Mandriva Linux Security Advisory 2014-073 - The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
3a942a72f3bb0e2d469def4623994ff2661f53ca7af93d0cf0a7bda17e0e2da7-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:073
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : file
Date : April 9, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated file packages fix security vulnerabilities:
The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://advisories.mageia.org/MGASA-2014-0142.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
4b4561e9f1573586faf3e776a8f4fe74 mbs1/x86_64/file-5.12-1.1.mbs1.x86_64.rpm
a0fe4f9fdc9139483ff2646c457457d0 mbs1/x86_64/lib64magic1-5.12-1.1.mbs1.x86_64.rpm
23d2709d6591a1bf152803f31435d36a mbs1/x86_64/lib64magic-devel-5.12-1.1.mbs1.x86_64.rpm
69dc8737c1c20341a2f062ee382cfdf1 mbs1/x86_64/lib64magic-static-devel-5.12-1.1.mbs1.x86_64.rpm
b73482de9b5c0d944c558ac4db1f26f9 mbs1/x86_64/python-magic-5.12-1.1.mbs1.noarch.rpm
436b242b459fa885153668f6cae2056f mbs1/SRPMS/file-5.12-1.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTRUPamqjQ0CJFipgRAlI1AKDbGsuPUDuBLEObQHXwP7OpO0jHhgCfYGrn
YRR4xBW2cZ0XFAUpzAV8yz0=
=UhvO
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed