Red Hat Security Advisory 2015-2155-07 - The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format binary files, system libraries, RPM packages, and different graphics formats. Multiple denial of service flaws were found in the way file parsed certain Composite Document Format files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file.
04a6ee9092dd32d61ea6bb3d141cce1697e5330904bf01426b4f34fcc545167f
Apple Security Advisory 2015-04-08-2 - OS X Yosemite 10.10.3 and Security Update 2015-004 are now available and address privilege escalation, code execution, information disclosure, and various other vulnerabilities.
bfdc53ae50c366d1018234c77470fabd66ae9360537370dafd782122121b89cd
Mandriva Linux Security Advisory 2015-080 - Multiple vulnerabilities have been discovered and corrected in php.
c10e025ba97f4a2c50f16a7bf42fdd55255bca05fae063bbdc4d60c7452dc956
Red Hat Security Advisory 2014-1766-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A buffer overflow flaw was found in the Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_thumbnail() function to crash or, possibly, execute arbitrary code. Multiple buffer overflow flaws were found in the way PHP parsed DNS responses. A malicious DNS server or a man-in-the-middle attacker could use these flaws to crash or, possibly, execute arbitrary code with the privileges of a PHP application that uses the dns_get_record() function.
c3530e2eb3a2547c8de58c72a285a5c384c312184ea908e8519aa2069c9d6a3a
Red Hat Security Advisory 2014-1765-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A buffer overflow flaw was found in the Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_thumbnail() function to crash or, possibly, execute arbitrary code. Multiple buffer overflow flaws were found in the way PHP parsed DNS responses. A malicious DNS server or a man-in-the-middle attacker could use these flaws to crash or, possibly, execute arbitrary code with the privileges of a PHP application that uses the dns_get_record() function.
362757b3bfd3a6b631b51131cc90b35f3677fc1a047df1d9dd2a1a227704367b
Red Hat Security Advisory 2014-1606-02 - The "file" command is used to identify a particular file according to the type of data contained in the file. The command can identify various file types, including ELF binaries, system libraries, RPM packages, and different graphics formats. Multiple denial of service flaws were found in the way file parsed certain Composite Document Format files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file.
abe0ed469d7ae83d0ad40aebd791f00a02439feaa1060a6f6cfecd1c3806dafe
Apple Security Advisory 2014-09-17-3 - OS X Mavericks 10.9.5 and Security Update 2014-004 are now available and address PHP code execution, Bluetooth API validation, PDF handling, and various other vulnerabilities.
4e7c77251432e1559177fbfc860df8439663744f27a763ac3194f1ebdf0e44e0
Debian Linux Security Advisory 3021-1 - Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash.
115bf94ed1ae10d5933506efacb195641342c54b763f1ee67edf43028f3516c2
Debian Linux Security Advisory 3021-2 - This update corrects DSA 3021-1, which introduced a regression in the detection of a some "Composite Document Files" (CDF), marking them look as corrupted, with the error: "Can't expand summary_info".
d8bc3a976a77d945fa9729274dcb77beef67b36b7e76cce28961d31ec075b64d
Gentoo Linux Security Advisory 201408-11 - Multiple vulnerabilities have been discovered in PHP, the worst of which could lead to remote execution of arbitrary code. Versions less than 5.5.16 are affected.
603e59db98b503d98e09222be7ae1aa6e92e8c93410b7df813b8dd5222e058f1
Red Hat Security Advisory 2014-1013-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A denial of service flaw was found in the File Information extension rules for detecting AWK files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of CPU. Multiple denial of service flaws were found in the way the File Information extension parsed certain Composite Document Format files. A remote attacker could use either of these flaws to crash a PHP application using fileinfo via a specially crafted CDF file.
5865809d0cc205eb897e11d94093aa0f109e69c05fcb2d9fc3a008f62752e332
Red Hat Security Advisory 2014-1012-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. Multiple denial of service flaws were found in the way the File Information extension parsed certain Composite Document Format files. A remote attacker could use either of these flaws to crash a PHP application using fileinfo via a specially crafted CDF file. Two denial of service flaws were found in the way the File Information extension handled indirect and search rules. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
75d69ed5db0c26d8fff244ccb4d6071a528c9b06c9770c22a68c4d391a8305a7
Ubuntu Security Notice 2254-1 - Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. Various other issues were also addressed.
2b8da918b6d2a26bf40ceadde3bfdcca411a3dfed0ac5a2df1c150957c5ab312
Mandriva Linux Security Advisory 2014-116 - A flaw was found in the way file's Composite Document Files format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially-crafted CDF file. A flaw was found in the way file parsed property information from Composite Document Files files. A property entry with 0 elements triggers an infinite loop.
557e42e82c67252163930b21555b2e5f92450ae290af79e5857f5424829306bf
Mandriva Linux Security Advisory 2014-115 - A flaw was found in the way file's Composite Document Files format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially-crafted CDF file. A flaw was found in the way file parsed property information from Composite Document Files files. A property entry with 0 elements triggers an infinite loop. PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to the 5.5.13 version, which fixes this issue and several other bugs. Additionally, php-apc has been rebuilt against the updated php packages.
feaf6ced4249190aad01f31414c2e51829d0234fd68516651567749d443fe0e1
Slackware Security Advisory - New php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
6ccaa63bae36ebf2fee8dfc6bb315c90f04190112dec98873bd2c97833e1fea3
Debian Linux Security Advisory 2943-1 - Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
14ceb25eecc0ebf2b0e99e958e18bd4f806ab39310e6a3cccdc09f253ced106d