Summary
Francisco Alonso of Red Hat Product Security found an issue in the file utility: when checking ELF files, note headers are incorrectly checked, thus potentially allowing attackers to cause a denial of service (out-of-bounds read and application crash) by supplying a specially crafted ELF file.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 5.11-2+deb7u6.
For the upcoming stable distribution (jessie), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 1:5.20-2.
We recommend that you upgrade your file packages.
Insight
The file utility tests each argument in an attempt to classify it. There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed.
Affected
file on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
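The detection logic above amounts to comparing the installed Debian version of the file package against the fixed versions named in the Solution section. The following is an added illustration, not the scanner's or Debian's own code: it reimplements dpkg's version ordering (epoch, upstream version and revision, with `~` sorting before everything) so the comparison behaves like `dpkg --compare-versions`, and it takes the fixed versions from this advisory. The suite name passed on the command line and the `dpkg-query` lookup are assumptions for the stand-alone run; the comparison itself needs no dpkg on the host.

```python
"""Check an installed version of the Debian 'file' package against the
fixed versions from this advisory (added example, not the scanner's code)."""
import shutil
import subprocess
import sys

# Fixed versions as stated in the advisory; jessie had no fix at publication.
FIXED_VERSIONS = {
    "wheezy": "5.11-2+deb7u6",
    "sid": "1:5.20-2",
    "jessie": None,
}


def _order(c):
    """Character weight dpkg uses for non-digit parts of a version: '~' sorts
    before anything (even end of string), letters before other symbols, and
    end of string (None) counts as zero."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of one upstream-version or revision string: alternate
    non-digit runs (compared via _order) and digit runs (compared numerically,
    leading zeros ignored). Returns <0, 0 or >0."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else None)
            bc = _order(b[0] if b else None)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1          # a has more digits: numerically larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:               # no '-' at all: everything is the upstream part
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_vulnerable(installed, suite):
    """True when the installed version predates the fix for `suite`, or when
    the advisory lists no fixed version for that suite (jessie)."""
    fixed = FIXED_VERSIONS.get(suite)
    if fixed is None:
        return True
    return compare_versions(installed, fixed) < 0


def installed_version(package="file"):
    """Installed version via dpkg-query, or None if dpkg or the package is absent."""
    if shutil.which("dpkg-query") is None:
        return None
    result = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                            capture_output=True, text=True)
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "wheezy"   # assumed default
    version = installed_version()
    if version is None:
        print("file package not found via dpkg-query")
    else:
        state = "vulnerable" if is_vulnerable(version, suite) else "fixed"
        print(f"file {version} on {suite}: {state}")
```

Run it as `python3 check_file_cve.py wheezy` on the host being assessed; the version-ordering helpers can also be reused for any other Debian advisory by swapping the `FIXED_VERSIONS` table.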
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2014-3710
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P