BugTraq
[ MDVSA-2014:073 ] file Apr 09 2014 03:58PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:073
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : file
Date : April 9, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated file packages fix security vulnerabilities:

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://advisories.mageia.org/MGASA-2014-0142.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
4b4561e9f1573586faf3e776a8f4fe74 mbs1/x86_64/file-5.12-1.1.mbs1.x86_64.rpm
a0fe4f9fdc9139483ff2646c457457d0 mbs1/x86_64/lib64magic1-5.12-1.1.mbs1.x86_64.rpm
23d2709d6591a1bf152803f31435d36a mbs1/x86_64/lib64magic-devel-5.12-1.1.mbs1.x86_64.rpm
69dc8737c1c20341a2f062ee382cfdf1 mbs1/x86_64/lib64magic-static-devel-5.12-1.1.mbs1.x86_64.rpm
b73482de9b5c0d944c558ac4db1f26f9 mbs1/x86_64/python-magic-5.12-1.1.mbs1.noarch.rpm
436b242b459fa885153668f6cae2056f mbs1/SRPMS/file-5.12-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTRUPamqjQ0CJFipgRAlI1AKDbGsuPUDuBLEObQHXwP7OpO0jHhgCfYGrn
YRR4xBW2cZ0XFAUpzAV8yz0=
=UhvO
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus