file: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file

Debian Bug report logs - #768806
file: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: file: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file

Date: Sun, 09 Nov 2014 13:45:40 +0100

Source: file
Version: 5.11-2
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for file.

CVE-2014-3710[0]:
out-of-bounds read in elf note headers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-3710
[1] https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1155071 

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #16 received at 768806-close@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: 768806-close@bugs.debian.org

Subject: Bug#768806: fixed in file 1:5.20-2

Date: Sun, 09 Nov 2014 17:33:44 +0000

Source: file
Source-Version: 1:5.20-2

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Nov 2014 14:46:05 +0100
Source: file
Binary: file file-dbg libmagic1 libmagic-dev python-magic python3-magic
Architecture: source armhf all
Version: 1:5.20-2
Distribution: unstable
Urgency: high
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Description:
 file       - Determines file type using "magic" numbers
 file-dbg   - Determines file type using "magic" numbers (debug)
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1  - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python3-magic - File type determination library using "magic" numbers (Python 3 b
Closes: 768806
Changes:
 file (1:5.20-2) unstable; urgency=high
 .
   * Fixes a security issue, urgency set to high
   * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
     Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
     Closes: #768806
Checksums-Sha1:
 363d509ffc0a237af56b1d667d1c2244e7d007ee 2050 file_5.20-2.dsc
 9386b07179f1d587bbe1af2789fa0594874d0e84 29304 file_5.20-2.debian.tar.xz
 5c60ced6db10cd20b1ec8a071c5e6323ee6519c4 57960 file_5.20-2_armhf.deb
 dbd0abed216273510df03f96f38afee11a828f13 180842 file-dbg_5.20-2_armhf.deb
 6f2e288a0ab9335a7fcba1b126f896e974a7084e 239136 libmagic1_5.20-2_armhf.deb
 a923a7a72190887f609ef83882b5a36969fd2d47 102524 libmagic-dev_5.20-2_armhf.deb
 982f20f390ce8eb405328896db7585a9ea89f373 43880 python-magic_5.20-2_all.deb
 bf8d5be910d65792741f7371af1f7d475e43efa5 43934 python3-magic_5.20-2_all.deb
Checksums-Sha256:
 b02b682727699fa14108ad182b28276725a5bffa539d4cdafd8de29d9246f720 2050 file_5.20-2.dsc
 7926738a871ddbaa39dd44f16b5fcd38d1472c2d2293dd250b63271c488640eb 29304 file_5.20-2.debian.tar.xz
 89d9ee769cee3dbea1a0e5f4fd7cac95ee4f92c56286dc13a2a3afc9fafc2141 57960 file_5.20-2_armhf.deb
 737ba8853f0a87300fda0860081cfa1c2c6a0034c9012e96cc8cfc5f05033562 180842 file-dbg_5.20-2_armhf.deb
 16624659d0df903ae3959f0d5c9d7bbbb24ba0dd1c0dc98d8a5349aa3f0685a4 239136 libmagic1_5.20-2_armhf.deb
 8b483b2589c7922a32ad6c605c6e2ebf5759d5b61d3e076178a563fc4b9a6cc9 102524 libmagic-dev_5.20-2_armhf.deb
 3889c4a0e8b6ba5081c616985cc460590473fae1e2b4ff42826b13da39ee37cd 43880 python-magic_5.20-2_all.deb
 91275c9ed8b7c3a41108424f8fd8fbeb2caa325b4c5311c4acc995c172ae4d47 43934 python3-magic_5.20-2_all.deb
Files:
 8ef08dc2d9b2afee663e0d119ad9ecbf 2050 utils standard file_5.20-2.dsc
 ceaf008aabb256a48f8fa3b19546433b 29304 utils standard file_5.20-2.debian.tar.xz
 d10c8d96f3fe9ea4a404030d4bea50cd 57960 utils standard file_5.20-2_armhf.deb
 9d19297c12ffc9b2fc6cf424feb2110f 180842 debug extra file-dbg_5.20-2_armhf.deb
 958e3d70068792d6dee6657f9b83932d 239136 libs standard libmagic1_5.20-2_armhf.deb
 10b3e650eb360cb763b32693c41be001 102524 libdevel optional libmagic-dev_5.20-2_armhf.deb
 9994280dc08374069527c40d1664aed7 43880 python optional python-magic_5.20-2_all.deb
 145e534f63667c087c36b3f9ca00d5a8 43934 python optional python3-magic_5.20-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJUX6CsAAoJEMQsWOtZFJL9ws4P/3zek1Fod1zhJ5rEiZ79uRVN
mBkJ+8YftV4IJrp6b67rpMBfCZideLMTL1QkrneVvaEST1fkvDmiajeD9Bn1F29w
uS8RrIFksm8Re7aNDlpJXwR9aD86dpERKHjCht5wvnnoM/0QYW5P7cHorJbT9ulz
9X2V7Xwc3uL4EGNo8kY8PKqGzJyo/Ke4ddH3ptELY34Z+eQNoHuGVIcB6gNTAbzB
kOIxXdihGKlicozQuuh+QdSxsj/yownHzDzVC2qK0VLgSrpi7aCmSagpORE3HC0j
lRO/pge8ZkGRsVO15BWv02ARNaqS43fYlLXDaF2lvkF5KJEwocJ1JcPqRuNi+fX2
mgU+anfE4gQMYGAaZMrCmJ77qCCLAbzUJ8W2PO2k5bgI0vfQEAW8RL8ieeMOMT+G
rYUH7FxANuMeTIi8rvrjvrVnpEJe2WaPklmlBYw2/+zBaigRElbAfxnNLIztTTsU
WmvpSZMSV4cY/d5G1YfopTY3tps//Ib1wa+bjngi3w+8EiEO3mMHBs+AaJRz9SaK
uMignL22LH/M5mxvpuE1wg5HcauDS53XREnl9cPIuD4t/59rrxlXy88VNPAjimdz
0HVHa8VJQ5x/khFhSIna4R0dKTt1cmLKiRqUNueZwuqCWzt3C/euauj3uS1TGUMf
4WFSHE3QCvIs6QPft06H
=jaDE
-----END PGP SIGNATURE-----

Message #21 received at 768806-close@bugs.debian.org (full text, mbox, reply):

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

To: 768806-close@bugs.debian.org

Subject: Bug#768806: fixed in file 5.04-5+squeeze8

Date: Tue, 11 Nov 2014 22:19:51 +0000

Source: file
Source-Version: 5.04-5+squeeze8

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Nov 2014 14:57:15 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.04-5+squeeze8
Distribution: squeeze-lts
Urgency: high
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Description: 
 file       - Determines file type using "magic" numbers
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1  - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 768806
Changes: 
 file (5.04-5+squeeze8) squeeze-lts; urgency=high
 .
   * Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
     Closes: #768806
Checksums-Sha1: 
 f45275391ae2a57da1daec73f7fba17b9b550900 1958 file_5.04-5+squeeze8.dsc
 f698e1dfbf1ca5d08781887b5253105c3302c8bc 72563 file_5.04-5+squeeze8.diff.gz
 eea7c58da15031e9610046b8fd4eb90b41b3c87a 50774 file_5.04-5+squeeze8_amd64.deb
 b6b0402ab11ac4ed27f2a9b6d75b885290cd9b8f 237080 libmagic1_5.04-5+squeeze8_amd64.deb
 854eae575a36ff4a55217aa319a2a0bac96737e6 109740 libmagic-dev_5.04-5+squeeze8_amd64.deb
 59019b3e4e39b5a9522f7067df9d32e21b0b336b 39220 python-magic_5.04-5+squeeze8_amd64.deb
 5ea433fd289c0d1551c9d5cbd518d0f1f8949422 35726 python-magic-dbg_5.04-5+squeeze8_amd64.deb
Checksums-Sha256: 
 646e32f5dc6506238f0c35c936d1d72b8bb947c59a4003ffb39183c104c52b87 1958 file_5.04-5+squeeze8.dsc
 a5e47535fcbd7fef97796d3c3712ed3e949702304e7623aa13389d5104b9d311 72563 file_5.04-5+squeeze8.diff.gz
 37ee1f5fab0c4ed0bca25b981c776a0454e3b33ad5244be0bbf309186d865b0f 50774 file_5.04-5+squeeze8_amd64.deb
 ddff54cbbd0e335d75c05d7a425d34f01d0e2c0380583ba3dfae2dd59f251c90 237080 libmagic1_5.04-5+squeeze8_amd64.deb
 9f058801456a4ecb9d441d3ca781e899411d9a0aa911c156d0429ee66e3b9134 109740 libmagic-dev_5.04-5+squeeze8_amd64.deb
 54dea6f6c2b3a1054bdc08cdc45aeaef2c28023a8c296e4a43048d1b199afe08 39220 python-magic_5.04-5+squeeze8_amd64.deb
 f0d6889272705d4ea671abdb806ea40bf293a5e8822aff0211117a0beec8b3b6 35726 python-magic-dbg_5.04-5+squeeze8_amd64.deb
Files: 
 e3d6e6603cb70fdf3f11309620ae71ad 1958 utils standard file_5.04-5+squeeze8.dsc
 7241358305cbb9e13cab1497d6618b08 72563 utils standard file_5.04-5+squeeze8.diff.gz
 0a8698dda922c83d2e8e1b56af022fd2 50774 utils standard file_5.04-5+squeeze8_amd64.deb
 64a9be2789585838f2c8860bc89a5799 237080 libs standard libmagic1_5.04-5+squeeze8_amd64.deb
 65c45b50aa5b4ded1bf2687b352572d7 109740 libdevel optional libmagic-dev_5.04-5+squeeze8_amd64.deb
 248f5b0348452c0121336aea01313a83 39220 python extra python-magic_5.04-5+squeeze8_amd64.deb
 3c175d19324498f9a33f93f922c34072 35726 debug extra python-magic-dbg_5.04-5+squeeze8_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJUYN51AAoJEMQsWOtZFJL9MQsQAJrF7G9yNhGREy1CmoZI+56E
OvaomXx9aIS+hnwSUjJXCcYvHYdOI48z7Im+XhQGUVBdavhwLUHrvOYs7Cbce2em
bzolqIfmZhAH1uqWlcnffo9cLXf9tBythIlOPBG5N0MbLApacY/1NAopRu/7q+si
ojTFVhgs+RZfZlmsi+NHgTD+w1ao1llimUcbsDEXiz1cq/nvmjjeNtQ8Su0ALpcO
8uMSOlqmYNMRrMXAllnuULSAOLJcEJc2jVlgJZb5aJlgKZKKepKSmt1wXgUPFs31
LmjOI2y+HZHG8dYQ0tcy1ZFI5CBi0Es9JdFCx0C6PDStujyv3NsOCeG9q8zrdXgm
V2edOvSMcry3BWg61ahcJep+TK+UvrUWxX+wx2e6Nd9BMX1a4rzawyoFLBYqOs6V
up+ZAJSx1IAbdhLArkwHLKP0tdrZ+3yviTUeMITqtNasvJ138TuQMald3FuRR92S
NlDjTDgY7Ld6cBOGA4DoG5miafRa2UwNXw+1l1JdMKyPEPEURD6o96BU3/ujQ/1A
JRGv1H8J1SdWkkX5Iu4jiY/9hXHQcE/zrk20Sfo49qzMmOfzHCRH0nKEoQ9/r9ST
+lew5XlU6UzezOpkNtdIq7XOQiLfI2qdE3XxPUMa0fZH10INUeqZ2zdeujQr2PTg
D6YSF+WWq9e8qiedEnuC
=07tk
-----END PGP SIGNATURE-----

Message #26 received at 768806-close@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: 768806-close@bugs.debian.org

Subject: Bug#768806: fixed in file 5.11-2+deb7u6

Date: Tue, 25 Nov 2014 21:47:09 +0000

Source: file
Source-Version: 5.11-2+deb7u6

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Schweitzer <pierre@reactos.org> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Nov 2014 12:15:16 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.11-2+deb7u6
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@progress-technologies.net>
Changed-By: Pierre Schweitzer <pierre@reactos.org>
Description: 
 file       - Determines file type using "magic" numbers
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1  - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 768806
Changes: 
 file (5.11-2+deb7u6) wheezy-security; urgency=high
 .
   * Fix CVE-2014-3710 for file 5.11/Debian wheezy. Closes: #768806
Checksums-Sha1: 
 0c76da4deca01ce487d76061afa472b004725ead 1651 file_5.11-2+deb7u6.dsc
 85821f4ea66fbd0d3322f832ee9d654a9b728dca 31236 file_5.11-2+deb7u6.debian.tar.xz
 e239ae6b36f93942ed5c091c8cadb46e599f9fb2 52684 file_5.11-2+deb7u6_amd64.deb
 f2bf35cfbcc7f821db3ee4b7594810fc4550ce8f 203116 libmagic1_5.11-2+deb7u6_amd64.deb
 ee06dd10e8e30cbc186a97bfe20ec8d9182ce1a9 92838 libmagic-dev_5.11-2+deb7u6_amd64.deb
 25ca4ce1e6bec3161cd703b9b03de242cb347b6d 39198 python-magic_5.11-2+deb7u6_amd64.deb
 bd0855b880ea1f91efb1cbf8da848b47e88331d0 942 python-magic-dbg_5.11-2+deb7u6_amd64.deb
Checksums-Sha256: 
 fc1edaf1f80748f9ec2172ee3c131a26b8a879471e345fd9717f6b32a8a73fbd 1651 file_5.11-2+deb7u6.dsc
 02b1f65ffbf4cb024cf62876cd669c5f3ed056d4a3f28bc07e80f77bd4f037fd 31236 file_5.11-2+deb7u6.debian.tar.xz
 6eb52775efae49626cd39125915cda67e7678e3118e9e6d2fe21e44e2ac90adb 52684 file_5.11-2+deb7u6_amd64.deb
 ee9af5af43b1c92cb524b44bc18d05732c78132439e773fdbbeb61adb5482ad0 203116 libmagic1_5.11-2+deb7u6_amd64.deb
 2cc262f1e7d40eef11af96067ff754e36efc4d949e0de8248162dc536fc0fc46 92838 libmagic-dev_5.11-2+deb7u6_amd64.deb
 d287ed9b08c2b318ed23e68e13126ec330e8b64e1122e464d44ba3aae8726ba4 39198 python-magic_5.11-2+deb7u6_amd64.deb
 6fde1616daad63b5fd18d0683c7330ddd927cd7c33ef77543f171b8d35af95f9 942 python-magic-dbg_5.11-2+deb7u6_amd64.deb
Files: 
 a326b7a0af6c06bf703bae930302a292 1651 utils standard file_5.11-2+deb7u6.dsc
 6f946b3acf8c52eb163cbf43b0328882 31236 utils standard file_5.11-2+deb7u6.debian.tar.xz
 3028dac1848f41224530fcd713933ada 52684 utils standard file_5.11-2+deb7u6_amd64.deb
 734cc81ff0ece85db87dfa1c4ad9de97 203116 libs standard libmagic1_5.11-2+deb7u6_amd64.deb
 3be2c04d489772ac17ce249b84e90774 92838 libdevel optional libmagic-dev_5.11-2+deb7u6_amd64.deb
 6a0fe8672727f99bf79a7719dc42cdbb 39198 python extra python-magic_5.11-2+deb7u6_amd64.deb
 edc8aa19340041b84bba6082563f7bf4 942 debug extra python-magic-dbg_5.11-2+deb7u6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUYGo+AAoJEFb2GnlAHawE9XoH/jmkw7OwsEMVq5KWONWN6Obb
biqGUuJlsh4+q806zH7Z7p2u2Vf6GaeoETYNSF1dHYXI4cIh7UmgJupBCuR8ii6e
OxnkdymRdO1BkxwB6+jn82f84FvwwicPg/6iAUZwQVd296x7/cdjzFSvDryvSRX6
UeKZqy4RUyQ66cUKzhpoSayM9BJrure7lkAFEPA303b2Jnic7z/pdJrp9wekWYdU
kkRiB++WnL+5hss4luBQf59ZJdFmh4phnrNxyOhy3EaVtZwcT1p30MVAxioiok78
MXurTWRFHKw+y8e4DE1k0q9lUOEosYNZ4FNmMS0KU0FHSF4ZfppIjABDW+D2RQc=
=Fqsi
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.