[security-announce] file 5.18: Security update

Adrian Dudau Adrian.Dudau at enea.com
Thu Mar 26 12:50:45 CET 2015


Enea Linux Security Advisory
=========================================================
Product/package: file 5.18
CVE Names:
CVE-2014-9620 Limit the number of ELF notes processed - DoS
CVE-2014-9621 Limit string printing to 100 chars - DoS
=========================================================
 
A security patch that fixes DoS vulnerabilities in file is now available
at http://linux.enea.com/5.0-beta-m400/patches:
 
README file: 0011-file-CVE-2014-9620-and-CVE-2014-9621.README
Patch file: 0011-file-CVE-2014-9620-and-CVE-2014-9621.patch
 
Description
===========
CVE-2014-9620
The ELF parser in file 5.08 through 5.21 allows remote attackers
to cause a denial of service via a large number of notes.
 
CVE-2014-9621
The ELF parser in file 5.16 through 5.21 allows remote attackers
to cause a denial of service via a long string.
 
References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
 
How to apply the patches
========================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.
 
wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches; refer to the
    README file for each individual patch>
 
- Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0011-file-CVE-2014-9620-and-CVE-2014-9621.patch
patch -p1 < ./0011-file-CVE-2014-9620-and-CVE-2014-9621.patch
 
If you have any questions regarding the security patches and security
updates, please contact security at enea.com.
 
Enea Security Team
www.enea.com
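
The two mitigations named in the CVE list above (cap the number of ELF notes processed, cap printed strings at 100 chars), sketched as an added example. This is not Enea's patch or code from file; the 256-note cap, host byte order and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_NOTES 256 /* assumed cap; the advisory states no number */
#define MAX_STR   100 /* CVE-2014-9621: print at most 100 chars */
struct nhdr { uint32_t namesz, descsz, type; }; /* ELF note header */

/* Copy at most MAX_STR chars of s into out, masking non-printables. */
size_t bounded_str(const unsigned char *s, size_t n, char *out)
{
    size_t i = 0;
    for (; i < n && i < MAX_STR && s[i] != '\0'; i++)
        out[i] = isprint(s[i]) ? (char)s[i] : '?';
    out[i] = '\0';
    return i;
}

/* Walk host-endian notes; -1 if malformed or more than MAX_NOTES. */
int walk_notes(const unsigned char *buf, size_t len)
{
    size_t off = 0, step;
    int count = 0;
    char name[MAX_STR + 1];
    struct nhdr h;
    while (len - off >= sizeof h) {
        if (count == MAX_NOTES) return -1;   /* CVE-2014-9620: bounded work */
        memcpy(&h, buf + off, sizeof h);
        off += sizeof h;
        if (h.namesz > len - off || h.descsz > len - off - h.namesz)
            return -1;                       /* sizes run past the buffer */
        bounded_str(buf + off, h.namesz, name);
        printf("note %d: name=\"%s\" descsz=%u\n", count++, name, (unsigned)h.descsz);
        step = ((size_t)h.namesz + 3) / 4 * 4 + ((size_t)h.descsz + 3) / 4 * 4;
        off = step > len - off ? len : off + step; /* fields are 4-byte padded */
    }
    return count;
}

/* Build n (<= 300) constructed 20-byte notes named "GNU", then walk them. */
int demo(int n)
{
    static const struct { struct nhdr h; char body[8]; } note = { {4, 4, 1}, "GNU" };
    static unsigned char buf[300 * sizeof note];
    if (n > 300) n = 300;
    for (int i = 0; i < n; i++)
        memcpy(buf + i * sizeof note, &note, sizeof note);
    return walk_notes(buf, (size_t)n * sizeof note);
}
int main(void) { printf("3 -> %d, 300 -> %d\n", demo(3), demo(300)); return 0; }
```

A return of -1 means the input was rejected, either for exceeding the note cap or for sizes that run past the buffer.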
 