Package: file
Version: 5.11-2
Severity: grave
Tags: security

[ Re-sent to BTS by request of the security team, also updated ]

A bug in the handling of "indirect" magic rules of libmagic leads to an infinite recursion when trying to determine the file type of certain files. This has been assigned CVE-2014-1943.

Additionally, other well-crafted files might result in long computation times (five seconds for a single file while using 100% CPU) and overlong results (~400k lines), something some applications that operate on the file result might not handle in a sane way.

The issue has been made public by Bernd Melchers, who initially found this bug:
http://mx.gw.com/pipermail/file/2014/001327.html

Impact is two-layered. The bug itself was introduced years ago (pre-oldstable). From jessie on, the default magic file as shipped in the package contains a file magic rule that is exploitable for a segmentation fault. In other words:

jessie: Always affected and in full scale.

squeeze/wheezy: Segmentation fault when using non-standard magic files that use "indirect" in a certain way. Still vulnerable to the "computation time" and "overlong" issues mentioned above.

Upstream released 5.17 last night, fixing the bug for all reproducers I have in my collection. Backporting the patch is not trivial but hopefully feasible. I'll give that a try later today.

Christoph
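The following script is an added example and is not part of the bug report, the Debian package or the file/libmagic project. It does two things a defender would want after reading the report: it flags an installed `file` whose upstream version predates the 5.17 release that fixed CVE-2014-1943, and it shows the caller-side mitigation for the "long computation time" and "overlong result" symptoms, namely running `file` under a wall-clock limit and truncating its output before any application parses it. Assumptions: the version is read from the first line of `file --version` (which prints a string such as "file-5.11"); `timeout` is the GNU coreutils command; the 5 second and 4096 byte defaults are illustrative choices. A distribution package can backport the fix without bumping the version number, so a "vulnerable" verdict here means "check the package changelog or advisory", not proof of exploitability.

```shell
#!/bin/sh
# Added example (not from the bug report or the file/libmagic project).
# Checks whether a local `file`/libmagic predates the 5.17 fix for
# CVE-2014-1943, and wraps file(1) in time and output-size bounds.

# libmagic_fixed VERSION_STRING
#   Returns 0 if the major.minor found in the string is 5.17 or later,
#   1 if it is older, 2 if no version could be parsed.
libmagic_fixed() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                 # $1 = major, $2 = minor (word-split on purpose)
    if [ "$1" -gt 5 ]; then return 0; fi
    if [ "$1" -eq 5 ] && [ "$2" -ge 17 ]; then return 0; fi
    return 1
}

# check_installed_file
#   Prints a verdict for the `file` binary on PATH; exit status as above.
check_installed_file() {
    command -v file >/dev/null 2>&1 || { echo "file: not installed"; return 2; }
    v=$(file --version 2>&1 | head -n 1)    # assumed format: "file-5.11"
    libmagic_fixed "$v"
    rc=$?
    case $rc in
        0) echo "$v: 5.17 or later, upstream fix for CVE-2014-1943 present" ;;
        1) echo "$v: older than 5.17, check for a backported fix (CVE-2014-1943)" ;;
        *) echo "$v: could not parse a version" ;;
    esac
    return $rc
}

# truncate_result MAX_BYTES TEXT
#   Emits at most MAX_BYTES of TEXT, so a consumer never stores or parses
#   an unbounded file(1) result (the report mentions ~400k line outputs).
truncate_result() {
    printf '%s' "$2" | head -c "$1"
}

# bounded_file PATH [TIMEOUT_SECONDS] [MAX_BYTES]
#   Runs `file -b` on PATH with a wall-clock limit (default 5 s, the
#   computation time quoted in the report) and truncates the result
#   (default 4096 bytes). Returns 124 if the time limit was hit.
bounded_file() {
    path=$1
    secs=${2:-5}
    max=${3:-4096}
    out=$(timeout "$secs" file -b -- "$path" 2>&1)
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "error: file(1) exceeded ${secs}s on $path" >&2
        return 124
    fi
    truncate_result "$max" "$out"
    echo
    return "$rc"
}

# Usage: sh this_script.sh --check          (version verdict for local file)
#        . ./this_script.sh; bounded_file /path/to/input
if [ "${1:-}" = "--check" ]; then
    check_installed_file
fi
```

The version check compares only major.minor, which is all the upstream fix needs; the output bound is deliberately applied after the timeout check so that a truncated result is never mistaken for a complete one when file(1) was killed.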