Bug 885196 (CVE-2014-0236) - VUL-1: CVE-2014-0236: file: root_storage NULL pointer dereference flaw in CDF parser
Status: RESOLVED UPSTREAM
Alias: CVE-2014-0236
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Dr. Werner Fink
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/102932/
Reported: 2014-07-01 07:36 UTC by Victor Pereira
Modified: 2022-01-19 14:36 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-07-01 07:36:37 UTC
CVE-2014-0236

A NULL pointer dereference flaw was found in the way file processed root_storage entries in Composite Document Files (CDF).  A crafted CDF file could cause file to crash.

This issue was introduced in the following commit:
https://github.com/file/file/commit/209113ac443c82cc7573bb228b68ce1dd9d50f90

This change was introduced in upstream version 5.18, previous versions are not affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1098209
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0236.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0236
Comment 2 Dr. Werner Fink 2014-07-01 07:58:30 UTC
We do not have 5.18 on any product.  For SLES-12 as well as openSUSE Factory we have 5.19.