Bugzilla – Bug 910253
VUL-0: CVE-2014-8117: denial of service issue (resource consumption)
Last modified: 2020-09-18 12:55:57 UTC
Via rh#1174606: CVE-2014-8117 was assigned to this issue.
Thomas Jarosch of Intra2net AG reported a denial of service issue (resource consumption) in the ELF parser used by file(1). Using file(1) on a specially-crafted ELF binary could lead to a denial of service (resource consumption).
Upstream fix:
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c
Due to some regressions found when testing, the following commits are also required:
https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c
https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677
https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686
Refer also to rh#1171580 (CVE-2014-8116).
Acknowledgements: Red Hat would like to thank Thomas Jarosch of Intra2net AG for reporting this issue.
See bug 910252 for CVE-2014-8116.
Please tell us *which* versions are affected as well as *please* provide a reproducer.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (910253) was mentioned in
https://build.opensuse.org/request/show/265566 Factory / file
Ping?
This is an autogenerated message for OBS integration: This bug (910253) was mentioned in
https://build.opensuse.org/request/show/265888 13.2 / file
https://build.opensuse.org/request/show/265889 13.1 / file
openSUSE-SU-2014:1721-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 910252,910253
CVE References: CVE-2014-8116,CVE-2014-8117
Sources used:
openSUSE 13.1 (src): file-5.15-4.28.1, python-magic-5.15-4.28.1
SUSE-SU-2014:1730-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 910252,910253
CVE References: CVE-2014-8116,CVE-2014-8117
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): file-5.19-9.1, python-magic-5.19-9.1
SUSE Linux Enterprise Server 12 (src): file-5.19-9.1
SUSE Linux Enterprise Desktop 12 (src): file-5.19-9.1
Also here ... file 4.24 and below do not do a recursion in src/softmagic.c, so IMHO there is no vulnerability. If you think this is not correct then please provide an example!
all updates released
This is an autogenerated message for OBS integration: This bug (910253) was mentioned in
https://build.opensuse.org/request/show/286645 13.1 / file
https://build.opensuse.org/request/show/286646 13.2 / file
SUSE-SU-2017:3048-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1009966,1063269,910252,910253,913650,913651,917152,996511
CVE References: CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): file-5.22-10.3.1, python-magic-5.22-10.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): file-5.22-10.3.1, python-magic-5.22-10.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): file-5.22-10.3.1
SUSE Linux Enterprise Server 12-SP3 (src): file-5.22-10.3.1
SUSE Linux Enterprise Server 12-SP2 (src): file-5.22-10.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): file-5.22-10.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): file-5.22-10.3.1
SUSE Container as a Service Platform ALL (src): file-5.22-10.3.1
OpenStack Cloud Magnum Orchestration 7 (src): file-5.22-10.3.1
openSUSE-SU-2017:3067-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1009966,1063269,910252,910253,913650,913651,917152,996511
CVE References: CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Sources used:
openSUSE Leap 42.3 (src): file-5.22-10.1, python-magic-5.22-10.1
openSUSE Leap 42.2 (src): file-5.22-7.3.1, python-magic-5.22-7.3.1