CVE-2014-2270

Published: 14 March 2014

softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.

Priority

Medium

Status

Package: file (Launchpad, Ubuntu, Debian)

Release    Status
lucid      Released (5.03-5ubuntu1.2)
precise    Released (5.09-2ubuntu0.3)
quantal    Released (5.11-2ubuntu0.2)
saucy      Released (5.11-2ubuntu4.2)
upstream   Needs triage

Patches:
upstream: https://github.com/file/file/commit/447558595a3650db2886cd2f416ad0beba965801
upstream: https://github.com/file/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c

Package: php5 (Launchpad, Ubuntu, Debian)

Release    Status
lucid      Released (5.3.2-1ubuntu4.24)
precise    Released (5.3.10-1ubuntu3.11)
quantal    Released (5.4.6-1ubuntu1.8)
saucy      Released (5.5.3+dfsg-1ubuntu2.3)
upstream   Released (5.5.10)

Patches:
upstream: http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd275b32ed0bbe89796fe2953b3cb0b41f

Notes

Author: mdeslaur
Note:
see regression fix in DSA-2873-2
The regression in the debian package is caused by a fix for
a different issue which does not seem to have a CVE number:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703993
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742262 (file regression 1)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742265 (file regression 2)

References

Bugs