[DLA 27-1] file security update

2014-07-31 14:47:17
lists.debian.org

CVSS2 : 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector : NETWORK
Attack Complexity : LOW
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : PARTIAL
AI Score : 8.5 (Confidence: High)
EPSS : 0.157 (Percentile: 96.0%)

Package : file
Version : 5.04-5+squeeze6
CVE ID : CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478
CVE-2014-3479 CVE-2014-3480 CVE-2014-3487

Fix various denial of service attacks:

CVE-2014-3487

The cdf_read_property_info function does not properly validate a stream
offset, which allows remote attackers to cause a denial of service
(application crash) via a crafted CDF file.

CVE-2014-3480

The cdf_count_chain function in cdf.c does not properly validate
sector-count data, which allows remote attackers to cause a denial of
service (application crash) via a crafted CDF file.

CVE-2014-3479

The cdf_check_stream_offset function in cdf.c relies on incorrect
sector-size data, which allows remote attackers to cause a denial of service
(application crash) via a crafted stream offset in a CDF file.

CVE-2014-3478

Buffer overflow in the mconvert function in softmagic.c allows remote
attackers to cause a denial of service (application crash) via a crafted
Pascal string in a FILE_PSTRING conversion.

CVE-2014-0238

The cdf_read_property_info function in cdf.c allows remote attackers to
cause a denial of service (infinite loop or out-of-bounds memory access) via
a vector that (1) has zero length or (2) is too long.

CVE-2014-0237

The cdf_unpack_summary_info function in cdf.c allows remote attackers to
cause a denial of service (performance degradation) by triggering many
file_printf calls.

CVE-2014-0207

The cdf_read_short_sector function in cdf.c allows remote attackers to
cause a denial of service (assertion failure and application exit) via a
crafted CDF file.