Date: Sat, 03 Jan 2015 22:50:26 +0300
From: Alexander Cherepanov <>
Subject: Re: CVE request: file(1) DoS

On 2014-12-17 03:44, Alexander Cherepanov wrote:
> There are two more DoSes fixed in the ELF parser of file(1), similar to
> the recent CVE-2014-8116.

These fixes were included in the 5.22 release:

> 1. Limit the number of ELF notes processed
> Report:
> Fix:

This issue seems to be introduced here:

which ended up in the 5.08 release. Hence releases 5.08--5.21 are vulnerable.

> 2. Limit string printing to 100 chars
> Report:
> Fix:

This issue was introduced in the following commit:

which ended up in the 5.16 release. Hence releases 5.16--5.21 are vulnerable.

> Both problems are amplified by the fact that the same section in an ELF
> file can be referenced and processed by file(1) multiple times. This is
> also fixed in the first commit linked above.
> Could CVE(s) please be assigned?

Alexander Cherepanov
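
Added example (not part of the original message and not file(1)'s own code): one way to bound the work of an ELF note walker, using a single note budget shared across calls so that a section referenced several times cannot multiply the work. The names walk_notes and MAX_NOTES, the cap of 256, and the little-endian layout with 4-byte padding are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NOTES 256   /* assumed cap for this example, not file(1)'s value */
#define ALIGN4(x) (((x) + 3u) & ~(size_t)3u)

enum walk_result { WALK_DONE = 0, WALK_MALFORMED = -1, WALK_CAPPED = 1 };

/* Read a little-endian 32-bit word. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk note records (namesz, descsz, type, name, desc) in buf[0..len).
 * *seen is a running total owned by the caller and is never reset here,
 * so every section of one input draws from the same budget. */
static enum walk_result walk_notes(const unsigned char *buf, size_t len,
                                   size_t max_notes, size_t *seen)
{
    size_t off = 0, left, step;
    while (len - off >= 12) {
        if (*seen >= max_notes)
            return WALK_CAPPED;              /* work bound reached */
        uint32_t namesz = rd32le(buf + off);
        uint32_t descsz = rd32le(buf + off + 4);
        off += 12;                           /* header; type word not needed */
        left = len - off;
        if (namesz > left)
            return WALK_MALFORMED;           /* name runs past the buffer */
        step = ALIGN4((size_t)namesz);
        off += step < left ? step : left;    /* padding may be cut short */
        left = len - off;
        if (descsz > left)
            return WALK_MALFORMED;           /* desc runs past the buffer */
        step = ALIGN4((size_t)descsz);
        off += step < left ? step : left;
        (*seen)++;
    }
    return WALK_DONE;
}

int main(void)
{
    static const unsigned char section[12 * 1000]; /* constructed: 1000 empty notes */
    size_t seen = 0;
    for (int ref = 1; ref <= 3; ref++)       /* same section referenced 3 times */
        printf("ref %d: result=%d notes=%zu\n", ref,
               walk_notes(section, sizeof section, MAX_NOTES, &seen), seen);
    return 0;
}
```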
