Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 16 Dec 2014 16:08:36 +1100
From: Murray McAllister <>
Subject: file(1): multiple denial of service issues (resource consumption),
 CVE-2014-8116 and CVE-2014-8117


Thomas Jarosch of Intra2net AG reported a number of denial of service 
issues (resource consumption) in the ELF parser used by file(1). These 
issues were fixed in the 5.21 release of file(1), but by mistake are 
missing from the changelog.

The important commits are:

There were a few regressions along the way, so the following are also 
all needed:

Please credit "Thomas Jarosch of Intra2net AG".

Details of what CVE is for what:

Please use CVE-2014-8116 for these two:
limit the number of program and section header number of sections to be
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Stop reporting bad capabilities after the first few.
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Please use CVE-2014-8117 for this one:
reduce recursion level from 20 to 10 and make a symbolic constant for it.
CWE-674: Uncontrolled Recursion

Red Hat's bugs (to be opened shortly):


Murray McAllister / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.