file-5.11-31.el7
Errata ID: AXSA:2015-693:01
The file command is used to identify a particular file according to the
type of data contained by the file. File can identify many different
file types, including ELF binaries, system libraries, RPM packages, and
different graphics formats.
Security issues fixed with this release:
CVE-2014-0207
The cdf_read_short_sector function in cdf.c in file before 5.19, as
used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before
5.5.14, allows remote attackers to cause a denial of service
(assertion failure and application exit) via a crafted CDF file.
CVE-2014-0237
The cdf_unpack_summary_info function in cdf.c in the Fileinfo
component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote
attackers to cause a denial of service (performance degradation) by
triggering many file_printf calls.
CVE-2014-0238
The cdf_read_property_info function in cdf.c in the Fileinfo component
in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers
to cause a denial of service (infinite loop or out-of-bounds memory
access) via a vector that (1) has zero length or (2) is too long.
CVE-2014-3478
Buffer overflow in the mconvert function in softmagic.c in file before
5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x
before 5.5.14, allows remote attackers to cause a denial of service
(application crash) via a crafted Pascal string in a FILE_PSTRING
conversion.
CVE-2014-3479
The cdf_check_stream_offset function in cdf.c in file before 5.19, as
used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before
5.5.14, relies on incorrect sector-size data, which allows remote
attackers to cause a denial of service (application crash) via a
crafted stream offset in a CDF file.
CVE-2014-3480
The cdf_count_chain function in cdf.c in file before 5.19, as used in
the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14,
does not properly validate sector-count data, which allows remote
attackers to cause a denial of service (application crash) via a
crafted CDF file.
CVE-2014-3487
The cdf_read_property_info function in file before 5.19, as used in
the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14,
does not properly validate a stream offset, which allows remote
attackers to cause a denial of service (application crash) via a
crafted CDF file.
CVE-2014-3538
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a denial
of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2013-7345.
CVE-2014-3587
Integer overflow in the cdf_read_property_info function in cdf.c in
file through 5.19, as used in the Fileinfo component in PHP before
5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a
denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for
CVE-2012-1571.
CVE-2014-3710
The donote function in readelf.c in file through 5.20, as used in the
Fileinfo component in PHP 5.4.34, does not ensure that sufficient note
headers are present, which allows remote attackers to cause a denial
of service (out-of-bounds read and application crash) via a crafted
ELF file.
CVE-2014-8116
The ELF parser (readelf.c) in file before 5.21 allows remote attackers
to cause a denial of service (CPU consumption or crash) via a large
number of (1) program or (2) section headers or (3) invalid
capabilities.
CVE-2014-8117
softmagic.c in file before 5.21 does not properly limit recursion,
which allows remote attackers to cause a denial of service (CPU
consumption or crash) via unspecified vectors.
CVE-2014-9652
The mconvert function in softmagic.c in file before 5.21, as used in
the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and
5.6.x before 5.6.5, does not properly handle a certain string-length
field during a copy of a truncated version of a Pascal string, which
might allow remote attackers to cause a denial of service
(out-of-bounds memory access and application crash) via a crafted
file.
CVE-2014-9653
readelf.c in file before 5.22, as used in the Fileinfo component in
PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does
not consider that pread calls sometimes read only a subset of the
available data, which allows remote attackers to cause a denial of
service (uninitialized memory access) or possibly have unspecified
other impact via a crafted ELF file.
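The two readelf.c entries above that concern incomplete input (CVE-2014-3710, missing note headers, and CVE-2014-9653, short pread results) share one defensive rule: verify that every byte about to be parsed was actually read. The C example below is added for illustration and is not code from file or from this advisory; the function names pread_full, note_fits and demo_truncated_file are hypothetical, and note sizes are assumed to be in host byte order.

```c
/* Added example, not file(1) source; all names are hypothetical. */
#define _XOPEN_SOURCE 700   /* for pread() */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read exactly n bytes at off, retrying short reads (the CVE-2014-9653
 * class). Returns 0 on success, -1 on error or EOF before n bytes. */
static int pread_full(int fd, void *buf, size_t n, off_t off)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = pread(fd, p, n, off);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;      /* error or EOF: caller must not use buf */
        p += r; off += r; n -= (size_t)r;
    }
    return 0;
}

/* Does a whole ELF note at off lie inside buf[0..len)? (the CVE-2014-3710
 * class). A note is three 32-bit words (namesz, descsz, type) followed by
 * name and desc, each padded to 4 bytes; sizes assumed host-endian. */
static int note_fits(const unsigned char *buf, size_t len, size_t off)
{
    uint32_t namesz, descsz;
    if (off > len || len - off < 12)
        return 0;           /* note header itself is truncated */
    memcpy(&namesz, buf + off, 4);
    memcpy(&descsz, buf + off + 4, 4);
    uint64_t need = 12 + (((uint64_t)namesz + 3) & ~3ULL)
                       + (((uint64_t)descsz + 3) & ~3ULL);
    return need <= len - off;   /* 64-bit sum cannot wrap */
}

static int demo_truncated_file(void)
{
    unsigned char buf[16];  /* constructed input: 8-byte file, 16 wanted */
    FILE *f = tmpfile();
    if (!f) return -2;
    fwrite("\177ELF\0\0\0\0", 1, 8, f);
    fflush(f);
    int rc = pread_full(fileno(f), buf, sizeof buf, 0);
    fclose(f);
    return rc;
}
```

A parser that calls pread directly and ignores the return value would go on to interpret the unread tail of buf; here the truncated file is rejected before any field is decoded.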
Update packages.
file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.
SRPMS
- file-5.11-31.el7.src.rpm
MD5: 0d084f8ae0d846e5340696e6ab3dd955
SHA-256: f5938e8fd6d7b67f21a6c69af2223382f20bf0cfdae7a3090957851cda6e6203
Size: 661.18 kB
Asianux Server 7 for x86_64
- file-5.11-31.el7.x86_64.rpm
MD5: f76712f1c205c6810d49b034c6a7b1bb
SHA-256: 2f92cb4aa6a25e9ce48486f4953b3dd23c183f9a70e26433a85f2fb7fa97c2df
Size: 55.25 kB
- file-libs-5.11-31.el7.x86_64.rpm
MD5: 810bc0d0453891c6996409ac198feede
SHA-256: 6c52fc2956d91d4b28e2713a95b2a45dea99af6ec7c7395f521eafc642c0df88
Size: 337.93 kB
- python-magic-5.11-31.el7.noarch.rpm
MD5: 2952beb618ab3923badcc64367d600d5
SHA-256: 25ecc5947f6660a329cc407242f790c53180524e56497e139abdd4161e387973
Size: 31.84 kB
- file-libs-5.11-31.el7.i686.rpm
MD5: 9d11e79fe50990ce6671b6dbbf637f73
SHA-256: ef6a89370e4f0574dc289dfd50ab4db267802f6befcf2a7fc39e97f84626c1cd
Size: 339.09 kB