SB2014072304 - Amazon Linux AMI update for file

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014072304

SB2014072304 - Amazon Linux AMI update for file

Published: July 23, 2014

Security Bulletin ID SB2014072304
Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 22% Low 78%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-7345)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.


2) Reachable assertion (CVE-ID: CVE-2014-0207)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to assertion failure in the cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can trigger reachable assertion via a specially crafted CDF file and cause the service to crash.

3) Denial of service (CVE-ID: CVE-2014-0237)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 due to performance degradation. A remote attacker can trigger many file_printf calls and cause the service to crash.


4) Infinite loop (CVE-ID: CVE-2014-0238)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13. A remote attacker can trigger out-of-bounds memory access via a vector that (1) has zero length or (2) is too long and cause the service to crash.

5) Buffer overflow (CVE-ID: CVE-2014-3478)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can trigger memory corruption via a crafted Pascal string in a FILE_PSTRING conversion and cause the service to crash.

6) Input validation error (CVE-ID: CVE-2014-3479)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when the cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data. A remote attacker can cause the service to crash via a crafted stream offset in a CDF file.

7) Input validation error (CVE-ID: CVE-2014-3480)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of sector-count data by df_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can cause application crash via a crafted CDF file.

8) Input validation error (CVE-ID: CVE-2014-3487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of a stream offset by the cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can cause the application to crash via a crafted CDF file.


9) Input validation error (CVE-ID: CVE-2014-3538)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule.


Remediation

Install update from vendor's website.

References