Main Vulnerability Database SB2014090307

SB2014090307 - Amazon Linux AMI update for file

Published: September 3, 2014

Security Bulletin ID SB2014090307

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2012-1571)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

file before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.

2) Integer overflow (CVE-ID: CVE-2014-3587)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16. A remote attacker can trigger memory corruption via a crafted CDF fileand cause the service to crash.

Remediation

Install update from vendor's website.

References

https://alas.aws.amazon.com/ALAS-2014-398.html