Out-of-bounds read in file - CVE-2014-9652
Published: November 27, 2018
Vulnerability identifier: #VU16103
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-9652
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Ian F. Darwin
Affected software:
file
file
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition.
The vulnerability exists due to the mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string. A remote attacker can cause out-of-bounds memory access and application crash via a crafted file.
How to mitigate CVE-2014-9652
Install updates from vendor's website.