Out-of-Bounds

Affecting file package, versions <1:5.21+15-1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream file package. See Remediation section below for Debian:9 relevant versions.

The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.

Remediation

Upgrade Debian:9 file to version 1:5.21+15-1 or higher.

References

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE
CVE-2014-9652
CWE
CWE-119
Snyk ID
SNYK-DEBIAN9-FILE-300941
Disclosed
30 Mar, 2015
Published
30 Mar, 2015