CVE-2013-7345

Publication date 24 March 2014

Last updated 24 July 2024

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
file	14.04 LTS trusty	Fixed 1:5.14-2ubuntu3.1
	13.10 saucy	Fixed 5.11-2ubuntu4.3
	12.10 quantal	Ignored
	12.04 LTS precise	Fixed 5.09-2ubuntu0.4
	10.04 LTS lucid	Fixed 5.03-5ubuntu1.3

Notes

jdstrand

see regression fix in DSA-2873-2

mdeslaur

introduced in 5.05, but included in Debian specific patch in older releases. The fix for this issue was not complete, resulting in CVE-2014-3538. The proper fix in CVE-2014-3538 is intrusive.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
file	Vendor: http://www.debian.org/security/2014/dsa-2873 Upstream: ef2329c

References

Related Ubuntu Security Notices (USN)