Bug 1180642 (CVE-2014-9621)

Summary: CVE-2014-9621 file: limit string printing to 100 chars
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: harald, jkaluza, jorton, jrusnack, mmaslano, mmcallis, packaging-team-maint, rcollet, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: file 5.22
Doc Type: Bug Fix
Last Closed: 2015-01-09 17:22:51 UTC
Bug Depends On: 1180643
Bug Blocks: 1180646

Description Vasyl Kaigorodov 2015-01-09 15:48:47 UTC
It was reported [1] that file versions prior to 5.22 did not limit the number of strings printed, which could lead to a local resource exhaustion and denial of service.

Upstream fix:
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

This issue seems to be introduced here:
https://github.com/file/file/commit/c8451af8ab0c2e2a93ce93b9c68257d31576cc85
which ended up in 5.16 release.

[1]: http://mx.gw.com/pipermail/file/2014/001654.html

Comment 1 Vasyl Kaigorodov 2015-01-09 15:49:09 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1180643]

Comment 3 Francisco Alonso 2015-03-30 14:54:33 UTC
*** Bug 1175083 has been marked as a duplicate of this bug. ***

Comment 5 Tomas Hoger 2015-11-27 11:38:15 UTC
No Red Hat product was affected by this issue.