Bug 1180642 (CVE-2014-9621) - CVE-2014-9621 file: limit string printing to 100 chars
Summary: CVE-2014-9621 file: limit string printing to 100 chars
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-9621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1175083
Depends On: 1180643
Blocks: 1180646
Reported: 2015-01-09 15:48 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:26 UTC

Fixed In Version: file 5.22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-09 17:22:51 UTC



Description Vasyl Kaigorodov 2015-01-09 15:48:47 UTC
It was reported [1] that file versions prior to 5.22 did not limit the number of strings printed, which could lead to a local resource exhaustion and denial of service.

Upstream fix:
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

This issue seems to be introduced here:
https://github.com/file/file/commit/c8451af8ab0c2e2a93ce93b9c68257d31576cc85
which ended up in the 5.16 release.

[1]: http://mx.gw.com/pipermail/file/2014/001654.html

Comment 1 Vasyl Kaigorodov 2015-01-09 15:49:09 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1180643]

Comment 3 Francisco Alonso 2015-03-30 14:54:33 UTC
*** Bug 1175083 has been marked as a duplicate of this bug. ***

Comment 5 Tomas Hoger 2015-11-27 11:38:15 UTC
No Red Hat product was affected by this issue.

