[arch-security] [Arch Linux Security Advisory ASA-201411-9] file: denial of service through out-of-bounds read
Arch Linux Security Advisory ASA-201411-9
=========================================

Severity: Medium
Date    : 2014-11-12
CVE-ID  : CVE-2014-3710
Package : file
Type    : denial of service through out-of-bounds read
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package file before version 5.20-2 is vulnerable to denial of service
through out-of-bounds read.

Resolution
==========

Upgrade to 5.20-2.

# pacman -Syu "file>=5.20-2"

The problems have been fixed upstream [0] but no release version is
available yet.

Workaround
==========

None.

Description
===========

An out-of-bounds read flaw was found in file's donote() function, in the way
the file utility parses the note headers of an ELF file. This could cause the
file executable to crash.

Impact
======

A specially crafted ELF file may trigger an out-of-bounds read while the note
headers are parsed and crash the file executable. As the readelf code in file
is widely used, this could lead to denial of service of middleware relying on
it.

References
==========

[0] https://github.com/file/file/commit/39c7ac1106
https://access.redhat.com/security/cve/CVE-2014-3710
https://bugzilla.redhat.com/show_bug.cgi?id=1155071
https://bugs.archlinux.org/task/42759
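The flaw class described above (trusting the size fields of an ELF note header
before checking them against the bytes actually present) is easiest to see next
to a parser that does the check. The following is an added illustration, not
code from the file project or from the upstream fix referenced as [0]: a small
bounds-checked walker over an ELF note section. Every size read from a header
is compared with the bytes remaining in the buffer before it is used as an
offset, so a header claiming a huge name or descriptor is rejected instead of
being read past the end. The note layout (three 32-bit words, 4-byte aligned
fields) is the one from the ELF specification; the sample byte arrays are
constructed here and assume a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Note header layout shared by ELF32 and ELF64: three 32-bit words. */
typedef struct {
    uint32_t n_namesz;  /* length of the name field, including the NUL */
    uint32_t n_descsz;  /* length of the descriptor field */
    uint32_t n_type;    /* note type, e.g. NT_GNU_ABI_TAG */
} elf_note_hdr;

/* Round up to the 4-byte alignment ELF requires between note fields. */
static size_t align4(size_t v) { return (v + 3) & ~(size_t)3; }

/*
 * Walk the notes in buf[0..len) and return how many are well formed, or -1
 * as soon as a header, name or descriptor would extend past len. Every size
 * is validated against the *remaining* bytes before it becomes an offset, so
 * no read can leave the buffer. A final note whose descriptor is not padded
 * to 4 bytes is treated as malformed (strict, as a checker should be).
 */
int count_elf_notes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        elf_note_hdr h;
        if (len - off < sizeof h)
            return -1;                     /* truncated header */
        memcpy(&h, buf + off, sizeof h);   /* host-endian; sample data is little-endian */
        off += sizeof h;

        /* Name: both the raw and the aligned length must fit what is left.
           The raw check runs first, so align4() can never overflow. */
        if (h.n_namesz > len - off || align4(h.n_namesz) > len - off)
            return -1;
        if (h.n_namesz > 0 && buf[off + h.n_namesz - 1] != '\0')
            return -1;                     /* name must be NUL-terminated */
        off += align4(h.n_namesz);

        /* Descriptor: same rule. */
        if (h.n_descsz > len - off || align4(h.n_descsz) > len - off)
            return -1;
        off += align4(h.n_descsz);
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed notes, name "GNU\0", 4-byte descriptor. */
const uint8_t sample_good_notes[] = {
    4,0,0,0,  4,0,0,0,  1,0,0,0,  'G','N','U',0,  0,0,0,0,
    4,0,0,0,  4,0,0,0,  1,0,0,0,  'G','N','U',0,  0,0,0,0,
};

/* Constructed sample: the header claims a 256 MiB name inside a 16-byte buffer.
   An unchecked parser would use n_namesz as an offset and read far past the end. */
const uint8_t sample_bad_namesz[] = {
    0,0,0,0x10,  0,0,0,0,  1,0,0,0,  'G','N','U',0,
};

int main(void) {
    printf("good section: %d notes\n",
           count_elf_notes(sample_good_notes, sizeof sample_good_notes));   /* 2 */
    printf("oversized namesz: %d\n",
           count_elf_notes(sample_bad_namesz, sizeof sample_bad_namesz));   /* -1 */
    printf("truncated header: %d\n",
           count_elf_notes(sample_good_notes, 8));                           /* -1 */
    return 0;
}
```

The two comparisons against `len - off` are the whole point: the remaining
length shrinks as the cursor advances, and the aligned length is checked as
well as the raw one, so the padding step cannot push the cursor past the end
either.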
participants (1)
-
Levente Polyak