ALAS-2014-323


Amazon Linux AMI Security Advisory: ALAS-2014-323
Advisory Release Date: 2014-09-18 00:20 Pacific
Severity: Medium
References: CVE-2013-7345 

Issue Overview:

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
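The following heuristic linter is an added example, not part of this advisory or of the file project's code. It flags magic(5) `regex` entries containing two or more unbounded repetitions, which is the pattern shape described above. The sample entries are constructed for illustration, and the function names and the threshold of two are assumptions of this example.

```python
import re

ENTRY = re.compile(r'^(\S+)\s+(\S+)\s+((?:\\.|[^\s\\])+)')  # offset, type, test
OPEN_BRACE = re.compile(r'\{\d*,\}')                        # {n,} has no upper bound

def unbounded_repeats(pattern):
    """Count *, + and {n,} quantifiers outside escapes and bracket expressions."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                        # escaped character: skip both bytes
            i += 2
            continue
        if in_class:
            if pattern.startswith('[:', i):  # POSIX class such as [:space:]
                end = pattern.find(':]', i + 2)
                if end != -1:
                    i = end + 2
                    continue
            elif c == ']':
                in_class = False
        elif c == '[':
            in_class = True
        elif c in '*+' or (c == '{' and OPEN_BRACE.match(pattern, i)):
            count += 1
        i += 1
    return count

def lint_magic(text, threshold=2):
    """Return (line number, count, pattern) for regex entries at or over threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith(('#', '!:')):
            continue                         # blank, comment or !:mime-style line
        m = ENTRY.match(line)
        if not m or m.group(2).split('/')[0] != 'regex':
            continue                         # only regex-type tests are inspected
        n = unbounded_repeats(m.group(3))
        if n >= threshold:
            findings.append((lineno, n, m.group(3)))
    return findings

# Constructed magic(5)-style entries, not copied from magic/Magdir/commands.
SAMPLE = r"""# constructed sample
0   regex      ^.*BEGIN.*[{]                 awk-like text (unbounded)
0   regex      ^\s{0,100}BEGIN\s{0,100}[{]   awk-like text (bounded)
0   string/w   #!\ /usr/bin/awk              awk script
0   regex      ^[A-Z]+:                      header line
"""

if __name__ == "__main__":
    for lineno, n, pattern in lint_magic(SAMPLE):
        print(f"line {lineno}: {n} unbounded repetitions in {pattern}")
```

A hit is only a prompt for manual review: the count says nothing about whether the repetitions actually overlap.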


Affected Packages:

file


Issue Correction:
Run yum update file to update your system.

New Packages:
i686:
    file-static-5.11-13.16.amzn1.i686
    file-libs-5.11-13.16.amzn1.i686
    file-debuginfo-5.11-13.16.amzn1.i686
    file-5.11-13.16.amzn1.i686
    file-devel-5.11-13.16.amzn1.i686

noarch:
    python-magic-5.11-13.16.amzn1.noarch

src:
    file-5.11-13.16.amzn1.src

x86_64:
    file-libs-5.11-13.16.amzn1.x86_64
    file-static-5.11-13.16.amzn1.x86_64
    file-5.11-13.16.amzn1.x86_64
    file-debuginfo-5.11-13.16.amzn1.x86_64
    file-devel-5.11-13.16.amzn1.x86_64