| Name | CVE-2014-9620 |
| Description | The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-3121-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| file (PTS) | buster | 1:5.35-4+deb10u2 | fixed |
| buster (security) | 1:5.35-4+deb10u1 | fixed |
| bullseye (security), bullseye | 1:5.39-3+deb11u1 | fixed |
| bookworm | 1:5.44-3 | fixed |
| trixie | 1:5.45-2 | fixed |
| sid | 1:5.45-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| file | source | squeeze | (not affected) | | | |
| file | source | wheezy | 5.11-2+deb7u7 | | DSA-3121-1 | |
| file | source | (unstable) | 1:5.21+15-1 | | | |
| php5 | source | (unstable) | (not affected) | | | |
Notes
[squeeze] - file <not-affected> (Introduced in 5.08)
- php5 <not-affected> (readelf.c not used and even removed in 5.4.36-0+deb7u3)
Report: http://mx.gw.com/pipermail/file/2014/001653.html
Fix: https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
Introduced by: https://github.com/file/file/commit/956a45ab1c54b11304b367056f41905e72a02380#diff-bc5c24ef9f39a5f4963ca28ecbc645b3L423