Bug 34135

Summary: file: Multiple issues (3.2)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Stefan Gohmann <gohmann>
Status: CLOSED FIXED QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P3 CC: gohmann, requate, walkenhorst
Version: UCS 3.0Flags: requate: Patch_Available+
Target Milestone: UCS 3.2-7-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Moritz Muehlenhoff univentionstaff 2014-02-17 08:45:30 CET 
+++ This bug was initially created as a clone of Bug #34134 +++

CVE-2014-1943

Incorrect handling of indirect rules in libmagic may lead to an infinite loop, resulting in denial of service
Comment 1 Moritz Muehlenhoff univentionstaff 2014-03-06 09:59:52 CET 
Denial of service in libmagic (CVE-2014-2270)
Comment 2 Moritz Muehlenhoff univentionstaff 2014-03-26 14:19:54 CET 
CVE-2013-7345: Denial of service in magic for awk scripts
Comment 3 Moritz Muehlenhoff univentionstaff 2014-06-30 07:17:42 CEST 
Buffer overflow in CDF module (CVE-2014-3487, CVE-2014-3479, CVE-2014-3480, CVE-2014-0207)
Incorrect string size calculation in the softmagic module (CVE-2014-3478)
Comment 4 Moritz Muehlenhoff univentionstaff 2014-09-08 07:54:24 CEST 
Buffer overflow in CDF parsing (CVE-2014-3587)
Comment 5 Moritz Muehlenhoff univentionstaff 2014-11-10 13:32:11 CET 
Out of bounds reads when parsing ELF section headers (CVE-2014-3710)
Comment 6 Moritz Muehlenhoff univentionstaff 2014-12-15 10:22:17 CET 
Denial of service issues in the ELF parser (CVE-2014-8116, CVE-2014-8117)
Comment 7 Moritz Muehlenhoff univentionstaff 2015-02-10 09:30:59 CET 
Denial of service when processing malformed ELF files (CVE-2014-9653)
Comment 8 Arvid Requate univentionstaff 2015-05-06 17:17:41 CEST 
Fixed in upstream Debian package version 5.04-5+squeeze10
Comment 9 Stefan Gohmann univentionstaff 2015-08-29 20:28:03 CEST 
5.04-5+squeeze10 has been imported and build. It also fixes
  * Performance degradation (CVE-2014-0237)
  * Infinite loop or out-of-bounds memory access (CVE-2014-0238)
  * CPU consumption (CVE-2014-3538)

YAML: 2015-08-29-acpi-support.yaml
Comment 10 Felix Botner univentionstaff 2015-09-03 19:24:58 CEST 
OK - version 5.04-5+squeeze10 built in errata3.2-7
OK - CVE's
OK - YAML
Comment 11 Janek Walkenhorst univentionstaff 2015-09-09 11:31:13 CEST 
<http://errata.software-univention.de/ucs/3.2/366.html>