#VU16088 Buffer overflow in file - CVE-2014-3478
Vulnerability identifier: #VU16088
Vulnerability risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
file
Universal components / Libraries /
Libraries used by multiple products
Vendor: Ian F. Darwin
Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can trigger memory corruption via a crafted Pascal string in a FILE_PSTRING conversion and cause the service to crash.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
file: 5.00 - 5.18
External links
https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
