CVE-2014-3710

Publication date 24 October 2014

Last updated 24 July 2024

The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
file	14.10 utopic	Fixed 1:5.19-1ubuntu1.2
	14.04 LTS trusty	Fixed 1:5.14-2ubuntu3.3
	12.04 LTS precise	Fixed 5.09-2ubuntu0.6
	10.04 LTS lucid	Fixed 5.03-5ubuntu1.5
php5	14.10 utopic	Fixed 5.5.12+dfsg-2ubuntu4.1
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.5
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.15
	10.04 LTS lucid	Fixed 5.3.2-1ubuntu4.28

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
file	Upstream: 39c7ac1
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d Upstream: http://git.php.net/?p=php-src.git;a=commit;h=5b295bf19161b14d6c81151fd89c2f17bd50525c Upstream: http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d

References

Related Ubuntu Security Notices (USN)

USN-2494-1
file vulnerabilities
4 February 2015

USN-2391-1
php5 vulnerabilities
30 October 2014

Other references

https://www.cve.org/CVERecord?id=CVE-2014-3710