Description

The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

References

• APPLE-APPLE-SA-2015-04-08-2
• BID-70807
• CVE-2014-3710
• DEBIAN-DSA-3072
• REDHAT-RHSA-2014:1765
• REDHAT-RHSA-2014:1766
• REDHAT-RHSA-2014:1767
• REDHAT-RHSA-2014:1768
• REDHAT-RHSA-2016:0760
• URL: https://support.apple.com/kb/HT204659

Solution

Related Vulnerabilities

• RHSA-2014:1765: php54-php security update
• DSA-3072-1 file -- security update
• Amazon Linux AMI: Security patch for file (ALAS-2014-453) (CVE-2014-3710)
• SUSE: CVE-2014-3710: SUSE Linux Security Advisory
• Amazon Linux AMI: Security patch for php54 (ALAS-2014-450) (CVE-2014-3710)
• RHSA-2016:0760: file security, bug fix, and enhancement update
• ELSA-2015-2155 Moderate: Oracle Linux file security and bug fix update
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• DSA-3074-1 php5 -- security update
• FreeBSD: file -- multiple vulnerabilities (FreeBSD-SA-14:28.file) (Multiple CVEs)
• ELSA-2014-1768 Important: Oracle Linux php53 security update
• Amazon Linux AMI: Security patch for php55 (ALAS-2014-451) (CVE-2014-3710)
• RHSA-2015:2155: file security and bug fix update
• RHSA-2014:1766: php55-php security update
• USN-2494-1: file vulnerabilities
• RHSA-2014:1768: php53 security update
• USN-2391-1: php5 vulnerabilities
• PHP Vulnerability: CVE-2014-3710
• RHSA-2014:1767: php security update
• ELSA-2015-1135 Important: Oracle Linux php security and bug fix update
• Oracle Solaris 11: CVE-2014-3710: Vulnerability in PHP
• OS X update for Admin Framework (CVE-2014-3710)
• Oracle Linux: (CVE-2014-3710) ELSA-2016-0760: file security, bug fix, and enhancement update
• ELSA-2014-1767 Important: Oracle Linux php security update
• Gentoo Linux: CVE-2014-3710: file: Multiple vulnerabilities