Vigil@nce - Fine Free file: infinite loop of libmagic
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate an infinite loop in libmagic of Fine Free
file, in order to trigger a denial of service.
Impacted products: Debian, Fedora, PHP, Ubuntu, Unix (platform)
Severity: 1/4
Creation date: 03/03/2014
DESCRIPTION OF THE VULNERABILITY
The Fine Free file program analyzes files, in order to
automatically recognize their type. The PHP Fileinfo module also
uses libmagic.
Its libmagic library uses "indirect" rules. However, if a
"Composite Document" has a null indirection offset, an infinite
recursion occurs.
An attacker can therefore generate an infinite loop in libmagic of
Fine Free file, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Fine-Free-file-infinite-loop-of-libmagic-14346