CVE-2013-7345

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
VendorProductVersion
christos_zoulasfile
𝑥
< 5.15
phpphp
5.4.0 ≤
𝑥
< 5.4.27
phpphp
5.5.0 ≤
𝑥
< 5.5.11
debiandebian_linux
6.0
debiandebian_linux
7.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
file
bullseye (security)
1:5.39-3+deb11u1
fixed
bullseye
1:5.39-3+deb11u1
fixed
squeeze
not-affected
bookworm
1:5.44-3
fixed
sid
1:5.45-3
fixed
trixie
1:5.45-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
file
trusty
Fixed 1:5.14-2ubuntu3.1
released
saucy
Fixed 5.11-2ubuntu4.3
released
quantal
ignored
precise
Fixed 5.09-2ubuntu0.4
released
lucid
Fixed 5.03-5ubuntu1.3
released
References
http://bugs.gw.com/view.php?id=164
http://rhn.redhat.com/errata/RHSA-2014-1765.html
http://support.apple.com/kb/HT6443
http://www.debian.org/security/2014/dsa-2873
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703993
https://github.com/file/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c
http://bugs.gw.com/view.php?id=164
http://rhn.redhat.com/errata/RHSA-2014-1765.html
http://support.apple.com/kb/HT6443
http://www.debian.org/security/2014/dsa-2873
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703993
https://github.com/file/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c