File · CVE-2014-3480
**Name of the Vulnerable Software and Affected Versions**
file versions prior to 5.19
Red Hat Enterprise Linux file-static-5.04
Red Hat Enterprise Linux file-5.04
Red Hat Enterprise Linux file-debuginfo-5.04
Red Hat Enterprise Linux file-libs-5.04
Red Hat Enterprise Linux file-devel-5.04
Debian GNU/Linux file
**Description**
The issue involves multiple vulnerabilities in the file package that can lead to a loss of availability of protected information. These vulnerabilities can be exploited remotely. The `cdf_count_chain` function in cdf.c does not properly validate sector-count data, allowing remote attackers to cause a denial of service via a crafted CDF file.
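The kind of validation the description refers to, shown on a simplified model as an added example: this is not the file project's code or its patch, and the `struct sat` layout, the `count_chain` name and the `CHAIN_LOOP_LIMIT` value are assumptions made for illustration. It goes slightly beyond the sector-count check by also rejecting chains that never terminate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHAIN_LOOP_LIMIT 10000          /* assumed cap on chain length */
#define CHAIN_INVALID    ((size_t)-1)

/* Simplified model of a sector allocation table (assumed layout):
 * tab[i] is the id of the sector after sector i; a negative id ends
 * the chain. */
struct sat {
    const int32_t *tab;  /* entries, already in host byte order */
    size_t         len;  /* number of entries present in tab */
};

/* Count the sectors in the chain that starts at sid. Returns
 * CHAIN_INVALID if the chain leaves the table or does not terminate. */
size_t count_chain(const struct sat *sat, int32_t sid)
{
    size_t n = 0;

    while (sid >= 0) {
        /* Ids come from the file, so bound them before indexing. */
        if ((size_t)sid >= sat->len)
            return CHAIN_INVALID;
        /* A cycle in the table would otherwise never end. */
        if (++n > CHAIN_LOOP_LIMIT)
            return CHAIN_INVALID;
        sid = sat->tab[sid];
    }
    return n;
}

int main(void)
{
    /* Constructed sample tables, not taken from a real file. */
    static const int32_t good[]  = { 1, 2, -2, -1 };    /* 0 -> 1 -> 2 -> end */
    static const int32_t wild[]  = { 1, 9000, -2, -1 }; /* id past the table  */
    static const int32_t cycle[] = { 1, 0, -2, -1 };    /* 0 -> 1 -> 0 -> ... */
    struct sat g = { good, 4 }, w = { wild, 4 }, c = { cycle, 4 };

    printf("good:  %zu\n", count_chain(&g, 0));
    printf("wild:  %s\n", count_chain(&w, 0) == CHAIN_INVALID ? "rejected" : "ok");
    printf("cycle: %s\n", count_chain(&c, 0) == CHAIN_INVALID ? "rejected" : "ok");
    return 0;
}
```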
**Recommendations**
For file versions prior to 5.19, update to version 5.19 or later.
For Red Hat Enterprise Linux file-static-5.04, file-5.04, file-debuginfo-5.04, file-libs-5.04, and file-devel-5.04, update to a version that is not affected by these vulnerabilities.
For Debian GNU/Linux file, update to a version that is not affected by these vulnerabilities.
As a temporary workaround, consider restricting access to the `cdf_count_chain` function in cdf.c until a patch is available.