Bug 13105

Summary:	file new security issue CVE-2013-7345
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	balaton, oe, pterjan, rverschelde, sysadmin-bugs
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/592275/
Whiteboard:	has_procedure MGA3-64-OK MGA3-32-OK advisory
Source RPM:	file-5.12-8.2.mga3.src.rpm	CVE:
Status comment:

Description David Walser 2014-03-27 18:31:56 CET

Fedora has issued an advisory on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html

Patched package uploaded for Mageia 3.

The issue was fixed upstream in 5.15, so Mageia 4 and Cauldron are not affected.

Advisory:
========================

Updated file packages fix security vulnerabilities:

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards with
unlimited repetitions, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted ASCII file that triggers a
large amount of backtracking, as demonstrated via a file with many newline
characters (CVE-2013-7345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.3.mga3
libmagic1-5.12-8.3.mga3
libmagic-devel-5.12-8.3.mga3
libmagic-static-devel-5.12-8.3.mga3
python-magic-5.12-8.3.mga3

from file-5.12-8.3.mga3.src.rpm

Reproducible: 

Steps to Reproduce:

Comment 1 claire robinson 2014-03-27 18:50:11 CET

PoC on the upstream bug http://bugs.gw.com/view.php?id=164


create a file with 10KB newlines:
  $ dd ibs=10000 count=1 if=/dev/zero | tr '\0' '\n' > newlines

run file w/out the BEGIN regex (in multi- or single- byte locale):
  $ time file newlines

Whiteboard: (none) => has_procedure

Comment 2 Zoltan Balaton 2014-03-28 16:10:13 CET

Tested on mga3 64bit.
The updated version spends about 50% of time on the newlines file and still identifies a random set of files the same as before.

CC: (none) => balaton
Whiteboard: has_procedure => has_procedure MGA3-64-OK

Comment 3 Zoltan Balaton 2014-03-28 16:23:07 CET

Tested on mga3 32bit.
Similar results as on 64bit (newlines done in 58% time than before update).
Someone please take care of the advisory and validating.

Whiteboard: has_procedure MGA3-64-OK => has_procedure MGA3-64-OK MGA3-32-OK

Comment 4 Rémi Verschelde 2014-03-28 22:13:37 CET

Validating update, advisory has been uploaded.
Please push to 3 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK => has_procedure MGA3-64-OK MGA3-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Pascal Terjan 2014-03-31 21:34:59 CEST

http://advisories.mageia.org/MGASA-2014-0142.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED

Comment 6 Oden Eriksson 2014-04-09 14:38:26 CEST

Affects php as well:

http://www.php.net/ChangeLog-5.php#5.4.27
http://www.php.net/ChangeLog-5.php#5.5.11

https://bugs.php.net/bug.php?id=66946

Status: RESOLVED => REOPENED
CC: (none) => oe
Resolution: FIXED => (none)

Comment 7 David Walser 2014-04-09 14:41:34 CEST

I know, I have an update ready to go and a bug already assigned to you:
https://bugs.mageia.org/show_bug.cgi?id=13142

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 8 Oden Eriksson 2014-04-09 14:45:18 CEST

Ooos.

Comment 9 Oden Eriksson 2014-04-09 14:46:01 CEST

OOPS. Tired now.