Bug 15064

Summary: file new DoS issues fixed upstream in 5.22 (CVE-2014-962[01])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/630069/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: file-5.16-1.9.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-17 01:25:41 CET 
As was noted in the bug for our previous file update, CVEs were requested for additional DoS issues fixed upstream:
https://bugs.mageia.org/show_bug.cgi?id=14818#c5

There still has been no response for the CVE request, but Debian included the fixes in their update for the CVE-2014-811[67] issues without waiting for the CVEs, as they noted here:
http://openwall.com/lists/oss-security/2015/01/16/14

Debian backported a bunch of prerequisite commits so that they could backport the actual fixes linked in that thread.  The full list of commits that they used is:
https://github.com/file/file/commit/6ce24f35cd4a43c4bdd249e8e0c4952c1f8eac67
https://github.com/file/file/commit/0056ec32255de1de973574b0300161a1568767d6
https://github.com/file/file/commit/09e41625c999a2e5b51e1092f0ef2432a99b5c33
https://github.com/file/file/commit/af444af0738468393f40f9d2261b1ea10fc4b2ba
https://github.com/file/file/commit/68bd8433c7e11a8dbe100deefdfac69138ee7cd9
https://github.com/file/file/commit/dddd3cdb95210a765dd90f7d722cb8b5534daee7
https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

I have backported the same set of commits for Mageia 4 and Cauldron and checked it into SVN (the 2015-dos patches).  The code changes are significant, but it did build.  Hopefully it works.

Here is the relevant DSA:
https://www.debian.org/security/2015/dsa-3121

Once CVEs are assigned, we can test these.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-17 01:25:48 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-01-18 19:10:13 CET 
CVE-2014-9620 and CVE-2014-9621 have been assigned:
http://openwall.com/lists/oss-security/2015/01/17/9

CVE-2014-9620 relates to the processing of ELF notes and CVE-2014-9621 (which only affects file >= 5.16) relates to the processing of long strings in ELF notes.

I actually hadn't checked the patches into SVN yet, but now they're appropriately named with the CVE numbers.

Patched packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13460#c4

Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update.  Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash or hang.

I've verified already that it works fine in Cauldron.

Advisory:
========================

Updated file packages fix security vulnerabilities:

Alexander Cherepanov reported that using the file command on a
specially-crafted ELF binary could lead to a denial of service due to
uncontrolled resource consumption while processing ELF section headers
(CVE-2014-9620, CVE-2014-9621).

As part of the fixes, several limits on aspects of the detection were added
or tightened, sometimes resulting in messages like "recursion limit exceeded"
or "too many program header sections".

To mitigate such shortcomings, these limits are controllable by a new -P,
--parameter option in the file program.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
http://openwall.com/lists/oss-security/2015/01/17/9
https://www.debian.org/security/2015/dsa-3121
========================

Updated packages in core/updates_testing:
========================
file-5.16-1.10.mga4
libmagic1-5.16-1.10.mga4
libmagic-devel-5.16-1.10.mga4
libmagic-static-devel-5.16-1.10.mga4
python-magic-5.16-1.10.mga4

from file-5.16-1.10.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: file new DoS issues fixed upstream in 5.22 => file new DoS issues fixed upstream in 5.22 (CVE-2014-962[01])
Whiteboard: MGA4TOO => has_procedure
Severity: normal => major

Comment 2 olivier charles 2015-01-18 20:20:02 CET 
Testing on Mageia4x64 real hardware, following procedure mentioned in Comment 1

From current packages :
--------------------
file-5.16-1.9.mga4
python-magic-5.16-1.9.mga4
libmagic1-5.16-1.9.mga4


$ file ~/*
$ file /usr/bin/*
$ file /usr/sbin/*
+ python test found in procedure.

Nothing to report

To updated testing packages :
---------------------------
file-5.16-1.10.mga4
python-magic-5.16-1.10.mga4
libmagic1-5.16-1.10.mga4


All OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 David Walser 2015-01-18 20:32:25 CET 
Tested fine for me on Mageia 4 i586 using the procedures in Comment 1.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 Lewis Smith 2015-01-18 20:48:29 CET 
Testing MGA4 x64 real hardware

Olivier beat me to it! I did the same with the current packages:
$ file ~/*
$ file ~/.*
$ file /usr/bin/*
$ python test.py           (Having created the script given in 
 https://bugs.mageia.org/show_bug.cgi?id=13460#c4)
All output sensible.

Updated to file-5.16-1.10.mga4, libmagic1-5.16-1.10.mga4, python-magic-5.16-1.10.mga4
All 4 tests ran similarly. OK verified.

CC: (none) => lewyssmith

Comment 5 claire robinson 2015-01-19 13:07:05 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-01-19 17:48:13 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-20 20:15:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/630069/

Comment 7 David Walser 2015-02-05 18:43:13 CET 
The following commit has been assigned CVE-2014-9653:
https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f

It was included in this update.
Comment 8 David Walser 2015-02-05 18:43:40 CET 
(In reply to David Walser from comment #7)
> The following commit has been assigned CVE-2014-9653:
> https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
> 
> It was included in this update.

Here was the CVE assignment:
http://openwall.com/lists/oss-security/2015/02/05/13
Comment 9 David Walser 2015-02-18 23:23:39 CET 
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > The following commit has been assigned CVE-2014-9653:
> > https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
> > 
> > It was included in this update.
> 
> Here was the CVE assignment:
> http://openwall.com/lists/oss-security/2015/02/05/13

LWN reference:
http://lwn.net/Vulnerabilities/633829/