https://bugzilla.redhat.com/show_bug.cgi?id=1065836

"Murray McAllister 2014-02-17 00:58:09 EST

A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html"

http://www.debian.org/security/2014/dsa-2861
Fixed in file-5.17. I would probably backport file-5.17 from cauldron to have 5.17 in mga3 and mga4?
We can patch file just as Debian did. Their patch was a re-diff combination of the two upstream commits that you linked, as well as this one from between file 5.13 and 5.14, since their file version was older than 5.14 (as ours is in Mageia 3):
https://github.com/glensc/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe

I've re-diffed the three commits (two for Mageia 4) and submitted file.

Since you say PHP is affected, I won't submit to QA yet until you've patched that, presumably with the commit you linked on IRC this morning:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d

We should actually probably make another bug for QA to test php.

File packages uploaded:
file-5.12-8.1.mga3
libmagic1-5.12-8.1.mga3
libmagic-devel-5.12-8.1.mga3
libmagic-static-devel-5.12-8.1.mga3
python-magic-5.12-8.1.mga3
file-5.16-1.1.mga4
libmagic1-5.16-1.1.mga4
libmagic-devel-5.16-1.1.mga4
libmagic-static-devel-5.16-1.1.mga4
python-magic-5.16-1.1.mga4

from SRPMS:
file-5.12-8.1.mga3.src.rpm
file-5.16-1.1.mga4.src.rpm

For future QA reference, if anyone knows how to convert the binary file in the (file) upstream git commit back to an actual binary file, you can use that to reproduce this issue. The PHP commit also creates it using PHP, so you could use that instead.
https://github.com/glensc/file/commit/f52ef08461a4bf0ab69a362d850e0397e0ab39a8.patch

For PHP, since the PHP commit includes the test, the build-time test suite will already check that the CVE is fixed. For file this isn't the case, since the patch command doesn't accept git binary diffs like the one I linked above, otherwise I would have included it in the updated build.
URL: http://lwn.net/Articles/586755/ => http://lwn.net/Vulnerabilities/586789/
Version: 3 => 4
Summary: CVE-2014-1943: file, php: infinite recursion => file, php: infinite recursion (CVE-2014-1943)
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 12842
I split PHP into Bug 12842. Assigning the "file" update to QA.

Advisory:
========================

Updated file packages fix security vulnerability:

It was discovered that file before 5.17 contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

Additionally, other well-crafted files might result in long computation times (while using 100% CPU) and overlong results.

The affected packages have been patched to correct these flaws.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://www.debian.org/security/2014/dsa-2861
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.1.mga3
libmagic1-5.12-8.1.mga3
libmagic-devel-5.12-8.1.mga3
libmagic-static-devel-5.12-8.1.mga3
python-magic-5.12-8.1.mga3
file-5.16-1.1.mga4
libmagic1-5.16-1.1.mga4
libmagic-devel-5.16-1.1.mga4
libmagic-static-devel-5.16-1.1.mga4
python-magic-5.16-1.1.mga4

from SRPMS:
file-5.12-8.1.mga3.src.rpm
file-5.16-1.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Summary: file, php: infinite recursion (CVE-2014-1943) => file: infinite recursion (CVE-2014-1943)
Severity: normal => major
Source RPM: file, php => file
Created attachment 4999 [details]
'test' file with 45 52 00 00 00 hexedit'ed at the start

Causes a long execution time and segfault

$ time file test
Segmentation fault

real 0m12.312s
user 0m10.155s
sys 0m0.074s
Testing mga3 32

After
-----
$ time file test
test: Apple Driver Map, blocksize 0

real 0m0.007s
user 0m0.002s
sys 0m0.002s

Not sure the python module is working though, from the README here https://github.com/ahupp/python-magic..

>>> import magic
>>> magic.from_file("test")
Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    magic.from_file("test")
AttributeError: 'module' object has no attribute 'from_file'
>>> magic.from_file("/home/claire/test/test")
Traceback (most recent call last):
  File "<pyshell#2>", line 1, in <module>
    magic.from_file("/home/claire/test/test")
AttributeError: 'module' object has no attribute 'from_file'
>>> magic.from_buffer(open("test").read(1024))
Traceback (most recent call last):
  File "<pyshell#3>", line 1, in <module>
    magic.from_buffer(open("test").read(1024))
AttributeError: 'module' object has no attribute 'from_buffer'

Am I doing something wrong? Tried in idle and python cli.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
(In reply to claire robinson from comment #5)
> Not sure the python module is working though, from the README here
> https://github.com/ahupp/python-magic..

not the good module

> Am I doing something wrong? Tried in idle and python cli.

yes, the good module is here :
https://github.com/glensc/file/tree/master/python
(ref : http://www.darwinsys.com/file/)

try something like this :

>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('Documents/progit.fr.pdf')
>>> print(tp)
PDF document, version 1.4
CC: (none) => makowski.mageia
Thanks Philippe! Really need to find time to learn more python.

$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:48)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
>>> print(tp)
Apple Driver Map, blocksize 0
>>> quit()

Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok
Testing complete mga3 64

Before
------
$ time file test
Segmentation fault

real 0m2.925s
user 0m2.850s
sys 0m0.013s

$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:10)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
Segmentation fault

After
-----
$ time file test
test: Apple Driver Map, blocksize 0

real 0m0.003s
user 0m0.001s
sys 0m0.001s

$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:10)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
>>> print(tp)
Apple Driver Map, blocksize 0
>>> quit()
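
The before/after checks in this thread can be scripted so that a segfault or a CPU spin is recorded as a verdict instead of taking down the tester's interpreter. This is an added example, not part of the original bug report or of the file project; the names `classify` and `check_sample` and the 5-second timeout are assumptions, and the script expects an existing sample file rather than creating one.

```python
"""Added example: classify a file/libmagic run as ok, error, crash or hang."""
import os
import signal
import subprocess
import sys

# One-liner for the binding shipped with file (the python-magic package),
# using the same calls shown in the thread: open(), load(), file().
BINDING = ("import sys, magic; ms = magic.open(magic.NONE); ms.load(); "
           "print(ms.file(sys.argv[1]))")


def classify(cmd, timeout=5.0):
    """Run cmd in a child process and return (verdict, detail)."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising this.
        return ("hang", "no result within %.1fs" % timeout)
    except OSError as exc:
        return ("error", str(exc))
    if proc.returncode < 0:
        # Negative return code: the child died from that signal number.
        return ("crash", signal.Signals(-proc.returncode).name)
    out = proc.stdout.decode(errors="replace").strip()
    return ("ok" if proc.returncode == 0 else "error", out)


def check_sample(path, timeout=5.0):
    """Check the CLI and the Python binding against one sample file."""
    if not os.path.isfile(path):
        # A missing sample must not be mistaken for a clean result.
        raise FileNotFoundError(path)
    return {
        "file": classify(["file", "--", path], timeout),
        "python-magic": classify([sys.executable, "-c", BINDING, path], timeout),
    }


if __name__ == "__main__":
    results = check_sample(sys.argv[1])
    for name, (verdict, detail) in sorted(results.items()):
        print("%-13s %-6s %s" % (name, verdict, detail))
    sys.exit(0 if all(v == "ok" for v, _ in results.values()) else 1)
```

Run it with the sample path as the only argument, once before and once after installing the update; the binding check reports "error" if the module is not installed for the interpreter running the script.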
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga4 64
CC: (none) => napcok
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating update, advisory uploaded. Please push to 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0092.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED