Bug 12807 - file: infinite recursion (CVE-2014-1943)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586789/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Blocks: 12842

Reported: 2014-02-18 09:42 CET by Oden Eriksson
Modified: 2014-02-22 20:15 CET
Source RPM: file

Attachments
'test' file with 45 52 00 00 00 hexedit'ed at the start (5 bytes, application/octet-stream)
2014-02-21 23:44 CET, claire robinson

Description Oden Eriksson 2014-02-18 09:42:10 CET
https://bugzilla.redhat.com/show_bug.cgi?id=1065836

" Murray McAllister 2014-02-17 00:58:09 EST

A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html"

http://www.debian.org/security/2014/dsa-2861
Comment 1 Oden Eriksson 2014-02-18 09:44:32 CET
Fixed in file-5.17. I would probably backport file-5.17 from cauldron to have 5.17 in mga3 and mga4?
Comment 2 David Walser 2014-02-18 19:19:35 CET
We can patch file just as Debian did.

Their patch was a re-diff combination of the two upstream commits that you linked, as well as this one from between file 5.13 and 5.14, since their file version was older than 5.14 (as ours is in Mageia 3):
https://github.com/glensc/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe

I've re-diffed the three commits (two for Mageia 4) and submitted file.

Since you say PHP is affected, I won't submit to QA yet until you've patched that, presumably with the commit you linked on IRC this morning:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d

We should actually probably make another bug for QA to test php.

File packages uploaded:
file-5.12-8.1.mga3
libmagic1-5.12-8.1.mga3
libmagic-devel-5.12-8.1.mga3
libmagic-static-devel-5.12-8.1.mga3
python-magic-5.12-8.1.mga3
file-5.16-1.1.mga4
libmagic1-5.16-1.1.mga4
libmagic-devel-5.16-1.1.mga4
libmagic-static-devel-5.16-1.1.mga4
python-magic-5.16-1.1.mga4

from SRPMS:
file-5.12-8.1.mga3.src.rpm
file-5.16-1.1.mga4.src.rpm

For future QA reference, if anyone knows how to convert the binary file in the (file) upstream git commit back to an actual binary file, you can use that to reproduce this issue.  The PHP commit also creates it using PHP, so you could use that instead.
https://github.com/glensc/file/commit/f52ef08461a4bf0ab69a362d850e0397e0ab39a8.patch

For PHP, since the PHP commit includes the test, the build-time test suite will already check that the CVE is fixed.  For file this isn't the case, since the patch command doesn't accept git binary diffs like the one I linked above, otherwise I would have included it in the updated build.
Comment 3 David Walser 2014-02-21 17:31:37 CET
I split PHP into Bug 12842.  Assigning the "file" update to QA.

Advisory:
========================

Updated file packages fix security vulnerability:

It was discovered that file before 5.17 contains a flaw in the handling of
"indirect" magic rules in the libmagic library, which leads to an infinite
recursion when trying to determine the file type of certain files
(CVE-2014-1943).

Additionally, other well-crafted files might result in long computation times
(while using 100% CPU) and overlong results.

The affected packages have been patched to correct these flaws.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
http://www.debian.org/security/2014/dsa-2861
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.1.mga3
libmagic1-5.12-8.1.mga3
libmagic-devel-5.12-8.1.mga3
libmagic-static-devel-5.12-8.1.mga3
python-magic-5.12-8.1.mga3
file-5.16-1.1.mga4
libmagic1-5.16-1.1.mga4
libmagic-devel-5.16-1.1.mga4
libmagic-static-devel-5.16-1.1.mga4
python-magic-5.16-1.1.mga4

from SRPMS:
file-5.12-8.1.mga3.src.rpm
file-5.16-1.1.mga4.src.rpm
Comment 4 claire robinson 2014-02-21 23:44:41 CET
Created attachment 4999 [details]
'test' file with 45 52 00 00 00 hexedit'ed at the start

Causes a long execution time and segfault

$ time file test
Segmentation fault

real    0m12.312s
user    0m10.155s
sys     0m0.074s
Comment 5 claire robinson 2014-02-21 23:56:26 CET
Testing mga3 32

After
-----
$ time file test
test: Apple Driver Map, blocksize 0

real    0m0.007s
user    0m0.002s
sys     0m0.002s


Not sure the python module is working though, from the README here https://github.com/ahupp/python-magic.

>>> import magic
>>> magic.from_file("test")

Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    magic.from_file("test")
AttributeError: 'module' object has no attribute 'from_file'

>>> magic.from_file("/home/claire/test/test")

Traceback (most recent call last):
  File "<pyshell#2>", line 1, in <module>
    magic.from_file("/home/claire/test/test")
AttributeError: 'module' object has no attribute 'from_file'

>>> magic.from_buffer(open("test").read(1024))

Traceback (most recent call last):
  File "<pyshell#3>", line 1, in <module>
    magic.from_buffer(open("test").read(1024))
AttributeError: 'module' object has no attribute 'from_buffer'

Am I doing something wrong? Tried in idle and python cli.
Comment 6 Philippe Makowski 2014-02-22 00:17:21 CET
(In reply to claire robinson from comment #5)
> Not sure the python module is working though, from the README here
> https://github.com/ahupp/python-magic..
not the good module
> Am I doing something wrong? Tried in idle and python cli.
yes, the good module is here:
https://github.com/glensc/file/tree/master/python
(ref: http://www.darwinsys.com/file/)

try something like this:
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('Documents/progit.fr.pdf')
>>> print(tp)
PDF document, version 1.4
Comment 7 claire robinson 2014-02-22 00:21:15 CET
Thanks Philippe! Really need to find time to learn more python.

$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:48) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
>>> print(tp)
Apple Driver Map, blocksize 0
>>> quit()


Testing complete mga3 32
Comment 8 claire robinson 2014-02-22 00:28:58 CET
Testing complete mga3 64

Before
------
$ time file test
Segmentation fault

real    0m2.925s
user    0m2.850s
sys     0m0.013s


$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:10) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
Segmentation fault


After
-----
$ time file test
test: Apple Driver Map, blocksize 0

real    0m0.003s
user    0m0.001s
sys     0m0.001s

$ python
Python 2.7.6 (default, Feb 16 2014, 16:03:10) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import magic
>>> ms = magic.open(magic.NONE)
>>> ms.load()
0
>>> tp = ms.file('test')
>>> print(tp)
Apple Driver Map, blocksize 0
>>> quit()
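The before/after check run by hand in comments 4, 5 and 8 can be automated so that both failure modes of this bug (a hang at 100% CPU and a segfault) are caught rather than left to a human watching `time`. This is an added example, not code from the bug report, from Mageia or from the file project; it assumes Python 3 and a `file` binary on PATH, and the five-byte input is constructed to match the attachment description in comment 4 (it is not that attachment).

```python
import os
import signal
import subprocess
import tempfile

# Constructed input modelled on comment 4: a file whose first five bytes
# are 45 52 00 00 00. Constructed here, not the page's attachment.
TEST_BYTES = bytes([0x45, 0x52, 0x00, 0x00, 0x00])


def write_test_file(directory):
    """Write the constructed 'test' file into directory and return its path."""
    path = os.path.join(directory, "test")
    with open(path, "wb") as fh:
        fh.write(TEST_BYTES)
    return path


def classify(returncode, timed_out):
    """Map a subprocess outcome onto the states seen in this bug:
    'hang' (still running at the timeout), 'crash:<SIGNAL>' (killed by a
    signal, e.g. the segfault in comments 4 and 8), 'error' or 'ok'."""
    if timed_out:
        return "hang"
    if returncode < 0:                      # killed by signal -returncode
        return "crash:" + signal.Signals(-returncode).name
    if returncode != 0:
        return "error"
    return "ok"


def check_file_cmd(path, timeout=5.0):
    """Run file(1) on path under a wall-clock timeout; return (state, output).
    'unavailable' means there is no file binary on this host."""
    try:
        proc = subprocess.run(["file", path], capture_output=True,
                              text=True, timeout=timeout)
    except FileNotFoundError:
        return ("unavailable", "")
    except subprocess.TimeoutExpired:       # child is killed by subprocess.run
        return ("hang", "")
    return (classify(proc.returncode, False), proc.stdout.strip())


def run_check(timeout=5.0):
    """Create the test file in a temp dir, read back what was written and
    run the check. Returns (written_bytes, state, output)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_test_file(tmp)
        with open(path, "rb") as fh:
            written = fh.read()
        state, out = check_file_cmd(path, timeout)
    return written, state, out


if __name__ == "__main__":
    # A patched file(1) returns "ok" almost instantly (comments 5 and 8 report
    # "Apple Driver Map, blocksize 0"); "hang" or "crash:SIGSEGV" means the
    # libmagic in use still has the CVE-2014-1943 recursion.
    print(*run_check()[1:])
```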
Comment 9 Daniel Napora 2014-02-22 01:31:54 CET
Testing complete mga4 64
Comment 10 Daniel Napora 2014-02-22 01:43:03 CET
Testing complete mga4 32
Comment 11 Rémi Verschelde 2014-02-22 09:48:44 CET
Validating update, advisory uploaded. Please push to 3 & 4 core/updates.
Comment 12 Thomas Backlund 2014-02-22 20:15:08 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0092.html
