Fedora has issued an advisory on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html

Patched package uploaded for Mageia 3. The issue was fixed upstream in 5.15, so Mageia 4 and Cauldron are not affected.

Advisory:
========================

Updated file packages fix security vulnerabilities:

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.3.mga3
libmagic1-5.12-8.3.mga3
libmagic-devel-5.12-8.3.mga3
libmagic-static-devel-5.12-8.3.mga3
python-magic-5.12-8.3.mga3

from file-5.12-8.3.mga3.src.rpm

Reproducible:

Steps to Reproduce:

PoC on the upstream bug http://bugs.gw.com/view.php?id=164

create a file with 10KB newlines:
$ dd ibs=10000 count=1 if=/dev/zero | tr '\0' '\n' > newlines

run file w/out the BEGIN regex (in multi- or single- byte locale):
$ time file newlines
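The backtracking cost named in the advisory, as an added example that is not part of this bug report or of file's source: a step-counting model of a backtracking search for whitespace, `BEGIN`, whitespace, `{` tried at every offset. The function name, the simplified matcher and the bound of 100 are assumptions for illustration; the page shows neither the actual regex nor the upstream change.

```python
WS = set(" \t\n\r\f\v")

def search_steps(text, max_ws=None):
    """Count character tests in a naive backtracking search for
    <whitespace run>BEGIN<whitespace run>{ tried at every offset.
    max_ws=None models an unlimited repetition; an int models a bounded
    one (an assumed mitigation, not taken from the page)."""
    steps, n = 0, len(text)
    for start in range(n + 1):
        # Greedy phase: consume as much leading whitespace as allowed.
        run = 0
        while (start + run < n and text[start + run] in WS
               and (max_ws is None or run < max_ws)):
            run += 1
            steps += 1
        # Backtracking phase: hand whitespace back one character at a
        # time and retry the literal after each shorter run.
        for lead in range(run, -1, -1):
            pos = start + lead
            steps += 1
            if not text.startswith("BEGIN", pos):
                continue
            pos += len("BEGIN")
            # Trailing run: a shorter run cannot help because the next
            # character would be whitespace, so the model does not retry it.
            trail = 0
            while (pos < n and text[pos] in WS
                   and (max_ws is None or trail < max_ws)):
                pos, trail, steps = pos + 1, trail + 1, steps + 1
            steps += 1
            if pos < n and text[pos] == "{":
                return True, steps
    return False, steps

if __name__ == "__main__":
    # Constructed input: files made only of newlines, like the PoC above.
    for size in (500, 1000, 2000):
        data = "\n" * size
        print(size, search_steps(data)[1], search_steps(data, max_ws=100)[1])
```

In this model, doubling the newline count roughly quadruples the unbounded step count, while the bounded variant grows about linearly.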
Whiteboard: (none) => has_procedure
Tested on mga3 64bit. The updated version spends about 50% of the time on the newlines file and still identifies a random set of files the same as before.
CC: (none) => balaton
Whiteboard: has_procedure => has_procedure MGA3-64-OK
Tested on mga3 32bit. Similar results as on 64bit (newlines done in 58% of the time taken before the update). Someone please take care of the advisory and validating.
Whiteboard: has_procedure MGA3-64-OK => has_procedure MGA3-64-OK MGA3-32-OK
Validating update, advisory has been uploaded. Please push to 3 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK => has_procedure MGA3-64-OK MGA3-32-OK advisory
CC: (none) => remi, sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0142.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
Affects php as well:
http://www.php.net/ChangeLog-5.php#5.4.27
http://www.php.net/ChangeLog-5.php#5.5.11
https://bugs.php.net/bug.php?id=66946
Status: RESOLVED => REOPENED
CC: (none) => oe
Resolution: FIXED => (none)
I know, I have an update ready to go and a bug already assigned to you: https://bugs.mageia.org/show_bug.cgi?id=13142
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Ooos.
OOPS. Tired now.