Bug 13105 - file new security issue CVE-2013-7345
Summary: file new security issue CVE-2013-7345
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592275/
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK a...
Keywords: validated_update
Reported: 2014-03-27 18:31 CET by David Walser
Modified: 2014-04-09 14:46 CEST

Source RPM: file-5.12-8.2.mga3.src.rpm

Description David Walser 2014-03-27 18:31:56 CET
Fedora has issued an advisory on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html

Patched package uploaded for Mageia 3.

The issue was fixed upstream in 5.15, so Mageia 4 and Cauldron are not affected.

Advisory:
========================

Updated file packages fix security vulnerabilities:

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards with
unlimited repetitions, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted ASCII file that triggers a
large amount of backtracking, as demonstrated via a file with many newline
characters (CVE-2013-7345).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130688.html
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.3.mga3
libmagic1-5.12-8.3.mga3
libmagic-devel-5.12-8.3.mga3
libmagic-static-devel-5.12-8.3.mga3
python-magic-5.12-8.3.mga3

from file-5.12-8.3.mga3.src.rpm

Comment 1 claire robinson 2014-03-27 18:50:11 CET
PoC on the upstream bug http://bugs.gw.com/view.php?id=164


create a file with 10KB newlines:
  $ dd ibs=10000 count=1 if=/dev/zero | tr '\0' '\n' > newlines

run file w/out the BEGIN regex (in multi- or single- byte locale):
  $ time file newlines

Whiteboard: (none) => has_procedure
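
Added example, not part of the bug report or of upstream's code: a step-count model of a naive backtracking matcher, showing why the 10,000-newline file from Comment 1 is expensive for the kind of pattern the advisory describes, and how bounding the repetition (one common mitigation) contains the cost. The pattern shape `^\s*BEGIN\s*[{]`, the bound of 100 and the function names are assumptions for illustration; the page does not quote the actual magic entry.

```python
# Model of a newline-sensitive backtracking regex engine running a pattern
# shaped like  ^\s*BEGIN\s*[{]  (assumed shape, not quoted from the page).
# "^" may match at the start of every line, and "\s" also eats newlines, so
# each line start re-scans the whitespace that follows it.

WS = b" \t\n\r\v\f"

def ws_runs(data):
    """runs[i] = number of consecutive whitespace bytes starting at offset i."""
    runs = [0] * (len(data) + 1)
    for i in range(len(data) - 1, -1, -1):
        runs[i] = runs[i + 1] + 1 if data[i] in WS else 0
    return runs

def scan(data, bound=None):
    """Return (matched, attempts).

    attempts counts how often the engine tries the literal "BEGIN" after
    choosing a length for the first \\s repetition. bound=None models \\s*,
    bound=N models \\s{0,N}.
    """
    runs = ws_runs(data)
    starts = [0] + [i + 1 for i, b in enumerate(data) if b == 0x0A]
    attempts = 0
    for s in starts:
        run = runs[s]
        take = run if bound is None else min(run, bound)
        # Only the longest split can land on a non-space byte, so it is the
        # only one where "BEGIN" can match; greedy matching tries it first.
        if take == run and data.startswith(b"BEGIN", s + run):
            after = s + run + 5
            r2 = runs[after]
            if (bound is None or r2 <= bound) and data[after + r2:after + r2 + 1] == b"{":
                return True, attempts + 1
        # Every split from `take` down to 0 is tried and fails: take + 1 tries.
        attempts += take + 1
    return False, attempts

if __name__ == "__main__":
    newlines = b"\n" * 10000                       # constructed input, as in Comment 1
    print("unbounded :", scan(newlines))           # quadratic in the run length
    print("bounded   :", scan(newlines, bound=100))
    print("awk script:", scan(b"BEGIN {\n print 1\n}\n", bound=100))
```

The model counts only attempts at the literal after the first repetition; a real engine does additional work per attempt, so the numbers show the growth rate rather than predict wall-clock time.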

Comment 2 Zoltan Balaton 2014-03-28 16:10:13 CET
Tested on mga3 64bit.
The updated version spends about 50% of the time on the newlines file and still identifies a random set of files the same as before.

CC: (none) => balaton
Whiteboard: has_procedure => has_procedure MGA3-64-OK

Comment 3 Zoltan Balaton 2014-03-28 16:23:07 CET
Tested on mga3 32bit.
Similar results as on 64bit (newlines done in 58% of the time taken before the update).
Someone please take care of the advisory and validating.

Whiteboard: has_procedure MGA3-64-OK => has_procedure MGA3-64-OK MGA3-32-OK

Comment 4 Rémi Verschelde 2014-03-28 22:13:37 CET
Validating update, advisory has been uploaded.
Please push to 3 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK => has_procedure MGA3-64-OK MGA3-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Pascal Terjan 2014-03-31 21:34:59 CEST
http://advisories.mageia.org/MGASA-2014-0142.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED

Comment 6 Oden Eriksson 2014-04-09 14:38:26 CEST
Affects php as well:

http://www.php.net/ChangeLog-5.php#5.4.27
http://www.php.net/ChangeLog-5.php#5.5.11

https://bugs.php.net/bug.php?id=66946

Status: RESOLVED => REOPENED
CC: (none) => oe
Resolution: FIXED => (none)

Comment 7 David Walser 2014-04-09 14:41:34 CEST
I know, I have an update ready to go and a bug already assigned to you:
https://bugs.mageia.org/show_bug.cgi?id=13142

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 8 Oden Eriksson 2014-04-09 14:45:18 CEST
Ooos.

Comment 9 Oden Eriksson 2014-04-09 14:46:01 CEST
OOPS. Tired now.
