Upstream has released versions 5.4.29 and 5.5.12 on May 29:
http://www.php.net/archive/2014.php#id2014-05-29-5
http://www.php.net/archive/2014.php#id2014-05-29-3

As with other recent PHP CVEs, these were issues in fileinfo, so the file package may also be affected.
Whiteboard: (none) => MGA3TOO
RedHat's bugs for these issues identify upstream commits to file:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238

Looking at the code and other commits, I think we should add in some other commits as well. RedHat linked these:
https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0

It looks like it'd be good to pull these in too:
https://github.com/file/file/commit/961f3849dd0ed90dd658a7126cc0f1c91d6e4bcf
https://github.com/file/file/commit/b51659e225841db5cf0c6dfd76950ffbe4c8cf72
https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391

using the readcdf.c section only of the 2nd one there and the cdf.c section only of the third one there. When I get a chance to commit this, I'll have to clone this bug for the file package.
URL: (none) => http://lwn.net/Vulnerabilities/601059/
The second commit linked above references CVE-2014-0207 in the commit message, but I'm not sure why. I can't find any references to that anywhere else. I've added the commits to file as described above to the file package for Mageia 3, Mageia 4, and Cauldron. Cloning this bug next...
Severity: normal => major
Blocks: (none) => 13476
Blocks: 13476 => (none)
Bug cloned. Let's use this bug for file and Bug 13476 for PHP.

Advisory:
========================

Updated file packages fix security vulnerabilities:

A flaw was found in the way file's Composite Document Files (CDF) format parser handles CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.4.mga3
libmagic1-5.12-8.4.mga3
libmagic-devel-5.12-8.4.mga3
libmagic-static-devel-5.12-8.4.mga3
python-magic-5.12-8.4.mga3
file-5.16-1.3.mga4
libmagic1-5.16-1.3.mga4
libmagic-devel-5.16-1.3.mga4
libmagic-static-devel-5.16-1.3.mga4
python-magic-5.16-1.3.mga4

from SRPMS:
file-5.12-8.4.mga3.src.rpm
file-5.16-1.3.mga4.src.rpm
Assignee: oe => qa-bugs
Summary: php new security issues CVE-2014-0237 and CVE-2014-0238 => file new security issues CVE-2014-0237 and CVE-2014-0238
Source RPM: php-5.5.12-1.mga4.src.rpm => file-5.16-1.2.mga4.src.rpm
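The package list above and the Source RPM change (file-5.16-1.2.mga4 before, 5.16-1.3.mga4 after) are the facts a tester actually has to compare, and "1.10" versus "1.4" style comparisons go wrong with plain string ordering. The following is an added example, not part of this bug or of the file project: it reimplements rpm's segment-wise rpmvercmp ordering in Python so the check runs without the rpm module, and decides for a given installed name-version-release whether it is at or past the fixed build for its Mageia release. The installed NVRs in the sample are constructed; epoch is assumed equal (true for every package in this update).

```python
import re

# Fixed file/libmagic version-release strings from the advisory above.
FIXED_VR = {
    "mga3": "5.12-8.4.mga3",
    "mga4": "5.16-1.3.mga4",
}

# rpmvercmp tokenizer: runs of digits, runs of letters, or a lone '~';
# every other character is a separator and is dropped.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as rpm's rpmvercmp() would for two version or
    release strings: numeric segments compare as integers, alpha segments
    lexically, numeric beats alpha, '~' sorts before everything (so a
    pre-release is older than the final), and a longer string wins ties."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1      # only b has a tilde here: b is older
            if y != "~":
                return -1     # only a has a tilde here: a is older
            continue          # both tilde, keep going
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1   # number beats letters
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1   # leftover tilde makes the longer side older
    return 1 if a_longer else -1


def split_nvr(nvr):
    """'libmagic1-5.16-1.2.mga4' -> ('libmagic1', '5.16', '1.2.mga4')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(vr_a, vr_b):
    """Compare two 'version-release' strings (epoch assumed equal)."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_fixed(nvr):
    """True when the installed build is at or past the fixed build for its
    Mageia release; raises for a release the advisory does not cover."""
    _, version, release = split_nvr(nvr)
    for dist, fixed in FIXED_VR.items():
        if release.endswith("." + dist):
            return compare_vr(version + "-" + release, fixed) >= 0
    raise ValueError("release branch not covered by this advisory: " + nvr)


def audit(installed):
    """Map each installed NVR to 'fixed' or 'VULNERABLE'."""
    return {nvr: ("fixed" if is_fixed(nvr) else "VULNERABLE") for nvr in installed}


if __name__ == "__main__":
    # Constructed sample of what 'rpm -q file libmagic1 python-magic' might
    # print; the second entry is the pre-update build named in this bug.
    sample = ["file-5.16-1.3.mga4", "libmagic1-5.16-1.2.mga4", "python-magic-5.12-8.4.mga3"]
    for nvr, state in sorted(audit(sample).items()):
        print("%-30s %s" % (nvr, state))
```

Feed it the output of `rpm -q file libmagic1 libmagic-devel python-magic` on the box under test; anything reported VULNERABLE still carries the pre-update libmagic.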
Testing complete mga4 64

No PoC and difficult to find a cdf file example so just checking file works ok..

$ file ~/*
Shows long list.

Testing python-magic, excuse the lack of python skills, I modified the script from previous testing..

$ cat test.py
import os
import magic

# Identify every entry in the home directory through libmagic (the file
# project's python binding), the same thing "file ~/*" does above.
path = os.path.expanduser('~')
listing = os.listdir(path)
ms = magic.open(magic.NONE)   # one magic cookie reused for every file
ms.load()                     # load the default magic database
for infile in listing:
    tp = ms.file(os.path.join(path, infile))
    print (infile + " " + tp)
ms.close()

$ python test.py
Shows a long list
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0252.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
(In reply to David Walser from comment #2)
> The second commit linked above references CVE-2014-0207 in the commit
> message, but I'm not sure why. I can't find any references to that anywhere
> else.

It looks like upstream got their CVEs mixed up. While the commit message for the second commit I linked in Comment 1 says CVE-2014-0207, it was for CVE-2014-0238 as previously stated. However, the fifth commit (cdf.c portion) that I linked in Comment 1 has been identified by RedHat and PHP as CVE-2014-0207:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0207

So in other words, CVE-2014-0207, publicly announced yesterday (June 26) as fixed in the newest versions of PHP, was already fixed in our file package by this update.

Addendum to advisory:

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. Invalid pointer dereference flaws due to an incorrect boundary check in the cdf_read_short_sector() function could cause the file executable to crash (CVE-2014-0207).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0207
Summary: file new security issues CVE-2014-0237 and CVE-2014-0238 => file new security issues CVE-2014-0207, CVE-2014-0237, and CVE-2014-0238
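The advisory text and its addendum describe three failure modes of a property-stream parser: an entry declaring zero elements that the loop never advances past (CVE-2014-0238), reads past the end of the data because of a missing boundary check (CVE-2014-0207), and the same data re-read over and over so that work is no longer bounded by the input size (CVE-2014-0237). The block below is an added example, not libmagic's cdf.c and not the real CDF on-disk layout: it defines a deliberately simplified property stream (a constructed format, chosen only for illustration) and a walker that applies the three checks those descriptions imply, so a zero-element vector, a truncated stream and a directory that points at the same offset twice are all rejected with an error instead of hanging or crashing. The sample streams in the test and in the `__main__` section are constructed.

```python
import struct

# Constructed layout for this example (not the CDF property-set format):
#   u32 nprops
#   nprops * (u32 propid, u32 offset)           -- directory
#   at each offset: u32 type, then the payload:
#       VT_U32: u32 value
#       VT_VEC: u32 count, then count * u32 elements
VT_U32 = 1
VT_VEC = 2


class CdfError(ValueError):
    """Raised for any malformed stream; the caller reports instead of looping."""


def _u32(buf, off):
    """Bounds-checked little-endian u32 read (the 'boundary check' of CVE-2014-0207)."""
    if off < 0 or off + 4 > len(buf):
        raise CdfError("read of 4 bytes at %d exceeds %d-byte stream" % (off, len(buf)))
    return struct.unpack_from("<I", buf, off)[0]


def parse_props(buf, max_props=4096):
    """Walk the directory and return {propid: value_or_list}.  Every byte of
    the stream is visited at most once per directory entry, so the work done
    is linear in len(buf) whatever the header claims."""
    nprops = _u32(buf, 0)
    if nprops > max_props:
        raise CdfError("nprops %d exceeds cap %d" % (nprops, max_props))
    dir_end = 4 + 8 * nprops
    if dir_end > len(buf):
        raise CdfError("directory of %d entries does not fit in stream" % nprops)
    seen = set()
    props = {}
    for i in range(nprops):
        pid = _u32(buf, 4 + 8 * i)
        off = _u32(buf, 8 + 8 * i)
        if off in seen:
            # Two entries naming one offset would make us parse it twice.
            raise CdfError("offset %d referenced twice" % off)
        if off < dir_end:
            raise CdfError("offset %d points into the directory" % off)
        seen.add(off)
        vtype = _u32(buf, off)
        if vtype == VT_U32:
            props[pid] = _u32(buf, off + 4)
        elif vtype == VT_VEC:
            count = _u32(buf, off + 4)
            if count == 0:
                # A zero-element vector consumes nothing; refuse it outright.
                raise CdfError("vector property %d has zero elements" % pid)
            if count > (len(buf) - (off + 8)) // 4:
                # Check the whole claimed extent before reading any element.
                raise CdfError("vector property %d claims %d elements, stream too short" % (pid, count))
            props[pid] = [_u32(buf, off + 8 + 4 * j) for j in range(count)]
        else:
            raise CdfError("unknown property type %d" % vtype)
    return props


def build(entries):
    """Serialize [(pid, type, value)] into the layout above; used here only to
    construct test inputs."""
    dir_size = 4 + 8 * len(entries)
    directory = struct.pack("<I", len(entries))
    body = b""
    for pid, vtype, val in entries:
        directory += struct.pack("<II", pid, dir_size + len(body))
        if vtype == VT_U32:
            body += struct.pack("<II", vtype, val)
        else:
            body += struct.pack("<II", vtype, len(val))
            body += b"".join(struct.pack("<I", v) for v in val)
    return directory + body


def classify(buf):
    """'ok' when the stream parses, otherwise the CdfError message."""
    try:
        parse_props(buf)
        return "ok"
    except CdfError as e:
        return str(e)


if __name__ == "__main__":
    good = build([(2, VT_U32, 7), (3, VT_VEC, [1, 2, 3])])
    print("well-formed:", parse_props(good))
    print("zero-element vector:", classify(build([(3, VT_VEC, [])])))
    print("truncated stream:", classify(good[:-4]))
```

The point to carry over to any binary parser is in the `VT_VEC` branch: the element count is validated against the remaining bytes as a whole before the loop starts, and a count that would make the loop a no-op is an error rather than something to "skip", because a walker that relies on the count to advance has no other way out.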