Bug 13460 - file new security issues CVE-2014-0207, CVE-2014-0237, and CVE-2014-0238
Summary: file new security issues CVE-2014-0207, CVE-2014-0237, and CVE-2014-0238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601059/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-30 18:20 CEST by David Walser
Modified: 2014-06-27 17:03 CEST (History)

See Also:
Source RPM: file-5.16-1.2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-05-30 18:20:59 CEST
Upstream has released versions 5.4.29 and 5.5.12 on May 29:
http://www.php.net/archive/2014.php#id2014-05-29-5
http://www.php.net/archive/2014.php#id2014-05-29-3

As with other recent PHP CVEs, these were issues in fileinfo, so the file package may also be affected.

David Walser 2014-05-30 18:21:05 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-06-02 19:48:04 CEST
RedHat's bugs for these issues identify upstream commits to file:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238

Looking at the code and other commits, I think we should add in some other commits as well.

RedHat linked these:
https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0

It looks like it'd be good to pull these in too:
https://github.com/file/file/commit/961f3849dd0ed90dd658a7126cc0f1c91d6e4bcf
https://github.com/file/file/commit/b51659e225841db5cf0c6dfd76950ffbe4c8cf72
https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391

using the readcdf.c section only of the 2nd one there and the cdf.c section only of the third one there.

When I get a chance to commit this, I'll have to clone this bug for the file package.

URL: (none) => http://lwn.net/Vulnerabilities/601059/

Comment 2 David Walser 2014-06-03 15:26:19 CEST
The second commit linked above references CVE-2014-0207 in the commit message, but I'm not sure why.  I can't find any references to that anywhere else.

I've added the commits to file as described above to the file package for Mageia 3, Mageia 4, and Cauldron.  Cloning this bug next...

Severity: normal => major

David Walser 2014-06-03 15:26:57 CEST

Blocks: (none) => 13476

David Walser 2014-06-03 15:27:31 CEST

Blocks: 13476 => (none)

Comment 3 David Walser 2014-06-03 15:33:08 CEST
Bug cloned.  Let's use this bug for file and Bug 13476 for PHP.

Advisory:
========================

Updated file packages fix security vulnerabilities:

A flaw was found in the way file's Composite Document Files (CDF) format
parser handles CDF files with many summary info entries.  The
cdf_unpack_summary_info() function unnecessarily repeatedly read the info
from the same offset.  This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount of
CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files.  A property entry with 0 elements triggers an
infinite loop (CVE-2014-0238).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0237
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0238
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.4.mga3
libmagic1-5.12-8.4.mga3
libmagic-devel-5.12-8.4.mga3
libmagic-static-devel-5.12-8.4.mga3
python-magic-5.12-8.4.mga3
file-5.16-1.3.mga4
libmagic1-5.16-1.3.mga4
libmagic-devel-5.16-1.3.mga4
libmagic-static-devel-5.16-1.3.mga4
python-magic-5.16-1.3.mga4

from SRPMS:
file-5.12-8.4.mga3.src.rpm
file-5.16-1.3.mga4.src.rpm

Assignee: oe => qa-bugs
Summary: php new security issues CVE-2014-0237 and CVE-2014-0238 => file new security issues CVE-2014-0237 and CVE-2014-0238
Source RPM: php-5.5.12-1.mga4.src.rpm => file-5.16-1.2.mga4.src.rpm

Comment 4 claire robinson 2014-06-04 19:45:49 CEST
Testing complete mga4 64

No PoC and difficult to find a cdf file example so just checking file works ok..

$ file ~/*

Shows long list.

Testing python-magic, excuse the lack of python skills, I modified the script from previous testing..

$ cat test.py
import os
import magic

# Open one libmagic handle and load the default magic database once,
# rather than re-creating it for every file in the directory.
ms = magic.open(magic.NONE)
ms.load()

path = os.path.expanduser('~')
for infile in os.listdir(path):
    tp = ms.file(os.path.join(path, infile))
    # ms.file() returns None when libmagic could not examine the file,
    # so fall back to a marker instead of failing on the concatenation.
    print(infile + " " + (tp or "<unreadable>"))

ms.close()


$ python test.py

Shows a long list

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 5 claire robinson 2014-06-04 19:52:54 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-04 19:57:20 CEST
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2014-06-04 20:00:45 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-06-06 08:28:53 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0252.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 David Walser 2014-06-27 17:03:20 CEST
(In reply to David Walser from comment #2)
> The second commit linked above references CVE-2014-0207 in the commit
> message, but I'm not sure why.  I can't find any references to that anywhere
> else.

It looks like upstream got their CVEs mixed up.  While the commit message for the second commit I linked in Comment 1 says CVE-2014-0207, it was for CVE-2014-0238 as previously stated.  However, the fifth commit (cdf.c portion) that I linked in Comment 1 has been identified by RedHat and PHP as CVE-2014-0207:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0207

So in other words, CVE-2014-0207, publicly announced yesterday (June 26) as fixed in the newest versions of PHP, was already fixed in our file package by this update.

Addendum to advisory:

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files. Invalid pointer dereference flaws due to an
incorrect boundary check in the cdf_read_short_sector() function, could cause
the file executable to crash (CVE-2014-0207).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0207

Summary: file new security issues CVE-2014-0237 and CVE-2014-0238 => file new security issues CVE-2014-0207, CVE-2014-0237, and CVE-2014-0238
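The addendum above attributes CVE-2014-0207 to an incorrect boundary check in cdf_read_short_sector(). The following is added illustrative C, not file's code and not Mageia's patch: a constructed model of a CDF short-sector stream and a reader that refuses any sector index not wholly inside the stream before it copies anything (the type and function names, the 64-byte probe buffer and the sample bytes are all invented for this example).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a CDF short-sector stream (not file's real
 * cdf_stream_t): len bytes of data split into sectors of ss bytes,
 * so sector n occupies bytes [n*ss, (n+1)*ss). */
typedef struct {
    const uint8_t *data;
    size_t len;   /* total bytes in the stream */
    size_t ss;    /* short sector size */
} cdf_model_stream;

/* Copy short sector n into out (which must hold ss bytes); return 0,
 * or -1 if the sector is not entirely inside the stream.  Comparing n
 * against len/ss instead of computing (n+1)*ss cannot overflow size_t
 * for a huge n, and it also rejects a trailing partial sector. */
int cdf_model_read_short_sector(const cdf_model_stream *st, size_t n, uint8_t *out)
{
    if (st->ss == 0 || st->len < st->ss)
        return -1;              /* malformed: not even one whole sector */
    if (n >= st->len / st->ss)
        return -1;              /* boundary check: index past the stream */
    memcpy(out, st->data + n * st->ss, st->ss);
    return 0;
}
/* Read sector n and return its first byte, or -1 when it is rejected. */
int cdf_model_probe(const cdf_model_stream *st, size_t n)
{
    uint8_t buf[64];
    if (st->ss > sizeof buf || cdf_model_read_short_sector(st, n, buf) != 0)
        return -1;
    return buf[0];
}

/* Constructed sample: three 4-byte sectors, plus a view of the same bytes
 * truncated to 10, so its third sector is only half present. */
static const uint8_t sample[12] = "AAAABBBBCCCC";
static const cdf_model_stream full_stream = { sample, sizeof sample, 4 };
static const cdf_model_stream truncated_stream = { sample, 10, 4 };

int main(void)
{
    const cdf_model_stream *streams[2] = { &full_stream, &truncated_stream };
    for (int s = 0; s < 2; s++)
        for (size_t n = 0; n < 4; n++) {
            int b = cdf_model_probe(streams[s], n);
            if (b < 0) printf("stream %d sector %zu: rejected\n", s, n);
            else       printf("stream %d sector %zu: '%c'\n", s, n, b);
        }
    return 0;
}
```

Both the index past the end of the stream and the half-present third sector of the truncated view are refused before any memcpy, which is the class of check whose absence lets a parser dereference past its buffer.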

