Two security issues fixed in file 5.21 have been announced:
http://openwall.com/lists/oss-security/2014/12/16/2

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated file packages fix security vulnerabilities:

Thomas Jarosch of Intra2net AG reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled resource consumption (CVE-2014-8116).

Thomas Jarosch of Intra2net AG reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled recursion (CVE-2014-8117).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
http://openwall.com/lists/oss-security/2014/12/16/2
https://bugzilla.redhat.com/show_bug.cgi?id=1171580
https://bugzilla.redhat.com/show_bug.cgi?id=1174606
========================

Updated packages in core/updates_testing:
========================
file-5.16-1.8.mga4
libmagic1-5.16-1.8.mga4
libmagic-devel-5.16-1.8.mga4
libmagic-static-devel-5.16-1.8.mga4
python-magic-5.16-1.8.mga4

from file-5.16-1.8.mga4.src.rpm
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13460#c4

Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update. Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash or hang.
Whiteboard: (none) => has_procedure
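The crash-or-hang check from the testing procedure above, as an added shell example that is not part of the original bug report. It assumes GNU coreutils `timeout`; the names `classify_run` and `scan` and the `LIMIT` and `MEM_KB` thresholds are hypothetical choices made for this sketch.

```shell
#!/bin/sh
# Added example: batch form of "run file on /usr/bin/* and ~/*; it shouldn't crash or hang".
# LIMIT and MEM_KB are constructed thresholds, not values from the bug report.
LIMIT=${LIMIT:-10}          # seconds before a run counts as a hang
MEM_KB=${MEM_KB:-1048576}   # address-space cap (KiB) so a runaway cannot exhaust the test box

# classify_run SECONDS CMD [ARGS...] -> prints ok | hang | crash:<signal> | error:<status>
classify_run() {
    limit=$1; shift
    rc=0
    # Subshell keeps the memory cap local to this run; exec preserves the exit status.
    ( ulimit -v "$MEM_KB" 2>/dev/null; exec timeout "$limit" "$@" ) >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then echo ok
    elif [ "$rc" -eq 124 ]; then echo hang                    # GNU timeout: command timed out
    elif [ "$rc" -gt 128 ]; then echo "crash:$((rc - 128))"   # command was killed by a signal
    else echo "error:$rc"
    fi
}

# scan DIR... -> runs file(1) on every regular file in each DIR, prints each hang or
# crash with the file that triggered it, and returns non-zero if there was at least one.
scan() {
    bad=0
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            result=$(classify_run "$LIMIT" file -- "$f")
            case $result in
                ok|error:*) ;;   # an ordinary non-zero exit is not a hang or crash
                *) echo "$result $f"; bad=$((bad + 1)) ;;
            esac
        done
    done
    echo "$bad problem file(s)"
    [ "$bad" -eq 0 ]
}

# Usage: sh this-script /usr/bin "$HOME"
if [ "$#" -gt 0 ]; then scan "$@"; fi
```

Running it once with the current packages and once with the packages from core/updates_testing gives a before-and-after list of files that hang or crash `file`.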
I don't know if PHP is affected. I don't see any commits upstream in PHP for this.
CC: (none) => oe
I've added an additional patch due to this follow-up message:
http://openwall.com/lists/oss-security/2014/12/16/3

We'll see if it receives a CVE too.

Updated packages in core/updates_testing:
========================
file-5.16-1.9.mga4
libmagic1-5.16-1.9.mga4
libmagic-devel-5.16-1.9.mga4
libmagic-static-devel-5.16-1.9.mga4
python-magic-5.16-1.9.mga4

from file-5.16-1.9.mga4.src.rpm
Tested successfully on Mageia 4 i586.

No PoC for the CVEs, but I did test on /usr/bin/* and ~/*. I also tested on the PoC in Comment 3, but I didn't use valgrind so there are no errors before or after the update.

I'll update the advisory if the Comment 3 one receives a CVE or if Fedora issues an advisory for this.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
And the hits just keep coming.

CVE request for more DoS issues fixed upstream in the ELF parser:
http://openwall.com/lists/oss-security/2014/12/17/1

I'll add those and rebuild the update again once CVEs are assigned.
Whiteboard: has_procedure MGA4-32-OK => has_procedure feedback
I haven't seen anything from cve-assign in quite a while. Maybe they took December off. I'll let this one go unless MITRE actually starts responding again. Also, the newest patches are significant changes and don't look easily rediffable to say the least. I'll have to see how others handle backporting those changes.
Whiteboard: has_procedure feedback => has_procedure MGA4-32-OK
Testing on Mageia4x64 real hardware

Current packages :
----------------
file-5.16-1.7.mga4.x86_64
lib64magic1-5.16-1.7.mga4.x86_64
python-magic-5.16-1.7.mga4.x86_64

Following procedure mentioned in comment 1 +
$ file /usr/bin/*
No errors, nor crashes.

PoC found in comment 3 :
$ valgrind -v file file-oob-read.jpg
which returned this error :
ERROR SUMMARY: 1 errors from 1 contexts

Updated testing packages :
------------------------
file-5.16-1.9.mga4.x86_64
lib64magic1-5.16-1.9.mga4.x86_64
python-magic-5.16-1.9.mga4.noarch

Ran same tests : all OK (including the valgrind test which did not return any error)
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
CC: (none) => olchal
David do you want to update the advisory for the extra patches?
(In reply to claire robinson from comment #8)
> David do you want to update the advisory for the extra patches?

I only added one extra patch in Comment 3, and I don't know enough to say anything about it at this time.
Thanks, uploaded as comment 0 with srpm from comment 3

Validating.

Could sysadmin please push to 4 updates

Thanks
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0537.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/627329/
(In reply to David Walser from comment #3)
> I've added an additional patch due to this follow-up message:
> http://openwall.com/lists/oss-security/2014/12/16/3
>
> We'll see if it receives a CVE too.

CVE request for this issue:
http://openwall.com/lists/oss-security/2015/02/04/12
(In reply to David Walser from comment #12)
> (In reply to David Walser from comment #3)
> > I've added an additional patch due to this follow-up message:
> > http://openwall.com/lists/oss-security/2014/12/16/3
> >
> > We'll see if it receives a CVE too.
>
> CVE request for this issue:
> http://openwall.com/lists/oss-security/2015/02/04/12

This is now CVE-2014-9652:
http://openwall.com/lists/oss-security/2015/02/05/12
(In reply to David Walser from comment #13)
> (In reply to David Walser from comment #12)
> > (In reply to David Walser from comment #3)
> > > I've added an additional patch due to this follow-up message:
> > > http://openwall.com/lists/oss-security/2014/12/16/3
> > >
> > > We'll see if it receives a CVE too.
> >
> > CVE request for this issue:
> > http://openwall.com/lists/oss-security/2015/02/04/12
>
> This is now CVE-2014-9652:
> http://openwall.com/lists/oss-security/2015/02/05/12

LWN reference:
http://lwn.net/Vulnerabilities/633839/