As was noted in the bug for our previous file update, CVEs were requested for additional DoS issues fixed upstream:
https://bugs.mageia.org/show_bug.cgi?id=14818#c5

There still has been no response for the CVE request, but Debian included the fixes in their update for the CVE-2014-811[67] issues without waiting for the CVEs, as they noted here:
http://openwall.com/lists/oss-security/2015/01/16/14

Debian backported a bunch of prerequisite commits so that they could backport the actual fixes linked in that thread. The full list of commits that they used is:
https://github.com/file/file/commit/6ce24f35cd4a43c4bdd249e8e0c4952c1f8eac67
https://github.com/file/file/commit/0056ec32255de1de973574b0300161a1568767d6
https://github.com/file/file/commit/09e41625c999a2e5b51e1092f0ef2432a99b5c33
https://github.com/file/file/commit/af444af0738468393f40f9d2261b1ea10fc4b2ba
https://github.com/file/file/commit/68bd8433c7e11a8dbe100deefdfac69138ee7cd9
https://github.com/file/file/commit/dddd3cdb95210a765dd90f7d722cb8b5534daee7
https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

I have backported the same set of commits for Mageia 4 and Cauldron and checked it into SVN (the 2015-dos patches). The code changes are significant, but it did build. Hopefully it works.

Here is the relevant DSA:
https://www.debian.org/security/2015/dsa-3121

Once CVEs are assigned, we can test these.
Whiteboard: (none) => MGA4TOO
CVE-2014-9620 and CVE-2014-9621 have been assigned:
http://openwall.com/lists/oss-security/2015/01/17/9

CVE-2014-9620 relates to the processing of ELF notes and CVE-2014-9621 (which only affects file >= 5.16) relates to the processing of long strings in ELF notes.

I actually hadn't checked the patches into SVN yet, but now they're appropriately named with the CVE numbers.

Patched packages uploaded for Mageia 4 and Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13460#c4

Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update. Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash or hang. I've verified already that it works fine in Cauldron.

Advisory:
========================

Updated file packages fix security vulnerabilities:

Alexander Cherepanov reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled resource consumption while processing ELF section headers (CVE-2014-9620, CVE-2014-9621).

As part of the fixes, several limits on aspects of the detection were added or tightened, sometimes resulting in messages like "recursion limit exceeded" or "too many program header sections".

To mitigate such shortcomings, these limits are controllable by a new -P, --parameter option in the file program.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621
http://openwall.com/lists/oss-security/2015/01/17/9
https://www.debian.org/security/2015/dsa-3121
========================

Updated packages in core/updates_testing:
========================
file-5.16-1.10.mga4
libmagic1-5.16-1.10.mga4
libmagic-devel-5.16-1.10.mga4
libmagic-static-devel-5.16-1.10.mga4
python-magic-5.16-1.10.mga4

from file-5.16-1.10.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: file new DoS issues fixed upstream in 5.22 => file new DoS issues fixed upstream in 5.22 (CVE-2014-962[01])
Whiteboard: MGA4TOO => has_procedure
Severity: normal => major
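The crash-or-hang check from the testing procedure above can be scripted so that a hang or a signal death is not lost in the "ton of output". This is an added example, not part of the bug report or the Mageia QA procedure; `scan_dir` and `FILE_LIMIT_RE` are hypothetical names, and it assumes GNU coreutils `timeout` (exit status 124 on timeout).

```bash
#!/bin/sh
# Added example: smoke-test a `file` build for hangs and crashes.
# scan_dir and FILE_LIMIT_RE are names made up for this sketch.

# Limit messages quoted in the advisory text above.
FILE_LIMIT_RE='recursion limit exceeded|too many program header sections'

# scan_dir CMD DIR [SECONDS]
# Runs CMD on every regular file in DIR under a timeout, logs each
# problem file to stderr, and prints one summary line on stdout:
#   ok=N limit=N hang=N crash=N
scan_dir() {
    cmd=$1 dir=$2 secs=${3:-10}
    ok=0 limit=0 hang=0 crash=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # "&& ... ||" keeps the status capture safe under `set -e`.
        out=$(timeout "$secs" "$cmd" -- "$f" 2>&1) && rc=0 || rc=$?
        if [ "$rc" -eq 124 ]; then
            # GNU timeout reports 124 when it had to stop the command.
            hang=$((hang + 1))
            echo "HANG  $f" >&2
        elif [ "$rc" -ge 128 ]; then
            # 128+N means the command died from signal N.
            crash=$((crash + 1))
            echo "CRASH $f (status $rc)" >&2
        elif printf '%s\n' "$out" | grep -Eq "$FILE_LIMIT_RE"; then
            # Not a failure: one of the new limits was reached.
            limit=$((limit + 1))
            echo "LIMIT $f" >&2
        else
            ok=$((ok + 1))
        fi
    done
    echo "ok=$ok limit=$limit hang=$hang crash=$crash"
}

# Typical call after sourcing this file:
#   scan_dir file /usr/bin 10
```

Running it once with the current packages and once with the packages from updates_testing gives two summary lines to compare; any non-zero `hang` or `crash` count on the updated build is a regression to report.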
Testing on Mageia4x64 real hardware, following procedure mentioned in Comment 1

From current packages :
--------------------
file-5.16-1.9.mga4
python-magic-5.16-1.9.mga4
libmagic1-5.16-1.9.mga4

$ file ~/*
$ file /usr/bin/*
$ file /usr/sbin/*
+ python test found in procedure.

Nothing to report

To updated testing packages :
---------------------------
file-5.16-1.10.mga4
python-magic-5.16-1.10.mga4
libmagic1-5.16-1.10.mga4

All OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
Tested fine for me on Mageia 4 i586 using the procedures in Comment 1.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Testing MGA4 x64 real hardware

Olivier beat me to it! I did the same with the current packages:
$ file ~/*
$ file ~/.*
$ file /usr/bin/*
$ python test.py
(Having created the script given in https://bugs.mageia.org/show_bug.cgi?id=13460#c4)
All output sensible.

Updated to file-5.16-1.10.mga4, libmagic1-5.16-1.10.mga4, python-magic-5.16-1.10.mga4
All 4 tests ran similarly. OK verified.
CC: (none) => lewyssmith
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0030.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/630069/
The following commit has been assigned CVE-2014-9653: https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f It was included in this update.
(In reply to David Walser from comment #7)
> The following commit has been assigned CVE-2014-9653:
> https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
>
> It was included in this update.

Here was the CVE assignment:
http://openwall.com/lists/oss-security/2015/02/05/13
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > The following commit has been assigned CVE-2014-9653:
> > https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
> >
> > It was included in this update.
>
> Here was the CVE assignment:
> http://openwall.com/lists/oss-security/2015/02/05/13

LWN reference:
http://lwn.net/Vulnerabilities/633829/