As was noted in the bug for our previous file update, CVEs were requested for additional DoS issues fixed upstream:
There still has been no response for the CVE request, but Debian included the fixes in their update for the CVE-2014-811 issues without waiting for the CVEs, as they noted here:
Debian backported a bunch of prerequisite commits so that they could backport the actual fixes linked in that thread. The full list of commits that they used is:
I have backported the same set of commits for Mageia 4 and Cauldron and checked it into SVN (the 2015-dos patches). The code changes are significant, but it did build. Hopefully it works.
Here is the relevant DSA:
Once CVEs are assigned, we can test these.
CVE-2014-9620 and CVE-2014-9621 have been assigned:
CVE-2014-9620 relates to the processing of ELF notes and CVE-2014-9621 (which only affects file >= 5.16) relates to the processing of long strings in ELF notes.
I actually hadn't checked the patches into SVN yet, but now they're appropriately named with the CVE numbers.
Patched packages uploaded for Mageia 4 and Cauldron.
Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update. Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash or hang.
I've verified already that it works fine in Cauldron.
Updated file packages fix security vulnerabilities:
Alexander Cherepanov reported that using the file command on a
specially-crafted ELF binary could lead to a denial of service due to
uncontrolled resource consumption while processing ELF section headers
As part of the fixes, several limits on aspects of the detection were added
or tightened, sometimes resulting in messages like "recursion limit exceeded"
or "too many program header sections".
To mitigate such shortcomings, these limits are controllable by a new -P,
--parameter option in the file program.
Updated packages in core/updates_testing:
file new DoS issues fixed upstream in 5.22 => file new DoS issues fixed upstream in 5.22 (CVE-2014-962)
Testing on Mageia4x64 real hardware, following procedure mentioned in Comment 1
From current packages:
$ file ~/*
$ file /usr/bin/*
$ file /usr/sbin/*
+ python test found in procedure.
Nothing to report
To updated testing packages:
Tested fine for me on Mageia 4 i586 using the procedures in Comment 1.
has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Testing MGA4 x64 real hardware
Olivier beat me to it! I did the same with the current packages:
$ file ~/*
$ file ~/.*
$ file /usr/bin/*
$ python test.py (Having created the script given in
All output sensible.
Updated to file-5.16-1.10.mga4, libmagic1-5.16-1.10.mga4, python-magic-5.16-1.10.mga4
All 4 tests ran similarly. OK verified.
Validating. Advisory uploaded.
Please push to 4 updates
has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
An update for this issue has been pushed to Mageia Updates repository.
The following commit has been assigned CVE-2014-9653:
https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
It was included in this update.
(In reply to David Walser from comment #7)
> The following commit has been assigned CVE-2014-9653:
> https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
> It was included in this update.
Here was the CVE assignment:
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > The following commit has been assigned CVE-2014-9653:
> > https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
> > It was included in this update.
> Here was the CVE assignment: