Bug 1065836 (CVE-2014-1943)

Summary: CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: btotty, csutherl, dkutalek, drieden, falonso, fedora, harald, huzaifas, jkaluza, jkurik, jorton, jrusnack, kshravag, ksrot, mmaslano, mmcgrath, nobody+bgollahe, packaging-team-maint, pfrields, pmatilai, rcollet, security-response-team, szidek, vdanen, vg.aetera, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: file 5.17, php 5.5.10 Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-31 09:10:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1065837, 1066563, 1066565, 1066568, 1114520, 1114521, 1119563, 1119564, 1120503, 1120504, 1149768    
Bug Blocks: 1065838, 1101912, 1149858    

Description Murray McAllister 2014-02-17 05:58:09 UTC 
A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/file/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/file/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
https://github.com/file/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html
Comment 1 Murray McAllister 2014-02-17 05:59:34 UTC 
It was noted that this issue was introduced in November 2008:

http://mx.gw.com/pipermail/file/2014/001330.html

The version of file as shipped in Fedora is affected.

From very brief testing and code inspection the version in Red Hat Enterprise Linux 6 appears to be too old to be affected by this issue. Investigation on-going.
Comment 2 Murray McAllister 2014-02-17 06:00:21 UTC 
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1065837]
Comment 5 Murray McAllister 2014-02-17 06:42:40 UTC 
Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html
Comment 9 Murray McAllister 2014-02-18 06:02:26 UTC 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012 notes some versions of PHP have an internal copy of libmagic.

I tested with PHP version 5.5.8 on Fedora 20, and the issue presents there. The backtrace was full of file_softmagic() calls (from /usr/lib64/php/modules/fileinfo.so), and strace did not reveal it trying to use the system version from file-libs (libmagic.so).
Comment 10 Jan Kaluža 2014-02-18 08:04:20 UTC 
(In reply to Murray McAllister from comment #5)
> Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html

Actually, isn't that what Christos did in the commit https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 linked in the Description of this bug (Comment 0)?

This email has been sent on Feb 12 and Christos committed this the very same day (and it does what's described in the email above). If I'm right, it should be fixed completely in File github repo.
Comment 17 Tomas Hoger 2014-02-21 10:28:49 UTC 
PHP commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c

Follow up commit correcting memory leak:
http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007
Comment 18 Fedora Update System 2014-02-23 08:37:53 UTC 
file-5.14-15.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Remi Collet 2014-02-23 09:40:50 UTC 
Upstream (file) commit which fix the memory leak:
https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9
Comment 25 Fedora Update System 2014-03-04 06:43:53 UTC 
file-5.11-12.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Vincent Danen 2014-03-06 16:01:45 UTC 
This has been corrected in upstream PHP 5.5.10:

http://www.php.net/ChangeLog-5.php#5.5.10
https://bugs.php.net/bug.php?id=66731
Comment 27 Tomas Hoger 2014-03-06 20:57:44 UTC 
file was fixed upstream in version 5.17.  Note that upstream mailing list announcement initially incorrectly announced that version as 5.18:

http://mx.gw.com/pipermail/file/2014/001340.html
http://mx.gw.com/pipermail/file/2014/001341.html
Comment 28 Tomas Hoger 2014-03-14 15:51:32 UTC 
This issue affects file versions 5.00 and later.  5.00 is the version that introduced the support for "indirect" type test:

http://mx.gw.com/pipermail/file/2009/000311.html

A reproducer that was posted to the upstream list only affects versions 5.12 and later, when additional tests using "indirect" were added that trigger infinite recursion on the publicly posted test case:

https://github.com/file/file/commit/918400e

In previous version, the default magic file does not contain test that triggers infinite recursion.  It is possible to trigger deep recursion with sufficiently large file.

This issue can cause an application using libmagic to crash when exhausting all stack memory.  This also triggers high CPU usage before all stack memory is exhausted.  This does not lead to code execution.
Comment 32 Tomas Hoger 2014-03-18 12:05:37 UTC 
(In reply to Tomas Hoger from comment #28)
> This issue affects file versions 5.00 and later.  5.00 is the version that
> introduced the support for "indirect" type test

Overview of file versions embedded in selected PHP versions:

PHP 5.3.3  - file 5.03
PHP 5.4.16 - file 5.14
PHP 5.5.6  - file 5.14
Comment 51 Huzaifa S. Sidhpurwala 2014-07-18 05:25:11 UTC 
Statement:

This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
Comment 52 Martin Prpič 2014-07-28 11:12:30 UTC 
IssueDescription:

A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Comment 56 errata-xmlrpc 2014-08-06 05:15:15 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
Comment 60 errata-xmlrpc 2014-10-14 08:29:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
Comment 61 errata-xmlrpc 2014-10-30 19:47:21 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html