Bug 1065836 (CVE-2014-1943)
Summary: | CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | btotty, csutherl, dkutalek, drieden, falonso, fedora, harald, huzaifas, jkaluza, jkurik, jorton, jrusnack, kshravag, ksrot, mmaslano, mmcgrath, nobody+bgollahe, packaging-team-maint, pfrields, pmatilai, rcollet, security-response-team, szidek, vdanen, vg.aetera, webstack-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | file 5.17, php 5.5.10 | Doc Type: | Bug Fix |
Doc Text: |
A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-10-31 09:10:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1065837, 1066563, 1066565, 1066568, 1114520, 1114521, 1119563, 1119564, 1120503, 1120504, 1149768 | ||
Bug Blocks: | 1065838, 1101912, 1149858 |
Description
Murray McAllister
2014-02-17 05:58:09 UTC
It was noted that this issue was introduced in November 2008: http://mx.gw.com/pipermail/file/2014/001330.html The version of file as shipped in Fedora is affected. From very brief testing and code inspection the version in Red Hat Enterprise Linux 6 appears to be too old to be affected by this issue. Investigation on-going. Created file tracking bugs for this issue: Affects: fedora-all [bug 1065837] Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012 notes some versions of PHP have an internal copy of libmagic. I tested with PHP version 5.5.8 on Fedora 20, and the issue presents there. The backtrace was full of file_softmagic() calls (from /usr/lib64/php/modules/fileinfo.so), and strace did not reveal it trying to use the system version from file-libs (libmagic.so). (In reply to Murray McAllister from comment #5) > Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html Actually, isn't that what Christos did in the commit https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 linked in the Description of this bug (Comment 0)? This email has been sent on Feb 12 and Christos committed this the very same day (and it does what's described in the email above). If I'm right, it should be fixed completely in File github repo. PHP commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c Follow up commit correcting memory leak: http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007 file-5.14-15.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. Upstream (file) commit which fix the memory leak: https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9 file-5.11-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. This has been corrected in upstream PHP 5.5.10: http://www.php.net/ChangeLog-5.php#5.5.10 https://bugs.php.net/bug.php?id=66731 file was fixed upstream in version 5.17. Note that upstream mailing list announcement initially incorrectly announced that version as 5.18: http://mx.gw.com/pipermail/file/2014/001340.html http://mx.gw.com/pipermail/file/2014/001341.html This issue affects file versions 5.00 and later. 5.00 is the version that introduced the support for "indirect" type test: http://mx.gw.com/pipermail/file/2009/000311.html A reproducer that was posted to the upstream list only affects versions 5.12 and later, when additional tests using "indirect" were added that trigger infinite recursion on the publicly posted test case: https://github.com/file/file/commit/918400e In previous version, the default magic file does not contain test that triggers infinite recursion. It is possible to trigger deep recursion with sufficiently large file. This issue can cause an application using libmagic to crash when exhausting all stack memory. This also triggers high CPU usage before all stack memory is exhausted. This does not lead to code execution. (In reply to Tomas Hoger from comment #28) > This issue affects file versions 5.00 and later. 5.00 is the version that > introduced the support for "indirect" type test Overview of file versions embedded in selected PHP versions: PHP 5.3.3 - file 5.03 PHP 5.4.16 - file 5.14 PHP 5.5.6 - file 5.14 Statement: This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7. IssueDescription: A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html |