Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules|
|Product:||[Other] Security Response||Reporter:||Murray McAllister <mmcallis>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||arcfi, bgollahe, btotty, csutherl, dkutalek, drieden, falonso, fedora, harald, huzaifas, jkaluza, jkurik, jorton, jrusnack, kshravag, ksrot, mmaslano, mmcgrath, packaging-team-maint, pfrields, pmatilai, rcollet, security-response-team, szidek, vdanen, webstack-team|
|Fixed In Version:||file 5.17, php 5.5.10||Doc Type:||Bug Fix|
A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
|Last Closed:||2014-10-31 05:10:13 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1065837, 1066563, 1066565, 1066568, 1114520, 1114521, 1119563, 1119564, 1120503, 1120504, 1149768|
|Bug Blocks:||1065838, 1101912, 1149858|
Description Murray McAllister 2014-02-17 00:58:09 EST
A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code. Upstream fixes: https://github.com/file/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f https://github.com/file/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 https://github.com/file/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe Original report: http://mx.gw.com/pipermail/file/2014/001327.html
Comment 1 Murray McAllister 2014-02-17 00:59:34 EST
It was noted that this issue was introduced in November 2008: http://mx.gw.com/pipermail/file/2014/001330.html The version of file as shipped in Fedora is affected. From very brief testing and code inspection the version in Red Hat Enterprise Linux 6 appears to be too old to be affected by this issue. Investigation on-going.
Comment 2 Murray McAllister 2014-02-17 01:00:21 EST
Created file tracking bugs for this issue: Affects: fedora-all [bug 1065837]
Comment 5 Murray McAllister 2014-02-17 01:42:40 EST
Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html
Comment 9 Murray McAllister 2014-02-18 01:02:26 EST
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012 notes some versions of PHP have an internal copy of libmagic. I tested with PHP version 5.5.8 on Fedora 20, and the issue presents there. The backtrace was full of file_softmagic() calls (from /usr/lib64/php/modules/fileinfo.so), and strace did not reveal it trying to use the system version from file-libs (libmagic.so).
Comment 10 Jan Kaluža 2014-02-18 03:04:20 EST
(In reply to Murray McAllister from comment #5) > Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html Actually, isn't that what Christos did in the commit https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 linked in the Description of this bug (Comment 0)? This email has been sent on Feb 12 and Christos committed this the very same day (and it does what's described in the email above). If I'm right, it should be fixed completely in File github repo.
Comment 17 Tomas Hoger 2014-02-21 05:28:49 EST
PHP commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c Follow up commit correcting memory leak: http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007
Comment 18 Fedora Update System 2014-02-23 03:37:53 EST
file-5.14-15.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Remi Collet 2014-02-23 04:40:50 EST
Upstream (file) commit which fix the memory leak: https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9
Comment 25 Fedora Update System 2014-03-04 01:43:53 EST
file-5.11-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Vincent Danen 2014-03-06 11:01:45 EST
This has been corrected in upstream PHP 5.5.10: http://www.php.net/ChangeLog-5.php#5.5.10 https://bugs.php.net/bug.php?id=66731
Comment 27 Tomas Hoger 2014-03-06 15:57:44 EST
file was fixed upstream in version 5.17. Note that upstream mailing list announcement initially incorrectly announced that version as 5.18: http://mx.gw.com/pipermail/file/2014/001340.html http://mx.gw.com/pipermail/file/2014/001341.html
Comment 28 Tomas Hoger 2014-03-14 11:51:32 EDT
This issue affects file versions 5.00 and later. 5.00 is the version that introduced the support for "indirect" type test: http://mx.gw.com/pipermail/file/2009/000311.html A reproducer that was posted to the upstream list only affects versions 5.12 and later, when additional tests using "indirect" were added that trigger infinite recursion on the publicly posted test case: https://github.com/file/file/commit/918400e In previous version, the default magic file does not contain test that triggers infinite recursion. It is possible to trigger deep recursion with sufficiently large file. This issue can cause an application using libmagic to crash when exhausting all stack memory. This also triggers high CPU usage before all stack memory is exhausted. This does not lead to code execution.
Comment 32 Tomas Hoger 2014-03-18 08:05:37 EDT
(In reply to Tomas Hoger from comment #28) > This issue affects file versions 5.00 and later. 5.00 is the version that > introduced the support for "indirect" type test Overview of file versions embedded in selected PHP versions: PHP 5.3.3 - file 5.03 PHP 5.4.16 - file 5.14 PHP 5.5.6 - file 5.14
Comment 51 Huzaifa S. Sidhpurwala 2014-07-18 01:25:11 EDT
Statement: This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
Comment 52 Martin Prpic 2014-07-28 07:12:30 EDT
IssueDescription: A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Comment 56 errata-xmlrpc 2014-08-06 01:15:15 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
Comment 60 errata-xmlrpc 2014-10-14 04:29:22 EDT
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
Comment 61 errata-xmlrpc 2014-10-30 15:47:21 EDT
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html