Summary: CVE-2014-2270 file: out-of-bounds access in search rules with offsets from input file
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: David Kutálek <dkutalek>
Version: unspecified
CC: carnil, dkutalek, drieden, erich, falonso, fedora, harald, jkaluza, jkurik, jorton, jrusnack, kshravag, ksrot, kwizart, mmaslano, mmcgrath, nobody+bgollahe, packaging-team-maint, pfrields, pmatilai, rcollet, security-response-team, vdanen, webstack-team
Fixed In Version: file 5.17, php 5.5.10
Doc Type: Bug Fix
A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Last Closed: 2014-10-31 09:15:01 UTC
Bug Depends On: 1073554, 1073555, 1073556, 1073557, 1094481, 1094482, 1094483, 1094484, 1114520, 1114521, 1119563, 1119564, 1120503, 1120504, 1149768
Bug Blocks: 1065838, 1072232, 1101912, 1149858
Description Murray McAllister 2014-03-04 06:50:18 UTC
A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code.

Upstream report: http://bugs.gw.com/view.php?id=313
Upstream fix: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
Comment 1 Murray McAllister 2014-03-04 06:52:02 UTC
CVE request: http://seclists.org/oss-sec/2014/q1/473
Comment 4 Murray McAllister 2014-03-04 07:41:29 UTC
Note that the arbitrary code execution impact is a guess. The issue is still being investigated.
Comment 5 Remi Collet 2014-03-04 09:13:06 UTC
Notice, this upstream patch doesn't seem correct:

    +#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))

At least, it breaks the php test suite for this extension. A better fix seems to be:

    +#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))

Under investigation...
Comment 6 Remi Collet 2014-03-04 20:00:24 UTC
Comment 7 Remi Collet 2014-03-05 06:14:22 UTC
Additional File upstream commit: https://github.com/glensc/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c
Comment 8 Vincent Danen 2014-03-05 19:07:34 UTC
CVE-2014-2270 has been assigned to this issue: http://seclists.org/oss-sec/2014/q1/504
Comment 9 Vincent Danen 2014-03-06 16:03:19 UTC
This has been corrected in upstream PHP 5.5.10:
http://www.php.net/ChangeLog-5.php#5.5.10
https://bugs.php.net/bug.php?id=66820
Comment 10 Vincent Danen 2014-03-06 16:55:19 UTC
At a quick glance, this looks to be applicable to even file 4.10, so this should affect pretty much everything we ship. I don't know how likely it is that file would be used on a Windows Portable Executable (PE) file but in mixed environments (or with something like clamav, etc.) I suppose it's possible that these types of files may be processed by PHP or file.
Comment 11 Vincent Danen 2014-03-06 17:06:58 UTC
Also, for Fedora, it looks like sleuthkit might embed file:

sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz: sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/softmagic.c

The spec file has a requires on file, but no buildrequires on file-devel. I've not had an opportunity to look closer to see exactly what that means.
Comment 14 Vincent Danen 2014-03-06 17:09:03 UTC
Created php tracking bugs for this issue: Affects: fedora-all [bug 1073557]
Comment 15 Vincent Danen 2014-03-06 17:09:08 UTC
Created file tracking bugs for this issue: Affects: fedora-all [bug 1073555]
Comment 16 Fedora Update System 2014-03-12 12:30:58 UTC
file-5.14-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Tomas Hoger 2014-03-24 20:39:52 UTC
(In reply to Vincent Danen from comment #11)
> Also, for Fedora, it looks like sleuthkit might embed file:
>
> sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz:
> sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/softmagic.c

The code is not built, hence Fedora sleuthkit is not affected.
Comment 20 Tomas Hoger 2014-03-25 20:41:41 UTC
This issue is not specific to PE parsing and is related to how file handles offsets read from the file in "search" type rules. This problem is exposed by PE parsing rules in the default magic file.

In mget(), when processing a rule using a 32bit offset read from the file, it is possible to have offset set to 0xffffffff. In the call to mcopy(), ms->search is set up for "search" rules, with ms->search.s pointing out of bounds. Back in mget(), the subsequent check to see if there is enough data for "search" rules is:

    (nbytes < (offset + m->vallen))

This check is bypassed, as offset is 32bit, causing this addition to wrap around. Out of bounds access occurs when file tries to compare the data pointed to by ms->search.s with the pattern specified in the magic file.

There is a difference between 32bit and 64bit systems. ms->search.s is set using:

    ms->search.s = RCAST(const char *, s) + offset;

On 32bit systems, this also wraps, causing ms->search.s to point to memory a little before s, accessible memory, avoiding the crash. On 64bit systems, ms->search.s is likely to point to unmapped memory, leading to a crash.

The impact of this issue is limited to a crash, or an unlikely, limited information leak (a test of whether memory at a fixed offset from the memory holding the input contains a specific string from a magic file rule).
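The 32bit wraparound that comment 20 describes, and the two OFFSET_OOB variants from comment 5, modelled in a small added C example (this is not file's source; the field types, the 64-byte buffer and the sample address are assumptions):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added model, not file's code: nbytes = input bytes available, offset = the
 * 32-bit offset read from the input, vallen = pattern length from the magic
 * rule (assumed uint8_t here). */

/* First upstream macro (comment 5: breaks the PHP test suite) ... */
#define OFFSET_OOB_STRICT(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
/* ... and the corrected form proposed in the same comment. */
#define OFFSET_OOB(n, o, i)        ((n) < (o) || (i) > ((n) - (o)))

/* Original check from mget(): returns 1 when the rule may proceed. The sum is
 * 32-bit unsigned, so 0xffffffff + 4 wraps to 3 and nothing is rejected. */
static int old_check_allows(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return !(nbytes < (offset + vallen));
}

static int strict_oob(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return OFFSET_OOB_STRICT(nbytes, (size_t)offset, (size_t)vallen);
}

static int fixed_oob(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return OFFSET_OOB(nbytes, (size_t)offset, (size_t)vallen);
}

/* Where ms->search.s = s + offset lands for a 32- or 64-bit pointer width,
 * as the signed distance from s (-1 on 32-bit, 4 GiB ahead on 64-bit). */
static int64_t search_ptr_delta(uint64_t s, uint32_t offset, int ptr_bits)
{
    uint64_t mask = (ptr_bits == 32) ? 0xffffffffULL : ~0ULL;
    uint64_t dst = (s + offset) & mask;
    return (int64_t)(dst - s);
}

int main(void)
{
    size_t n = 64; /* constructed sample: a 64-byte input buffer */
    printf("offset 0xffffffff: old check allows=%d, fixed says oob=%d\n",
           old_check_allows(n, 0xffffffffu, 4), fixed_oob(n, 0xffffffffu, 4));
    printf("offset 60, 4-byte pattern fits exactly: strict oob=%d, fixed oob=%d\n",
           strict_oob(n, 60, 4), fixed_oob(n, 60, 4));
    printf("32-bit delta=%lld, 64-bit delta=%lld\n",
           (long long)search_ptr_delta(0x08049000ULL, 0xffffffffu, 32),
           (long long)search_ptr_delta(0x08049000ULL, 0xffffffffu, 64));
    return 0;
}
```

The second printf shows why the `>=` variant breaks the test suite: a pattern that ends exactly at the end of the buffer is valid data, yet the strict macro rejects it while the corrected one accepts it.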
Comment 28 Fedora Update System 2014-03-27 04:47:44 UTC
file-5.11-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 43 Huzaifa S. Sidhpurwala 2014-07-18 05:25:33 UTC
Statement: This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
Comment 44 Martin Prpič 2014-07-28 11:12:39 UTC
IssueDescription: A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Comment 45 errata-xmlrpc 2014-08-06 05:15:20 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
Comment 47 errata-xmlrpc 2014-10-14 08:29:30 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
Comment 48 errata-xmlrpc 2014-10-30 19:47:25 UTC
This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html