Bug 1128587 (CVE-2014-3587)

Summary: CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
Product: [Other] Security Response Reporter: Francisco Alonso <falonso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, jkaluza, jorton, jrusnack, mmaslano, rcollet, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.5.16, php 5.4.32 Doc Type: Bug Fix
Doc Text:
It was found that the fix for CVE-2012-1571 was incomplete; the File Information (fileinfo) extension did not correctly parse certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-11 06:48:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1114521, 1132787, 1132788, 1140017, 1140023, 1140026, 1140027, 1149768, 1149774, 1238984, 1238985, 1284826    
Bug Blocks: 1128588, 1138881, 1149858, 1210268, 1278736    

Description Francisco Alonso 2014-08-11 07:25:32 UTC 
A flaw was found in the way file uses cdf_read_property_info function when checks stream offsets for certain Composite Document Format (CDF).An insufficient input validation flaw for p and q minimal and maximal value, leads to a pointer overflow.This issue only affects 32bit systems.

771	cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h
..
835	q = (const uint8_t *)(const void *)
836	    ((const char *)(const void *)p + ofs
837	    - 2 * sizeof(uint32_t));
838		if (q > e) {
839	DPRINTF(("Ran of the end %p > %p\n", q, e));
840 	goto out;
841 	}

Upstream commit:
https://github.com/file/file/commit/0641e56be1af003aa02c7c6b0184466540637233
Comment 1 Murray McAllister 2014-08-22 04:10:47 UTC 
This issue is public:

http://lwn.net/Vulnerabilities/609180/
Comment 2 Murray McAllister 2014-08-22 04:11:48 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1132788]
Comment 3 Murray McAllister 2014-08-22 04:11:52 UTC 
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1132787]
Comment 4 Vincent Danen 2014-08-22 18:54:23 UTC 
This is corrected in upstream PHP 5.5.16:

http://php.net/ChangeLog-5.php#5.5.16
Comment 5 Fedora Update System 2014-08-24 02:56:00 UTC 
file-5.19-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-09-02 06:40:45 UTC 
php-5.5.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-09-02 06:47:50 UTC 
php-5.5.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Remi Collet 2014-09-11 05:59:45 UTC 
PHP commit: 
http://git.php.net/?p=php-src.git;a=patch;h=7ba1409a1aee5925180de546057ddd84ff267947
Comment 13 Francisco Alonso 2014-09-19 09:44:48 UTC 
Statement:

This issue did not affect the php and the file packages as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of file as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 14 Martin Prpič 2014-09-25 12:13:12 UTC 
IssueDescription:

It was found that the fix for CVE-2012-1571 was incomplete; the File Information (fileinfo) extension did not correctly parse certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
Comment 15 errata-xmlrpc 2014-09-30 05:15:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html
Comment 16 errata-xmlrpc 2014-09-30 09:10:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
Comment 19 errata-xmlrpc 2014-10-30 19:46:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
Comment 20 errata-xmlrpc 2014-10-30 19:48:22 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
Comment 24 errata-xmlrpc 2015-11-19 08:09:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2155 https://rhn.redhat.com/errata/RHSA-2015-2155.html
Comment 26 errata-xmlrpc 2016-05-10 19:46:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0760 https://rhn.redhat.com/errata/RHSA-2016-0760.html