Bug 497913 (CVE-2009-1515)

Summary: CVE-2009-1515 file: heap-based buffer overflow in cdf_read_sat()
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: dnovotny, jbj, mbacovsk
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2009-06-16 07:02:04 UTC

Description Vincent Danen 2009-04-27 20:28:45 UTC
A bug reported to Debian [1] affects file 5.x which is only available in the forthcoming Fedora 11.  When running file on an MSI file, file crashes.  The following link causes a crash with file 5.x: http://www.python.org/ftp/python/2.6.2/python-2.6.2.msi.  Tested with file 4.x on Fedora 10, RHEL5, and RHEL4 and the file is properly identified.

% file python-2.6.2.msi 
*** glibc detected *** file: munmap_chunk(): invalid pointer: 0x0000000001a8cf50 ***

There is currently no patch to correct the issue that I can find.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525820

Comment 1 Daniel Novotny 2009-04-28 08:58:16 UTC
hello,
I have reported the issue to file upstream

Comment 2 Vincent Danen 2009-05-01 23:22:46 UTC
Secunia has issued an advisory about this: http://secunia.com/advisories/34881/

Comment 3 Vincent Danen 2009-05-04 19:28:28 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1515 to the following vulnerability:

Name: CVE-2009-1515
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1515
Assigned: 20090504
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515603
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525820
Reference: CONFIRM: ftp://ftp.astron.com/pub/file/file-5.01.tar.gz
Reference: BID:34745
Reference: URL: http://www.securityfocus.com/bid/34745
Reference: OSVDB:54100
Reference: URL: http://www.osvdb.org/54100
Reference: SECUNIA:34881
Reference: URL: http://secunia.com/advisories/34881

Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file. NOTE: some of these details are obtained from third party information.


Despite the allusion to it above, file 5.01 does *not* fix what the python.msi file breaks.
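
The CVE text above describes a heap overflow triggered while file reads the sector allocation table (SAT) of a crafted compound document. The following is an added example, not code from the file(1) project or from cdf.c: a bounds-checked reader for the CDF/OLE2 header that validates the declared SAT sector count and the header's DIFAT entries against the actual input length before any allocation or sector read is planned. The field offsets (sector shift at 30, SAT sector count at 44, 109 DIFAT entries from 76) follow the public MS-CFB header layout; the function names and the sample headers built by cdf_build_sample are constructed for this example.

```c
/* Added example (not file(1) code): size-validate a CDF/OLE2 compound
 * document header before trusting its SAT sector count. Offsets follow
 * the public MS-CFB header layout; the samples below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CDF_HEADER_LEN      512
#define CDF_DIFAT_IN_HEADER 109
#define CDF_FREE_SECTOR     0xFFFFFFFFu

static const uint8_t cdf_magic[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

struct cdf_sat_plan {
    uint32_t sector_size;  /* bytes per sector, from the header's sector shift */
    uint32_t sat_sectors;  /* SAT sector count declared in the header */
    size_t   sat_bytes;    /* bytes a reader may safely allocate for the SAT */
};

/* Returns 0 and fills *plan when the header is internally consistent with
 * the input length; returns a negative code naming the failed check. */
int cdf_plan_sat(const uint8_t *buf, size_t len, struct cdf_sat_plan *plan)
{
    if (len < CDF_HEADER_LEN) return -1;                          /* truncated header */
    if (memcmp(buf, cdf_magic, sizeof cdf_magic) != 0) return -2; /* not a compound document */

    uint16_t shift = rd16(buf + 30);
    if (shift < 7 || shift > 12) return -3;                       /* 128..4096-byte sectors only */
    uint32_t sector_size = 1u << shift;
    if (len < sector_size) return -1;                             /* header sector itself is short */

    /* Sector n lives at offset (n + 1) * sector_size, so the body holds this many sectors. */
    size_t body_sectors = len / sector_size - 1;

    uint32_t sat_sectors = rd32(buf + 44);
    if (sat_sectors == 0) return -4;
    if (sat_sectors > body_sectors) return -5;                    /* count cannot exceed the file */

    /* The first 109 SAT sector ids are in the header's DIFAT; each used one
     * must point inside the file. Ids beyond 109 live in DIFAT sectors and
     * would need the same check when that chain is followed. */
    uint32_t in_header = sat_sectors < CDF_DIFAT_IN_HEADER ? sat_sectors : CDF_DIFAT_IN_HEADER;
    for (uint32_t i = 0; i < in_header; i++) {
        uint32_t sec = rd32(buf + 76 + 4 * i);
        if (sec == CDF_FREE_SECTOR || sec >= body_sectors) return -6;
    }

    /* sat_sectors <= body_sectors and sector_size <= 4096, so this cannot overflow. */
    plan->sector_size = sector_size;
    plan->sat_sectors = sat_sectors;
    plan->sat_bytes   = (size_t)sat_sectors * sector_size;
    return 0;
}

/* Constructed sample: a 512-byte header plus one 512-byte sector (1024 bytes).
 * sat_sectors and first_sat are written into the header unchecked so that
 * callers can build both well-formed and hostile headers. */
size_t cdf_build_sample(uint8_t *out, size_t cap, uint32_t sat_sectors, uint32_t first_sat)
{
    const size_t total = 1024;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, cdf_magic, sizeof cdf_magic);
    out[30] = 9; out[31] = 0;                                     /* sector shift 9 -> 512 bytes */
    wr32(out + 44, sat_sectors);
    for (uint32_t i = 0; i < CDF_DIFAT_IN_HEADER; i++) wr32(out + 76 + 4 * i, CDF_FREE_SECTOR);
    wr32(out + 76, first_sat);
    return total;
}

int main(void)
{
    uint8_t buf[1024];
    struct cdf_sat_plan p;
    cdf_build_sample(buf, sizeof buf, 1, 0);
    printf("well-formed header: rc=%d sat_bytes=%zu\n", cdf_plan_sat(buf, sizeof buf, &p), p.sat_bytes);
    cdf_build_sample(buf, sizeof buf, 0xFFFFFFFFu, 0);
    printf("oversized SAT count: rc=%d\n", cdf_plan_sat(buf, sizeof buf, &p));
    return 0;
}
```

The point of the example is that the allocation size is derived only after the declared count has been bounded by the input length, so a header claiming billions of SAT sectors is rejected with a return code instead of driving an undersized or oversized heap allocation.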

Comment 4 Vincent Danen 2009-05-04 19:45:09 UTC
file 5.02 which was released today corrects the issue:

~/Download/tmp/file-5.02/src/ >% ./file --magic=../magic/magic.mgc ~/Desktop/python-2.6.2.msi       
/home/vdanen/Desktop/python-2.6.2.msi: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Title: Installation Database, Subject: Python 2.6.2, Author: Python Software Foundation, Template: Intel;1033, Revision Number: {7D2E52BC-98BB-493F-BC14-CFF942D2FB84}, Number of Words: 2, Number of Pages: 200, Name of Creating Application: Python MSI Library
~/Download/tmp/file-5.02/src/ >% ./file --magic=../magic/magic.mgc --version                 
lt-file-5.02
magic file from ../magic/magic.mgc

Comment 5 Daniel Novotny 2009-05-05 09:58:38 UTC
Hello,
I updated to 5.02 in rawhide (F12).
F11 is under development freeze right now, so I cannot put the new version there...

Comment 6 Vincent Danen 2009-05-05 16:47:00 UTC
Hi, Daniel.  I just got the go-ahead from Jesse so you can push this for F11 despite the freeze.  If you could do that, that would be fantastic.

Thanks!

Comment 7 Daniel Novotny 2009-05-06 09:19:10 UTC
OK, built and filed a ticket in releng trac
( https://fedorahosted.org/rel-eng/ticket/1740 )

Comment 8 Daniel Novotny 2009-05-06 12:33:05 UTC
file-5.02-1.fc11 was successfully tagged into f11-final

Comment 9 Vincent Danen 2009-05-11 15:37:28 UTC
Sorry, Daniel, but 5.03 is out now with more CDF-related security fixes:

http://mx.gw.com/pipermail/file/2009/000383.html

There is no CVE name as of yet.

Comment 10 Daniel Novotny 2009-05-12 10:31:53 UTC
(In reply to comment #9)
> Sorry, Daniel, but 5.03 is out now with more CDF-related security fixes:
OK, requested dist-f11 tag
https://fedorahosted.org/rel-eng/ticket/1785

(F12 already done yesterday)

Comment 11 Daniel Novotny 2009-05-13 08:26:43 UTC
file-5.03-1.fc11 successfully tagged into f11-final