Bug 498682 (CVE-2009-0947, CVE-2009-0948)

Summary: CVE-2009-0947, CVE-2009-0948 file: multiple memory corruption issues
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0947
Doc Type: Bug Fix
Last Closed: 2009-05-11 15:40:30 UTC
Attachments: patch from Apple to correct the issues (flags: none)

Description Vincent Danen 2009-05-01 21:17:37 UTC
Drew Yao of Apple Product Security discovered several memory corruption issues in file 5.00 in the CDF parsing implementation.

The first is an integer overflow in cdf_read_property_info(), and the second is an integer overflow in cdf_read_sat().  Both have been assigned CVE-2009-0947.

The third issue is buffer overflows in cdf_read_sat(), cdf_read_long_sector_chain(), and cdf_read_ssat().  These issues have been assigned CVE-2009-0948.

These issues only affect file 5.00, and not earlier versions, due to introduced support for CDF (Common Document Format) files in file 5.00.  Because of this, only Fedora 11 is affected by these issues.

Comment 2 Vincent Danen 2009-05-01 21:21:52 UTC
Created attachment 342155
patch from Apple to correct the issues

This is a proposed patch from Drew Yao that corrects the issues.

Comment 4 Vincent Danen 2009-05-01 21:41:03 UTC
Upstream released 5.01:

http://mx.gw.com/pipermail/file/2009/000379.html

The announcement notes the CDF issues, but doesn't note the memory corruption issues.

The upstream author also notes:

"These were not the only memory corrupting issues; 5.01 was released
yesterday to address the ones you found and more (Such as DoS
attacks with looping sector chains)."

There are no CVEs assigned based on the upstream changelog, so I suspect this embargo will be short-lived.
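The three defect classes named in this bug (an untrusted sector count multiplied into an allocation size, sector ids used as read offsets without a bounds check, and a sector chain that loops back on itself) share one defensive shape, shown here in an added example that is not the file(1) project's code. The 32-bit sector ids and end-of-chain marker follow the CDF/OLE2 format; the 512-byte sector size, the header-less image layout, and all function and type names are assumptions for this example.

```c
/* Added example, not code from file(1): a bounds-checked, loop-detecting
 * sector-chain reader in the style of a CDF/OLE2 parser.  The 512-byte
 * sector size and header-less image layout are simplifications. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SEC_END_OF_CHAIN 0xFFFFFFFEu   /* last sector of a chain points here */
#define SEC_SIZE         512u
typedef struct {
    const uint32_t *sat;     /* sat[i] is the sector that follows sector i */
    uint32_t        nsec;    /* number of SAT entries */
    const uint8_t  *img;     /* sector data; sector i starts at i * SEC_SIZE */
    size_t          img_len; /* bytes available in img */
} cdf_t;

/* Count the sectors in the chain starting at `start`.  Returns -1 if an id
 * falls outside the SAT (this also rejects the 0xFFFFFFFF free marker) or a
 * sector repeats, i.e. a looping chain.  The count is at most nsec. */
int64_t cdf_chain_len(const cdf_t *c, uint32_t start)
{
    uint8_t *seen = calloc(c->nsec ? c->nsec : 1, 1);
    int64_t len = 0;
    if (!seen) return -1;
    for (uint32_t cur = start; cur != SEC_END_OF_CHAIN; cur = c->sat[cur]) {
        if (cur >= c->nsec || seen[cur]) { free(seen); return -1; }
        seen[cur] = 1;
        len++;
    }
    free(seen);
    return len;
}

/* Copy a whole chain into a new buffer.  The allocation size is overflow-checked
 * and every sector offset is checked against the image length before it is read. */
uint8_t *cdf_read_chain(const cdf_t *c, uint32_t start, size_t *out_len)
{
    int64_t n = cdf_chain_len(c, start);
    if (n < 0 || (uint64_t)n > SIZE_MAX / SEC_SIZE) return NULL;
    uint8_t *buf = malloc(n ? (size_t)n * SEC_SIZE : 1);
    size_t off = 0;
    if (!buf) return NULL;
    for (uint32_t cur = start; cur != SEC_END_OF_CHAIN; cur = c->sat[cur]) {
        if (((uint64_t)cur + 1) * SEC_SIZE > c->img_len) { free(buf); return NULL; }
        memcpy(buf + off, c->img + (size_t)cur * SEC_SIZE, SEC_SIZE);
        off += SEC_SIZE;
    }
    *out_len = off;
    return buf;
}
```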

Comment 5 Vincent Danen 2009-05-04 19:54:33 UTC
Upstream has released 5.02 which corrects these issues.

Comment 7 Vincent Danen 2009-05-11 15:40:30 UTC
File has been updated to 5.02 in Fedora 11, fixing these issues.