Bug 1065836 (CVE-2014-1943) - CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
Summary: CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1943
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1065837 1066563 1066565 1066568 1114520 1114521 1119563 1119564 1120503 1120504 1149768
Blocks: 1065838 1101912 1149858
Reported: 2014-02-17 05:58 UTC by Murray McAllister
Modified: 2021-02-17 06:52 UTC (History)

Fixed In Version: file 5.17, php 5.5.10
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Clone Of:
Environment:
Last Closed: 2014-10-31 09:10:13 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1012 0 normal SHIPPED_LIVE Moderate: php53 and php security update 2014-08-06 09:14:44 UTC
Red Hat Product Errata RHSA-2014:1606 0 normal SHIPPED_LIVE Moderate: file security and bug fix update 2014-10-14 01:39:32 UTC
Red Hat Product Errata RHSA-2014:1765 0 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC

Description Murray McAllister 2014-02-17 05:58:09 UTC
A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/file/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/file/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
https://github.com/file/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html

Comment 1 Murray McAllister 2014-02-17 05:59:34 UTC
It was noted that this issue was introduced in November 2008:

http://mx.gw.com/pipermail/file/2014/001330.html

The version of file as shipped in Fedora is affected.

From very brief testing and code inspection the version in Red Hat Enterprise Linux 6 appears to be too old to be affected by this issue. Investigation on-going.

Comment 2 Murray McAllister 2014-02-17 06:00:21 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1065837]

Comment 5 Murray McAllister 2014-02-17 06:42:40 UTC
Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html

Comment 9 Murray McAllister 2014-02-18 06:02:26 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012 notes some versions of PHP have an internal copy of libmagic.

I tested with PHP version 5.5.8 on Fedora 20, and the issue presents there. The backtrace was full of file_softmagic() calls (from /usr/lib64/php/modules/fileinfo.so), and strace did not reveal it trying to use the system version from file-libs (libmagic.so).

Comment 10 Jan Kaluža 2014-02-18 08:04:20 UTC
(In reply to Murray McAllister from comment #5)
> Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html

Actually, isn't that what Christos did in the commit https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 linked in the Description of this bug (Comment 0)?

This email was sent on Feb 12 and Christos committed this the very same day (and it does what's described in the email above). If I'm right, it should be fixed completely in the File github repo.

Comment 17 Tomas Hoger 2014-02-21 10:28:49 UTC
PHP commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c

Follow up commit correcting memory leak:
http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007

Comment 18 Fedora Update System 2014-02-23 08:37:53 UTC
file-5.14-15.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Remi Collet 2014-02-23 09:40:50 UTC
Upstream (file) commit which fixes the memory leak:
https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9

Comment 25 Fedora Update System 2014-03-04 06:43:53 UTC
file-5.11-12.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Vincent Danen 2014-03-06 16:01:45 UTC
This has been corrected in upstream PHP 5.5.10:

http://www.php.net/ChangeLog-5.php#5.5.10
https://bugs.php.net/bug.php?id=66731

Comment 27 Tomas Hoger 2014-03-06 20:57:44 UTC
file was fixed upstream in version 5.17.  Note that the upstream mailing list announcement initially incorrectly announced that version as 5.18:

http://mx.gw.com/pipermail/file/2014/001340.html
http://mx.gw.com/pipermail/file/2014/001341.html

Comment 28 Tomas Hoger 2014-03-14 15:51:32 UTC
This issue affects file versions 5.00 and later.  5.00 is the version that introduced the support for "indirect" type test:

http://mx.gw.com/pipermail/file/2009/000311.html

A reproducer that was posted to the upstream list only affects versions 5.12 and later, when additional tests using "indirect" were added that trigger infinite recursion on the publicly posted test case:

https://github.com/file/file/commit/918400e

In previous versions, the default magic file does not contain a test that triggers infinite recursion.  It is possible to trigger deep recursion with a sufficiently large file.

This issue can cause an application using libmagic to crash when exhausting all stack memory.  This also triggers high CPU usage before all stack memory is exhausted.  This does not lead to code execution.
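
The failure mode described in the comment above, as an added illustration that is not code from the file project, PHP, or this bug: a toy rule evaluator in which an "indirect" rule re-runs the whole rule set at a base offset read from the input itself, with the nesting depth bounded so that a self-referencing or cyclic input yields an error instead of recursing until the stack is exhausted. The rule format, the depth cap MAX_INDIR_DEPTH, and the sample inputs are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy model of libmagic-style indirect tests (not file's real rule
 * format or code): an indirect rule re-runs the whole rule set at a new base
 * offset read from the input itself (here, the byte after the magic), so input
 * that points back at an earlier base recurses until the depth cap stops it. */
#define MAX_INDIR_DEPTH 8   /* assumed cap; the value is illustrative */

struct rule {
    size_t offset;    /* byte offset relative to the current base */
    uint8_t value;    /* byte expected at that offset */
    int indirect;     /* 1: re-evaluate all rules at base = data[base + 1] */
};

static const struct rule RULES[] = {
    { 0, 'M', 1 },    /* "container" whose next byte names the inner base */
    { 0, 'Z', 0 },    /* plain leaf type */
};

/* Returns the number of matched rules, or -1 when indirect nesting exceeds
 * MAX_INDIR_DEPTH (self-referencing or absurdly deep input). */
int eval_rules(const uint8_t *data, size_t len, size_t base, int depth)
{
    if (depth > MAX_INDIR_DEPTH)
        return -1;                  /* report an error instead of exhausting the stack */
    int matched = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct rule *r = &RULES[i];
        if (base + r->offset >= len || data[base + r->offset] != r->value)
            continue;
        matched++;
        if (r->indirect && base + 1 < len) {
            int sub = eval_rules(data, len, data[base + 1], depth + 1);
            if (sub < 0)
                return -1;          /* propagate: the whole match fails */
            matched += sub;
        }
    }
    return matched;
}

int classify(const uint8_t *data, size_t len) { return eval_rules(data, len, 0, 0); }

/* Constructed sample inputs. */
static const uint8_t SAMPLE_LEAF[]   = { 'Z' };             /* leaf only: 1 match */
static const uint8_t SAMPLE_NESTED[] = { 'M', 2, 'Z' };     /* 0 -> 2 -> leaf: 2 matches */
static const uint8_t SAMPLE_SELF[]   = { 'M', 0 };          /* 0 -> 0 forever: -1 */
static const uint8_t SAMPLE_CYCLE[]  = { 'M', 2, 'M', 0 };  /* 0 -> 2 -> 0: -1 */
```

Without the depth check, SAMPLE_SELF and SAMPLE_CYCLE would drive eval_rules into unbounded recursion, which is the crash-by-stack-exhaustion and CPU-spin behaviour this bug describes.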

Comment 32 Tomas Hoger 2014-03-18 12:05:37 UTC
(In reply to Tomas Hoger from comment #28)
> This issue affects file versions 5.00 and later.  5.00 is the version that
> introduced the support for "indirect" type test

Overview of file versions embedded in selected PHP versions:

PHP 5.3.3  - file 5.03
PHP 5.4.16 - file 5.14
PHP 5.5.6  - file 5.14

Comment 51 Huzaifa S. Sidhpurwala 2014-07-18 05:25:11 UTC
Statement:

This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.

Comment 52 Martin Prpič 2014-07-28 11:12:30 UTC
IssueDescription:

A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.

Comment 56 errata-xmlrpc 2014-08-06 05:15:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html

Comment 60 errata-xmlrpc 2014-10-14 08:29:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html

Comment 61 errata-xmlrpc 2014-10-30 19:47:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
