A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code. Upstream fixes: https://github.com/file/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f https://github.com/file/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 https://github.com/file/file/commit/4afb9b168906f117e32a11367761cd50fe9d4abe Original report: http://mx.gw.com/pipermail/file/2014/001327.html
It was noted that this issue was introduced in November 2008: http://mx.gw.com/pipermail/file/2014/001330.html The version of file as shipped in Fedora is affected. From very brief testing and code inspection the version in Red Hat Enterprise Linux 6 appears to be too old to be affected by this issue. Investigation on-going.
Created file tracking bugs for this issue: Affects: fedora-all [bug 1065837]
Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739012 notes some versions of PHP have an internal copy of libmagic. I tested with PHP version 5.5.8 on Fedora 20, and the issue presents there. The backtrace was full of file_softmagic() calls (from /usr/lib64/php/modules/fileinfo.so), and strace did not reveal it trying to use the system version from file-libs (libmagic.so).
(In reply to Murray McAllister from comment #5) > Another fix may be needed: http://mx.gw.com/pipermail/file/2014/001339.html Actually, isn't that what Christos did in the commit https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 linked in the Description of this bug (Comment 0)? This email has been sent on Feb 12 and Christos committed this the very same day (and it does what's described in the email above). If I'm right, it should be fixed completely in File github repo.
PHP commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c Follow up commit correcting memory leak: http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb007
file-5.14-15.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Upstream (file) commit which fix the memory leak: https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9
file-5.11-12.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This has been corrected in upstream PHP 5.5.10: http://www.php.net/ChangeLog-5.php#5.5.10 https://bugs.php.net/bug.php?id=66731
file was fixed upstream in version 5.17. Note that upstream mailing list announcement initially incorrectly announced that version as 5.18: http://mx.gw.com/pipermail/file/2014/001340.html http://mx.gw.com/pipermail/file/2014/001341.html
This issue affects file versions 5.00 and later. 5.00 is the version that introduced the support for "indirect" type test: http://mx.gw.com/pipermail/file/2009/000311.html A reproducer that was posted to the upstream list only affects versions 5.12 and later, when additional tests using "indirect" were added that trigger infinite recursion on the publicly posted test case: https://github.com/file/file/commit/918400e In previous version, the default magic file does not contain test that triggers infinite recursion. It is possible to trigger deep recursion with sufficiently large file. This issue can cause an application using libmagic to crash when exhausting all stack memory. This also triggers high CPU usage before all stack memory is exhausted. This does not lead to code execution.
(In reply to Tomas Hoger from comment #28) > This issue affects file versions 5.00 and later. 5.00 is the version that > introduced the support for "indirect" type test Overview of file versions embedded in selected PHP versions: PHP 5.3.3 - file 5.03 PHP 5.4.16 - file 5.14 PHP 5.5.6 - file 5.14
Statement: This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
IssueDescription: A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html