Bug 1072220 - (CVE-2014-2270) CVE-2014-2270 file: out-of-bounds access in search rules with offsets from input file
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
QA Contact: David Kutálek
Whiteboard: impact=moderate,public=20131220,repor...
Keywords: Security
Depends On: 1073554 1073555 1073556 1073557 1094481 1094482 1094483 1094484 1114520 1114521 1119563 1119564 1120503 1120504 1149768
Blocks: 1065838 1072232 1101912 1149858
Reported: 2014-03-04 01:50 EST by Murray McAllister
Modified: 2015-10-15 14:15 EDT (History)
CC: 24 users

See Also:
Fixed In Version: file 5.17, php 5.5.10
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-31 05:15:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Murray McAllister 2014-03-04 01:50:18 EST
A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code.

Upstream report: http://bugs.gw.com/view.php?id=313

Upstream fix: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
Comment 1 Murray McAllister 2014-03-04 01:52:02 EST
CVE request: http://seclists.org/oss-sec/2014/q1/473
Comment 4 Murray McAllister 2014-03-04 02:41:29 EST
Note that the arbitrary code execution impact is a guess. The issue is still being investigated.
Comment 5 Remi Collet 2014-03-04 04:13:06 EST
Notice, this upstream patch doesn't seem correct.

+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >= ((n) - (o)))
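Review bot: the `>=` in the second term is an off-by-one: a pattern that ends exactly at the end of the buffer (`o + i == n`) is reported as out of bounds, whereas the check it replaces (`nbytes < offset + vallen`) accepts that case. That is the boundary the test suite exercises; `(i) > ((n) - (o))` keeps the original semantics.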

At least, it breaks the PHP test suite for this extension.

A better fix seems to be

+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
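Review bot: this form is sound against the wrap-around described for the old check: because `(n) < (o)` is tested first, `(n) - (o)` can never underflow, and no `offset + vallen` sum is computed in 32 bits, so an offset such as 0xffffffff read from the input is rejected instead of wrapping to a small value. Worth adding a one-line comment on the macro saying that the order of the two terms is load-bearing.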

Under investigation...
Comment 7 Remi Collet 2014-03-05 01:14:22 EST
Additional File upstream commit:
https://github.com/glensc/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c
Comment 8 Vincent Danen 2014-03-05 14:07:34 EST
CVE-2014-2270 has been assigned to this issue:

http://seclists.org/oss-sec/2014/q1/504
Comment 9 Vincent Danen 2014-03-06 11:03:19 EST
This has been corrected in upstream PHP 5.5.10:

http://www.php.net/ChangeLog-5.php#5.5.10
https://bugs.php.net/bug.php?id=66820
Comment 10 Vincent Danen 2014-03-06 11:55:19 EST
At a quick glance, this looks to be applicable to even file 4.10, so this should affect pretty much everything we ship.

I don't know how likely it is that file would be used on a Windows Portable Executable (PE) file but in mixed environments (or with something like clamav, etc.) I suppose it's possible that these types of files may be processed by PHP or file.
Comment 11 Vincent Danen 2014-03-06 12:06:58 EST
Also, for Fedora, it looks like sleuthkit might embed file:

sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz: sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/softmagic.c

The spec file has a requires on file, but no buildrequires on file-devel.  I've not had an opportunity to look closer to see exactly what that means.
Comment 14 Vincent Danen 2014-03-06 12:09:03 EST
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1073557]
Comment 15 Vincent Danen 2014-03-06 12:09:08 EST
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1073555]
Comment 16 Fedora Update System 2014-03-12 08:30:58 EDT
file-5.14-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Tomas Hoger 2014-03-24 16:39:52 EDT
(In reply to Vincent Danen from comment #11)
> Also, for Fedora, it looks like sleuthkit might embed file:
> 
> sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz:
> sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/
> softmagic.c

The code is not built, hence Fedora sleuthkit is not affected.
Comment 20 Tomas Hoger 2014-03-25 16:41:41 EDT
This issue is not specific to PE parsing and is related to how file handles offsets read from the file in "search" type rules.  This problem is exposed by PE parsing rules in the default magic file.

In mget(), when processing a rule using a 32bit offset read from the file, it is possible to have the offset set to 0xffffffff.  In the call to mcopy(), ms->search is set up for "search" rules, with ms->search.s pointing out of bounds.  Back in mget(), the subsequent check to see if there is enough data is, for "search" rules: (nbytes < (offset + m->vallen)).  This check is bypassed, as offset is 32bit, causing this addition to wrap around.  The out of bounds access occurs when file tries to compare the data pointed to by ms->search.s with the pattern specified in the magic file.

There is a difference between 32bit and 64bit systems.  ms->search.s is set using:

ms->search.s = RCAST(const char *, s) + offset;

On 32bit systems, this also wraps, causing ms->search.s to point to memory a little before s, accessible memory, avoiding the crash.  On 64bit systems, ms->search.s is likely to point to unmapped memory, leading to a crash.

The impact of this issue is limited to a crash, or an unlikely, limited information leak (testing whether memory at a fixed offset from the memory holding the input contains a specific string from a magic file rule).
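As an added example (not code from file, PHP, or any commenter), the C below models the wrapping length check described in comment 20 next to the two OFFSET_OOB macros from comment 5; nbytes, offset and vallen are constructed values standing in for the variables named in those comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not file's own code): models the FILE_SEARCH length check
 * from comment 20 and the OFFSET_OOB macros from comment 5. "offset" plays
 * the role of the 32-bit offset read from the input file and "vallen" the
 * pattern length from the magic rule; all values are constructed. */

/* Pre-fix check as comment 20 describes it: offset is uint32_t and vallen
 * promotes to int, so the sum is computed in 32 bits and wraps around.
 * Returns 1 when the check lets the pattern comparison proceed. */
static int vulnerable_check_passes(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return !(nbytes < (offset + vallen));
}

/* Original upstream macro (">=") and the corrected one (">") from comment 5. */
#define OFFSET_OOB_UPSTREAM(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
#define OFFSET_OOB(n, o, i)          ((n) < (o) || (i) > ((n) - (o)))

static int upstream_check_passes(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return !OFFSET_OOB_UPSTREAM(nbytes, offset, vallen);
}

static int fixed_check_passes(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return !OFFSET_OOB(nbytes, offset, vallen);
}

/* Ground truth: does the vallen-byte read at s + offset stay inside the
 * nbytes buffer? Computed in 64 bits so nothing can wrap. */
static int read_is_out_of_bounds(size_t nbytes, uint32_t offset, uint8_t vallen)
{
    return (uint64_t)offset + vallen > (uint64_t)nbytes;
}

int main(void)
{
    size_t nbytes = 100;
    uint32_t bad = 0xffffffffu;  /* constructed: offset taken from the input */
    printf("wrapping check lets 0xffffffff through: %d (really OOB: %d)\n",
           vulnerable_check_passes(nbytes, bad, 4), read_is_out_of_bounds(nbytes, bad, 4));
    printf("pattern ending exactly at EOF: upstream=%d fixed=%d\n",
           upstream_check_passes(nbytes, 96, 4), fixed_check_passes(nbytes, 96, 4));
    printf("fixed check rejects 0xffffffff: %d\n", fixed_check_passes(nbytes, bad, 4));
    return 0;
}
```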
Comment 28 Fedora Update System 2014-03-27 00:47:44 EDT
file-5.11-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 43 Huzaifa S. Sidhpurwala 2014-07-18 01:25:33 EDT
Statement:

This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
Comment 44 Martin Prpic 2014-07-28 07:12:39 EDT
IssueDescription:

A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Comment 45 errata-xmlrpc 2014-08-06 01:15:20 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
Comment 47 errata-xmlrpc 2014-10-14 04:29:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
Comment 48 errata-xmlrpc 2014-10-30 15:47:25 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
