Bug 1079846 – CVE-2013-7345 file: extensive backtracking in awk rule regular expression

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1079846 - (CVE-2013-7345) CVE-2013-7345 file: extensive backtracking in awk rule regular expression

Summary:	CVE-2013-7345 file: extensive backtracking in awk rule regular expression

Status:	CLOSED ERRATA

Aliases:	CVE-2013-7345

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20111231,repor...
Keywords:	Security

Depends On:	1079847 1079848 1080180 1080181 1083712 1120981 1149768
Blocks:	1065838 1079850 1149858
	Show dependency tree / graph

Reported:	2014-03-24 02:45 EDT by Murray McAllister
Modified:	2015-11-25 05:08 EST (History)
CC List:	20 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A denial of service flaw was found in the File Information (fileinfo) extension rules for detecting AWK files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of CPU.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-10-31 05:20:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Regression fix from Debian packages (322 bytes, patch) 2014-03-24 16:02 EDT, Tomas Hoger	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1013	normal	SHIPPED_LIVE	Moderate: php security update	2014-08-06 06:05:17 EDT
Red Hat Product Errata	RHSA-2014:1765	normal	SHIPPED_LIVE	Important: php54-php security update	2014-10-30 19:45:24 EDT

Groups: None (edit)

Description Murray McAllister 2014-03-24 02:45:43 EDT

A flaw was reported in the rules file uses to detect AWK scripts. A malicious input file could cause the file utility to use 100% CPU.

Upstream bug: http://bugs.gw.com/view.php?id=164
Upstream fix: https://github.com/file/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c

Comment 1 Murray McAllister 2014-03-24 02:47:28 EDT

Created file tracking bugs for this issue:

Affects: fedora-all [bug 1079847]

Comment 6 Tomas Hoger 2014-03-24 06:05:03 EDT

Relevant regular expression check for AWK file type was introduced via the following commit:

https://github.com/file/file/commit/e6b4015#diff-632ed2944e6b92e4b16ae8447f4f6e66

It first appeared in version 5.05.

Comment 7 Tomas Hoger 2014-03-24 16:02:44 EDT

Created attachment 878158 [details]
Regression fix from Debian packages

Debian released updated advisory DSA 2873-2 that corrects regression introduced by the fix for this issue.  Certain perl files with BEGIN are detected as awk scripts after the fix.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742265
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742262

Debian security update lowers strength of the awk regex rule.  Reportedly, this upstream fix addresses the problem too:

https://github.com/file/file/commit/afe6b9f
http://bugs.gw.com/view.php?id=333

Comment 9 Tomas Hoger 2014-03-24 16:48:18 EDT

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1080181]

Comment 10 Tomas Hoger 2014-03-24 16:52:07 EDT

Statement:

This issue did not affect the versions of file as shipped with Red Hat Enterprise Linux 5, 6, and 7, the versions of php as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of php53 as shipped with Red Hat Enterprise Linux 5.

Comment 11 Remi Collet 2014-03-25 06:08:55 EDT

Upstream PHP patch:
http://git.php.net/?p=php-src.git;a=commit;h=4374a52e9d13c480b4620c80a48591c6f883664b

Comment 12 Fedora Update System 2014-03-27 00:51:56 EDT

file-5.14-20.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-04-15 11:45:48 EDT

php-5.5.11-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2014-04-15 11:57:50 EDT

php-5.5.11-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Martin Prpič 2014-08-05 09:51:15 EDT

IssueDescription:

A denial of service flaw was found in the File Information (fileinfo) extension rules for detecting AWK files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of CPU.

Comment 22 errata-xmlrpc 2014-08-06 02:05:37 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1013 https://rhn.redhat.com/errata/RHSA-2014-1013.html

Comment 24 errata-xmlrpc 2014-10-30 15:47:31 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Note You need to log in before you can comment on or make changes to this bug.

bgollahe
carnil
dkutalek
drieden
fedora
harald
jkaluza
jkurik
jorton
jrusnack
kwizart
mmaslano
mmcgrath
packaging-team-maint
pfrields
pmatilai
rcollet
thoger
vdanen
webstack-team