It was discovered that the original upstream fix for the CVE-2013-7345 issue (bug 1079846) did not sufficiently address the problem. A specially crafted input file could still cause file to use an excessive amount of CPU time when trying to detect the file type using the awk regular expression rule.
Patch proposed by Jan Kaluza:

    0 search/16384 BEGIN
    >0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text

Not fixed upstream yet.
Acknowledgment: Name: Jan Kaluža (Red Hat Web Stack Team)
(In reply to Francisco Alonso from comment #1)
> Patch proposed by Jan Kaluza:
>
> 0 search/16384 BEGIN
> >0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text

This fix is also insufficient and easy to bypass. The first rule can be satisfied by having BEGIN somewhere in the first 16384 bytes of the input, but in a way that it does not satisfy the regex of the subsequent rule, making the regex do the full exhaustive search.
Upstream commit: https://github.com/file/file/commit/0b478f445b6b7540b58af5d1fe583fa9e48fd745
Hi Francisco,

Is the assignment of CVE-2014-0235 correct? On https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0235 apparently this is for Microsoft Internet Explorer 9.

Thanks for clarification, and Regards,
Salvatore
Hi Salvatore,

We have assigned this CVE from our internal pool. Thanks for asking on the OSS mailing list; we will wait for MITRE's answer to assign a new CVE for this issue.

Best,
Francisco Alonso.
Created php tracking bugs for this issue: Affects: fedora-all [bug 1114444]
Created file tracking bugs for this issue: Affects: fedora-all [bug 1114443]
(In reply to Francisco Alonso from comment #7)
> Upstream commit:
> https://github.com/file/file/commit/0b478f445b6b7540b58af5d1fe583fa9e48fd745

As noted in comment 5, this fix is insufficient and the additional check can be easily bypassed.
This is the change that actually made it to file 5.19:
https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668

It relies on the following new feature that introduced the regex/<length> syntax, which makes it possible to limit the maximum length of the input matched by a regex defined in a magic file:
https://github.com/file/file/commit/74cafd7de9ec99a14f4480927580e501c8f852c3
https://github.com/file/file/commit/69a5a43b3b71f53b0577f41264a073f495799610
https://github.com/file/file/commit/758e066df72fb1ac08d2eea91ddc3973d259e991

This additional commit introduced a limit of 8k applied to all regex rules by default (note that it's one of multiple changes in the commit):
https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320
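Added illustration, not part of this bug report and not libmagic code: a small Python model of the two rules from the proposed patch (comment 1) that shows the bypass described in comment 5 and what the regex/<length> limit from the commits above changes. The evaluator, the names `evaluate` and `bypass_input`, and the sample inputs are assumptions made here; the model only reports how much of the buffer the regex rule is asked to scan, it does not reproduce the CPU cost of file's POSIX regex engine.

```python
import re

# Simplified model of the two proposed magic rules (added example, not libmagic):
#   0 search/16384 BEGIN
#   >0 regex =^\s{0,100}BEGIN\s{0,100}[{] awk script text
SEARCH_WINDOW = 16384
AWK_REGEX = re.compile(rb"^\s{0,100}BEGIN\s{0,100}[{]", re.MULTILINE)


def evaluate(buf: bytes, regex_limit=None):
    """Return (matched, bytes_handed_to_regex).

    regex_limit models the regex/<length> syntax: None means unbounded, as in
    file before 5.19; 8192 is the default limit introduced in 5.19 (assumed
    here to simply truncate the region the regex sees).
    """
    # First rule: literal "BEGIN" anywhere in the first 16384 bytes.
    if b"BEGIN" not in buf[:SEARCH_WINDOW]:
        return False, 0  # regex rule never runs
    # Second rule: the regex is applied from offset 0 over the whole buffer,
    # or only over the first regex_limit bytes when a limit is set.
    region = buf if regex_limit is None else buf[:regex_limit]
    return AWK_REGEX.search(region) is not None, len(region)


def bypass_input(lines: int) -> bytes:
    """Constructed attacker input: BEGIN sits inside the 16 KiB search window,
    so rule 1 passes, but no line ever carries the '{' the regex needs, so the
    regex rule must work through every line of the buffer before failing."""
    return b"BEGIN\n" + b" BEGIN\n" * lines


# Constructed sample inputs.
GENUINE_AWK = b"#!/usr/bin/awk -f\nBEGIN { print 1 }\n"
OUT_OF_WINDOW = b"A" * 20000 + b"BEGIN {"


if __name__ == "__main__":
    crafted = bypass_input(100_000)
    print("genuine awk, no limit   :", evaluate(GENUINE_AWK))
    print("genuine awk, regex/8192 :", evaluate(GENUINE_AWK, 8192))
    print("crafted,     no limit   :", evaluate(crafted))
    print("crafted,     regex/8192 :", evaluate(crafted, 8192))
    print("BEGIN past window       :", evaluate(OUT_OF_WINDOW))
```

The crafted input passes the cheap `search/16384` rule and then forces the regex rule over the full buffer, which is exactly the bypass of comment 5; the length limit caps that region at 8192 bytes regardless of input size while a real awk script still matches.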
The CVE-2014-0235 id previously used here was replaced by CVE-2014-3538, as CVE-2014-0235 was previously incorrectly used for a flaw in Microsoft Internet Explorer 9:
http://seclists.org/oss-sec/2014/q2/704
http://seclists.org/oss-sec/2014/q2/710
http://seclists.org/oss-sec/2014/q3/18
file-5.19-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This is corrected in upstream PHP 5.5.16: http://php.net/ChangeLog-5.php#5.5.16
As noted in comment 13, the fix that was applied corrected more than just the problematic awk rule by adding a limit on the length of the input any regular expression can match.
Issue Description: Multiple flaws were found in the File Information (fileinfo) extension regular expression rules for detecting various files. A remote attacker could use any of these flaws to cause a PHP application using fileinfo to consume an excessive amount of CPU.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2155 https://rhn.redhat.com/errata/RHSA-2015-2155.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0760 https://rhn.redhat.com/errata/RHSA-2016-0760.html