Bug 1104863 – CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1104863 - (CVE-2014-3478) CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size

Summary:	CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size

Status:	NEW

Aliases:	CVE-2014-3478

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140627,repor...
Keywords:	Security

Depends On:	1114448 1114450 1140026 1140027 1149768 1149774 1238984 1238985
Blocks:	1065838 1101912 1104865 1149858 1210268
	Show dependency tree / graph

Reported:	2014-06-04 16:48 EDT by Francisco Alonso
Modified:	2018-01-29 20:02 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A buffer overflow flaw was found in the way the File Information (fileinfo) extension processed certain Pascal strings. A remote attacker able to make a PHP application using fileinfo convert a specially crafted Pascal string provided by an image file could cause that application to crash.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
PHP Bug Tracker	67410	None	None	None	Never
Red Hat Product Errata	RHSA-2014:1327	normal	SHIPPED_LIVE	Moderate: php security update	2014-09-30 09:09:42 EDT
Red Hat Product Errata	RHSA-2014:1765	normal	SHIPPED_LIVE	Important: php54-php security update	2014-10-30 19:45:24 EDT
Red Hat Product Errata	RHSA-2014:1766	normal	SHIPPED_LIVE	Important: php55-php security update	2014-10-30 19:45:12 EDT
Red Hat Product Errata	RHSA-2015:2155	normal	SHIPPED_LIVE	Moderate: file security and bug fix update	2015-11-19 03:39:11 EST

Groups: None (edit)

Description Francisco Alonso 2014-06-04 16:48:14 EDT

A flaw was found in the way file compute the truncated pascal string size in mconvert() function. 

Upstream commit:
https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08


Acknowledgment:

This issue was discovered by Francisco Alonso of Red Hat Product Security.

Comment 2 Remi Collet 2014-06-10 08:07:14 EDT

PHP commit:

http://git.php.net/?p=php-src.git;a=commit;h=e77659a8c87272e5061738a31430d2111482c426

Comment 3 Francisco Alonso 2014-06-30 02:19:43 EDT

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1114450]

Comment 4 Francisco Alonso 2014-06-30 02:19:46 EDT

Created file tracking bugs for this issue:

Affects: fedora-all [bug 1114448]

Comment 7 Fedora Update System 2014-07-05 10:53:46 EDT

file-5.19-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Murray McAllister 2014-07-08 00:56:38 EDT

Statement:

This issue did not affect the versions of file, php, and php53 as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of file as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 12 Martin Prpič 2014-09-25 08:12:26 EDT

IssueDescription:

A buffer overflow flaw was found in the way the File Information (fileinfo) extension processed certain Pascal strings. A remote attacker able to make a PHP application using fileinfo convert a specially crafted Pascal string provided by an image file could cause that application to crash.

Comment 13 errata-xmlrpc 2014-09-30 05:10:02 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html

Comment 16 errata-xmlrpc 2014-10-30 15:46:14 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 17 errata-xmlrpc 2014-10-30 15:47:45 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Comment 21 errata-xmlrpc 2015-11-19 03:09:04 EST

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2155 https://rhn.redhat.com/errata/RHSA-2015-2155.html

Note You need to log in before you can comment on or make changes to this bug.