Colin Percival discovered that the fix for CVE-2007-1536 created an integer overflow flaw in file. This new flaw has been assigned CVE-2007-2799. Here is the information from Colin:

+ len = ms->o.size - ms->o.left;
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ assert(psize > len);

On a 32-bit system, if len is 1.35GB, len * 4 + 1 = 5.4GB == 1.4GB, so the assert will pass. The buffer will then be overflowed (by as much as the attacker wants, although of course he'll run into unwriteable addresses eventually). This looks pretty exploitable...

I think the right solution is to apply

- assert(psize > len);
+ if (len > (SIZE_T_MAX - 1) / 4) {
+ file_oomem(ms);
+ return NULL;
+ }

and add #include <limits.h> to the top (in place of the #include <assert.h> which the earlier patch adds).
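Review bot: SIZE_T_MAX in the guard `if (len > (SIZE_T_MAX - 1) / 4)` is not an ISO C macro; <limits.h> supplies it on BSD-derived systems, whereas C99 defines SIZE_MAX in <stdint.h>, so the hunk as written may fail to compile on glibc unless the project defines its own fallback. Using SIZE_MAX (with #include <stdint.h>) or adding an #ifndef SIZE_T_MAX fallback would make the replacement portable. The bound itself is correct: len <= (MAX - 1) / 4 guarantees len * 4 + 1 cannot exceed MAX, so rejecting before the multiplication removes the wraparound the assert missed.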
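The wraparound Colin describes and the guard he proposes, as an added example (not file's own source): the size type is modelled as uint32_t so the 32-bit arithmetic reproduces on any host, and escape_octal is a constructed stand-in for file's octal-escaping loop that shows why the buffer needs len * 4 + 1 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a 32-bit size_t so the overflow is reproducible on 64-bit hosts. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* The patched-but-still-broken sizing: psize = len * 4 + 1 followed by
 * assert(psize > len). Returns 1 where the assert would have passed. */
int unchecked_psize(size32_t len, size32_t *psize)
{
    *psize = (size32_t)(len * 4u) + 1u;   /* wraps modulo 2^32 once len >= 2^30 */
    return *psize > len;                   /* assert(psize > len) as a flag */
}

/* The proposed fix: reject len before multiplying, so the product cannot wrap.
 * Returns 0 where the caller should report out-of-memory and allocate nothing. */
int checked_psize(size32_t len, size32_t *psize)
{
    if (len > (SIZE32_MAX - 1) / 4)
        return 0;
    *psize = len * 4u + 1u;
    return 1;
}

/* Why 4 per byte: a non-printable byte becomes "\ooo" (4 chars), plus 1 NUL.
 * Constructed model of the escaping loop; returns a malloc'd string, or NULL
 * when the size check fails or malloc does. */
char *escape_octal(const unsigned char *buf, size32_t len)
{
    size32_t psize;
    if (!checked_psize(len, &psize))
        return NULL;
    char *out = malloc(psize), *p = out;
    if (out == NULL)
        return NULL;
    for (size32_t i = 0; i < len; i++) {
        if (buf[i] >= 0x20 && buf[i] < 0x7f)
            *p++ = (char)buf[i];
        else
            p += sprintf(p, "\\%03o", buf[i]);   /* exactly 4 bytes written */
    }
    *p = '\0';
    return out;
}
```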
Martin, Can you ensure this fix makes it upstream? They have not been told of this yet.
Upstream was notified.
RHEL 4.5.z and 5.0.z packages are built, rpmdiff tests are in progress. Upstream released file-4.21, to which I will probably update fc6, fc7 and devel.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0391.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0836