Bug 497913 - (CVE-2009-1515) CVE-2009-1515 file: heap-based buffer overflow in cdf_read_sat()
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,source=debian,reporte...
Keywords: Security
Reported: 2009-04-27 16:28 EDT by Vincent Danen
Modified: 2016-03-04 07:05 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-06-16 03:02:04 EDT
Description Vincent Danen 2009-04-27 16:28:45 EDT
A bug reported to Debian [1] affects file 5.x which is only available in the forthcoming Fedora 11.  When running file on an MSI file, file crashes.  The following link causes a crash with file 5.x: http://www.python.org/ftp/python/2.6.2/python-2.6.2.msi.  Tested with file 4.x on Fedora 10, RHEL5, and RHEL4 and the file is properly identified.

% file python-2.6.2.msi 
*** glibc detected *** file: munmap_chunk(): invalid pointer: 0x0000000001a8cf50 ***

There is currently no patch to correct the issue that I can find.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525820
Comment 1 Daniel Novotny 2009-04-28 04:58:16 EDT
hello,
I have reported the issue to file upstream
Comment 2 Vincent Danen 2009-05-01 19:22:46 EDT
Secunia has issued an advisory about this: http://secunia.com/advisories/34881/
Comment 3 Vincent Danen 2009-05-04 15:28:28 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1515 to
the following vulnerability:

Name: CVE-2009-1515
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1515
Assigned: 20090504
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515603
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525820
Reference: CONFIRM:ftp://ftp.astron.com/pub/file/file-5.01.tar.gz
Reference: BID:34745
Reference: URL: http://www.securityfocus.com/bid/34745
Reference: OSVDB:54100
Reference: URL: http://www.osvdb.org/54100
Reference: SECUNIA:34881
Reference: URL: http://secunia.com/advisories/34881

Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c
in Christos Zoulas file 5.00 allows user-assisted remote attackers to
execute arbitrary code via a crafted compound document file, as
demonstrated by a .msi, .doc, or .mpp file.  NOTE: some of these
details are obtained from third party information.


Despite the allusion to it above, file 5.01 does *not* fix what the python.msi file breaks.
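The CVE text above describes a crafted compound document (CDF/OLE2, the container behind .msi, .doc and .mpp) driving cdf_read_sat() into a heap-based overflow. As an added illustration of the kind of bounds checking such a parser needs, written for this page and not taken from file's own src/cdf.c, the Python below parses the 512-byte CDF header and reads the sector allocation table (SAT) only after bounding the attacker-controlled SAT sector count and every SAT sector index against the actual size of the file. The minimal CDF image it constructs, and the helper names build_sample, read_sat and check, are assumptions of the example, not data from this bug.

```python
import struct

# CDF/OLE2 layout facts used below (MS-CFB header, little-endian):
#   0x00 magic, 0x1E sector shift, 0x2C number of SAT sectors,
#   0x4C..0x1FF the 109 in-header MSAT entries (SAT sector numbers).
# Sector n lives at byte offset (n + 1) << sector_shift.
CDF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SECT_MAXREG = 0xFFFFFFFA   # largest regular sector number
SECT_SAT = 0xFFFFFFFD      # SAT entry marking a sector used by the SAT itself
SECT_END = 0xFFFFFFFE      # end-of-chain marker
SECT_FREE = 0xFFFFFFFF     # unused slot
MSAT_IN_HEADER = 109


class CdfError(ValueError):
    """Raised for any header field that cannot be satisfied by the file."""


def parse_header(buf):
    """Validate the fixed header and return (sector_shift, sat_count, msat)."""
    if len(buf) < 512 or buf[:8] != CDF_MAGIC:
        raise CdfError("not a CDF/OLE2 file")
    sector_shift, = struct.unpack_from("<H", buf, 0x1E)
    if sector_shift not in (9, 12):          # 512- or 4096-byte sectors only
        raise CdfError("unsupported sector shift %d" % sector_shift)
    sat_count, = struct.unpack_from("<I", buf, 0x2C)
    msat = list(struct.unpack_from("<109I", buf, 0x4C))
    return sector_shift, sat_count, msat


def sector_offset(sector, sector_shift, size):
    """Byte offset of a sector, or CdfError if any part of it lies past EOF."""
    sector_size = 1 << sector_shift
    if sector > SECT_MAXREG:                 # special markers are not readable
        raise CdfError("sector 0x%08x is not a regular sector" % sector)
    off = (sector + 1) << sector_shift       # in C this shift could wrap; check it
    if off + sector_size > size:
        raise CdfError("sector %d is outside the file" % sector)
    return off


def read_sat(buf):
    """Return the SAT as a list of sector-chain entries, or raise CdfError."""
    sector_shift, sat_count, msat = parse_header(buf)
    sector_size = 1 << sector_shift
    # The count comes from the file; never let it size a buffer on its own.
    max_sectors = (len(buf) - 512) // sector_size
    if sat_count > max_sectors:
        raise CdfError("header claims %d SAT sectors, file holds at most %d"
                       % (sat_count, max_sectors))
    if sat_count > MSAT_IN_HEADER:
        raise CdfError("MSAT chained beyond the header is not handled here")
    sat = []
    for i in range(sat_count):
        off = sector_offset(msat[i], sector_shift, len(buf))
        chunk = buf[off:off + sector_size]   # full length guaranteed by the check
        sat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))
    return sat


def build_sample(sat_sector=0, sat_count=1):
    """Constructed minimal CDF image: header + one SAT sector + one directory sector.

    The two parameters let the caller produce header values that do not match
    the file, which is what the checks above must reject."""
    header = bytearray(512)
    header[:8] = CDF_MAGIC
    struct.pack_into("<H", header, 0x18, 0x3E)      # minor version
    struct.pack_into("<H", header, 0x1A, 3)         # major version 3
    struct.pack_into("<H", header, 0x1C, 0xFFFE)    # byte-order mark
    struct.pack_into("<H", header, 0x1E, 9)         # 512-byte sectors
    struct.pack_into("<H", header, 0x20, 6)         # 64-byte mini sectors
    struct.pack_into("<I", header, 0x2C, sat_count)
    struct.pack_into("<I", header, 0x30, 1)         # directory is sector 1
    struct.pack_into("<I", header, 0x38, 4096)      # mini-stream cutoff
    struct.pack_into("<I", header, 0x3C, SECT_END)  # no mini SAT
    struct.pack_into("<I", header, 0x44, SECT_END)  # no MSAT continuation
    struct.pack_into("<109I", header, 0x4C, sat_sector, *([SECT_FREE] * 108))
    sat = bytearray(b"\xff" * 512)                  # all sectors free ...
    struct.pack_into("<I", sat, 0, SECT_SAT)        # ... except sector 0 (the SAT)
    struct.pack_into("<I", sat, 4, SECT_END)        # and sector 1 (directory chain end)
    directory = bytearray(512)
    return bytes(header + sat + directory)


def check(buf):
    """Classify an image as ("ok", entries) or ("rejected", reason)."""
    try:
        return "ok", len(read_sat(buf))
    except CdfError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(check(build_sample()))                         # well-formed image
    print(check(build_sample(sat_sector=0x00100000)))    # SAT sector past EOF
    print(check(build_sample(sat_count=0x7FFFFFFF)))     # count exceeds file size
    print(check(build_sample(sat_count=2)))              # count points at a free slot
```

The three rejected variants are the same header field classes the CVE text singles out: a sector index or a sector count that the file itself cannot back. A reader that trusts either value to size an allocation or a read is exactly the pattern this check forecloses.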
Comment 4 Vincent Danen 2009-05-04 15:45:09 EDT
file 5.02 which was released today corrects the issue:

~/Download/tmp/file-5.02/src/ >% ./file --magic=../magic/magic.mgc ~/Desktop/python-2.6.2.msi
/home/vdanen/Desktop/python-2.6.2.msi: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Title: Installation Database, Subject: Python 2.6.2, Author: Python Software Foundation, Template: Intel;1033, Revision Number: {7D2E52BC-98BB-493F-BC14-CFF942D2FB84}, Number of Words: 2, Number of Pages: 200, Name of Creating Application: Python MSI Library
~/Download/tmp/file-5.02/src/ >% ./file --magic=../magic/magic.mgc --version
lt-file-5.02
magic file from ../magic/magic.mgc
Comment 5 Daniel Novotny 2009-05-05 05:58:38 EDT
Hello,
I updated to 5.02 in rawhide (F12).
F11 has development freeze right now, so I cannot put the new version there...
Comment 6 Vincent Danen 2009-05-05 12:47:00 EDT
Hi, Daniel.  I just got the go-ahead from Jesse so you can push this for F11 despite the freeze.  If you could do that, that would be fantastic.

Thanks!
Comment 7 Daniel Novotny 2009-05-06 05:19:10 EDT
OK, built and filed a ticket in releng trac
( https://fedorahosted.org/rel-eng/ticket/1740 )
Comment 8 Daniel Novotny 2009-05-06 08:33:05 EDT
file-5.02-1.fc11 was successfully tagged into f11-final
Comment 9 Vincent Danen 2009-05-11 11:37:28 EDT
Sorry, Daniel, but 5.03 is out now with more CDF-related security fixes:

http://mx.gw.com/pipermail/file/2009/000383.html

There is no CVE name as of yet.
Comment 10 Daniel Novotny 2009-05-12 06:31:53 EDT
(In reply to comment #9)
> Sorry, Daniel, but 5.03 is out now with more CDF-related security fixes:
OK, requested dist-f11 tag
https://fedorahosted.org/rel-eng/ticket/1785

(F12 already done yesterday)
Comment 11 Daniel Novotny 2009-05-13 04:26:43 EDT
file-5.03-1.fc11 successfully tagged into f11-final
