Bug 498682 - CVE-2009-0947, CVE-2009-0948 file: multiple memory corruption issues
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Reported: 2009-05-01 17:17 EDT by Vincent Danen
Modified: 2009-05-11 11:40 EDT

Doc Type: Bug Fix
Last Closed: 2009-05-11 11:40:30 EDT

Attachments
patch from Apple to correct the issues (1.92 KB, patch)
2009-05-01 17:21 EDT, Vincent Danen

Description Vincent Danen 2009-05-01 17:17:37 EDT
Drew Yao of Apple Product Security discovered several memory corruption issues in file 5.00 in the CDF parsing implementation.

The first is an integer overflow in cdf_read_property_info(), and the second is an integer overflow in cdf_read_sat().  Both have been assigned CVE-2009-0947.

The third issue is buffer overflows in cdf_read_sat(), cdf_read_long_sector_chain(), and cdf_read_ssat().  These issues have been assigned CVE-2009-0948.

These issues only affect file 5.00, and not earlier versions, due to introduced support for CDF (Common Document Format) files in file 5.00.  Because of this, only Fedora 11 is affected by these issues.
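The two bug classes the report names, an integer overflow in a size computation and the out-of-bounds access it enables, shown on a toy sector-table reader beside a hardened version. This is an added illustration, not code from file(1)'s cdf.c or from the Apple patch; every identifier here (toy_hdr, toy_sat_read, the shift bounds) is hypothetical and the sample inputs are constructed.

```c
/* Added illustration, not code from file(1) or the Apple patch: a toy
 * sector-table reader showing an integer overflow in a size computation
 * and the hardened arithmetic that prevents it. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed 8-byte little-endian header: sector size as a power-of-two
 * shift, then the number of sector-table entries the file claims to hold.
 * Both values come straight from untrusted input. */
struct toy_hdr {
    uint32_t sec_shift;   /* 9 means 512-byte sectors */
    uint32_t sat_sectors; /* file-controlled entry count */
};

#define TOY_HDR_LEN   8u
#define TOY_MIN_SHIFT 7u   /* constructed sanity bounds: 128-byte ... */
#define TOY_MAX_SHIFT 12u  /* ... to 4096-byte sectors */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void toy_parse_hdr(const uint8_t *file, struct toy_hdr *h)
{
    h->sec_shift = rd32le(file);
    h->sat_sectors = rd32le(file + 4);
}

/* 'Before' picture: the size is computed in the format's 32-bit width with
 * no overflow check, so a large count wraps to a small number and any buffer
 * sized from it is far too short for code that later trusts sat_sectors.
 * Only computes the (possibly wrapped) byte count; caller must keep
 * sec_shift below 32. */
uint32_t toy_sat_bytes_unchecked(const struct toy_hdr *h)
{
    uint32_t sec_size = (uint32_t)1 << h->sec_shift;
    return h->sat_sectors * sec_size;   /* silently wraps modulo 2^32 */
}

/* Hardened reader: bounds the shift, rejects counts whose product would not
 * fit in size_t, and checks the claimed table against the real file length
 * before allocating or copying anything. Returns 0 on success, -1 otherwise. */
int toy_sat_read(const uint8_t *file, size_t file_len,
                 uint8_t **out, size_t *out_len)
{
    struct toy_hdr h;
    size_t sec_size, bytes;

    *out = NULL;
    *out_len = 0;
    if (file_len < TOY_HDR_LEN)
        return -1;
    toy_parse_hdr(file, &h);
    if (h.sec_shift < TOY_MIN_SHIFT || h.sec_shift > TOY_MAX_SHIFT)
        return -1;                          /* absurd sector size */
    sec_size = (size_t)1 << h.sec_shift;
    if (h.sat_sectors == 0 || h.sat_sectors > SIZE_MAX / sec_size)
        return -1;                          /* empty, or product overflows */
    bytes = (size_t)h.sat_sectors * sec_size;
    if (bytes > file_len - TOY_HDR_LEN)
        return -1;                          /* table longer than the file */
    *out = malloc(bytes);
    if (*out == NULL)
        return -1;
    memcpy(*out, file + TOY_HDR_LEN, bytes);
    *out_len = bytes;
    return 0;
}

/* Constructed benign file: two 512-byte sectors. Returns bytes read. */
size_t toy_demo_benign(void)
{
    uint8_t file[TOY_HDR_LEN + 1024];
    uint8_t *out; size_t n;
    wr32le(file, 9); wr32le(file + 4, 2);
    memset(file + TOY_HDR_LEN, 0xAB, 1024);
    if (toy_sat_read(file, sizeof file, &out, &n) != 0) return 0;
    free(out);
    return n;
}

/* Constructed hostile header: 0x00800001 * 512 = 0x100000200 wraps to 512. */
uint32_t toy_demo_wrapped(void)
{
    struct toy_hdr h = { 9, 0x00800001u };
    return toy_sat_bytes_unchecked(&h);
}

/* Same hostile header through the hardened reader: must be rejected. */
int toy_demo_rejected(void)
{
    uint8_t file[TOY_HDR_LEN + 1024] = {0};
    uint8_t *out; size_t n;
    wr32le(file, 9); wr32le(file + 4, 0x00800001u);
    return toy_sat_read(file, sizeof file, &out, &n);
}

int main(void)
{
    printf("benign: %zu bytes\n", toy_demo_benign());
    printf("unchecked size for hostile header: %u\n", toy_demo_wrapped());
    printf("hardened reader status: %d\n", toy_demo_rejected());
    return 0;
}
```

The hardened path checks `sat_sectors > SIZE_MAX / sec_size` before multiplying, which is the portable way to catch the wrap on both 32- and 64-bit builds, and then compares the claimed table length with what the file actually contains, which is the check that also stops the "more sectors than bytes" case behind the buffer overflows named in the report.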
Comment 2 Vincent Danen 2009-05-01 17:21:52 EDT
Created attachment 342155 [details]
patch from Apple to correct the issues

This is a proposed patch from Drew Yao that corrects the issues.
Comment 4 Vincent Danen 2009-05-01 17:41:03 EDT
Upstream released 5.01:


The announcement notes the CDF issues, but doesn't note the memory corruption issues.

The upstream author also notes:

"These were not the only memory corrupting issues; 5.01 was released
yesterday to address the ones you found and more (Such as DoS
attacks with looping sector chains)."

There are no CVEs assigned based on the upstream changelog, so I suspect this embargo will be short-lived.
Comment 5 Vincent Danen 2009-05-04 15:54:33 EDT
Upstream has released 5.02 which corrects these issues.
Comment 7 Vincent Danen 2009-05-11 11:40:30 EDT
File has been updated to 5.02 in Fedora 11, fixing these issues.