Drew Yao of Apple Product Security discovered several memory corruption issues in file 5.00 in the CDF parsing implementation.
The first is an integer overflow in cdf_read_property_info(), and the second is an integer overflow in cdf_read_sat(). Both have been assigned CVE-2009-0947.
The third issue is buffer overflows in cdf_read_sat(), cdf_read_long_sector_chain(), and cdf_read_ssat(). These issues have been assigned CVE-2009-0948.
These issues only affect file 5.00, and not earlier versions, because support for CDF (Common Document Format) files was introduced in file 5.00. Because of this, only Fedora 11 is affected by these issues.
Created attachment 342155
patch from Apple to correct the issues
This is a proposed patch from Drew Yao that corrects the issues.
Upstream released 5.01:
The announcement notes the CDF issues, but doesn't note the memory corruption issues.
The upstream author also notes:
"These were not the only memory corrupting issues; 5.01 was released yesterday to address the ones you found and more (Such as DoS attacks with looping sector chains)."
There are no CVEs assigned based on the upstream changelog, so I suspect this embargo will be short-lived.
Upstream has released 5.02 which corrects these issues.
File has been updated to 5.02 in Fedora 11, fixing these issues.