Bug 1072220 (CVE-2014-2270) - CVE-2014-2270 file: out-of-bounds access in search rules with offsets from input file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2270
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On: 1073554 1073555 1073556 1073557 1094481 1094482 1094483 1094484 1114520 1114521 1119563 1119564 1120503 1120504 1149768
Blocks: 1065838 1072232 1101912 1149858
Reported: 2014-03-04 06:50 UTC by Murray McAllister
Modified: 2021-02-17 06:48 UTC (History)
CC List: 24 users

Fixed In Version: file 5.17, php 5.5.10
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
Clone Of:
Environment:
Last Closed: 2014-10-31 09:15:01 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status       | Summary                                    | Last Updated
Red Hat Product Errata | RHSA-2014:1012 | 0       | normal   | SHIPPED_LIVE | Moderate: php53 and php security update    | 2014-08-06 09:14:44 UTC
Red Hat Product Errata | RHSA-2014:1606 | 0       | normal   | SHIPPED_LIVE | Moderate: file security and bug fix update | 2014-10-14 01:39:32 UTC
Red Hat Product Errata | RHSA-2014:1765 | 0       | normal   | SHIPPED_LIVE | Important: php54-php security update       | 2014-10-30 23:45:24 UTC

Description Murray McAllister 2014-03-04 06:50:18 UTC
A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code.

Upstream report: http://bugs.gw.com/view.php?id=313

Upstream fix: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801

Comment 1 Murray McAllister 2014-03-04 06:52:02 UTC
CVE request: http://seclists.org/oss-sec/2014/q1/473

Comment 4 Murray McAllister 2014-03-04 07:41:29 UTC
Note that the arbitrary code execution impact is a guess. The issue is still being investigated.

Comment 5 Remi Collet 2014-03-04 09:13:06 UTC
Notice, this upstream patch doesn't seem correct.

+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >= ((n) - (o)))
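Review bot: the `>=` in `(i) >= ((n) - (o))` is off by one in the exact-fit case. Reading i bytes at offset o is in bounds when o + i <= n, i.e. i <= n - o, so i == n - o (a pattern that ends exactly at the end of the buffer) is a valid read that this macro reports as out of bounds; that would show up as spurious mismatches on inputs where the magic pattern sits at the very end of the data. The comparison should be `>`.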

At least, it breaks the php test suite for this extension.

A better fix seems to be

+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
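Review bot: this is the form to keep. Testing `(n) < (o)` first guarantees that `(n) - (o)` cannot underflow, and bounding `i` against the remaining length rather than computing `o + i` removes the wraparound entirely: the original `nbytes < (offset + m->vallen)` test in mget() (see comment 20) adds a 32-bit offset to vallen and wraps for offset 0xffffffff, while here no sum of attacker-controlled values is ever formed. The `>` accepts the exact-fit read i == n - o that the first patch rejected.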

Under investigation...

Comment 7 Remi Collet 2014-03-05 06:14:22 UTC
Additional File upstream commit:
https://github.com/glensc/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c

Comment 8 Vincent Danen 2014-03-05 19:07:34 UTC
CVE-2014-2270 has been assigned to this issue:

http://seclists.org/oss-sec/2014/q1/504

Comment 9 Vincent Danen 2014-03-06 16:03:19 UTC
This has been corrected in upstream PHP 5.5.10:

http://www.php.net/ChangeLog-5.php#5.5.10
https://bugs.php.net/bug.php?id=66820

Comment 10 Vincent Danen 2014-03-06 16:55:19 UTC
At a quick glance, this looks to be applicable to even file 4.10, so this should affect pretty much everything we ship.

I don't know how likely it is that file would be used on a Windows Portable Executable (PE) file but in mixed environments (or with something like clamav, etc.) I suppose it's possible that these types of files may be processed by PHP or file.

Comment 11 Vincent Danen 2014-03-06 17:06:58 UTC
Also, for Fedora, it looks like sleuthkit might embed file:

sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz: sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/softmagic.c

The spec file has a requires on file, but no buildrequires on file-devel.  I've not had an opportunity to look closer to see exactly what that means.

Comment 14 Vincent Danen 2014-03-06 17:09:03 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1073557]

Comment 15 Vincent Danen 2014-03-06 17:09:08 UTC
Created file tracking bugs for this issue:

Affects: fedora-all [bug 1073555]

Comment 16 Fedora Update System 2014-03-12 12:30:58 UTC
file-5.14-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Tomas Hoger 2014-03-24 20:39:52 UTC
(In reply to Vincent Danen from comment #11)
> Also, for Fedora, it looks like sleuthkit might embed file:
> 
> sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz:
> sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/
> softmagic.c

The code is not built, hence Fedora sleuthkit is not affected.

Comment 20 Tomas Hoger 2014-03-25 20:41:41 UTC
This issue is not specific to PE parsing and is related to how file handles offsets read from the input file in "search" type rules.  This problem is exposed by the PE parsing rules in the default magic file.

In mget(), when processing a rule using a 32bit offset read from the file, it is possible to have the offset set to 0xffffffff.  In the call to mcopy(), ms->search is set up for "search" rules, with ms->search.s pointing out of bounds.  Back in mget(), the subsequent check to see if there is enough data is, for "search" rules: (nbytes < (offset + m->vallen)).  This check is bypassed, as offset is 32bit, causing this addition to wrap around.  Out of bounds access occurs when file tries to compare the data pointed to by ms->search.s with the pattern specified in the magic file.

There is a difference between 32bit and 64bit systems.  ms->search.s is set using:

ms->search.s = RCAST(const char *, s) + offset;

On 32bit systems, this also wraps, causing ms->search.s to point to memory a little before s, which is accessible memory, avoiding the crash.  On 64bit systems, ms->search.s is likely to point to unmapped memory, leading to a crash.

The impact of this issue is limited to a crash, or an unlikely, limited information leak (testing whether memory at a fixed offset from the memory holding the input contains a specific string from a magic file rule).
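
The arithmetic comment 20 describes, as an added worked example (my code, not code from file, PHP or any of the commenters). It models the pre-fix `nbytes < (offset + m->vallen)` test, the two OFFSET_OOB variants quoted in comment 5, and where `RCAST(const char *, s) + offset` lands on a 32-bit versus a 64-bit host. The function names, the 512-byte buffer, the 4-byte pattern length and the base address 0x1000 are constructed for illustration and are not from the page; only the check and the assignment it models are quoted from comment 20 and comment 5.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix check from mget() for "search" rules, as described in comment 20:
 *   if (nbytes < (offset + m->vallen)) -> not enough data, skip the rule
 * offset is the 32-bit value read from the input file, so the addition is
 * done in 32 bits and wraps when offset is near 0xffffffff.
 * Returns true when the (flawed) check believes enough data is present. */
static bool vulnerable_check_passes(size_t nbytes, uint32_t offset, uint32_t vallen)
{
    uint32_t end = offset + vallen;   /* 0xffffffff + 4 wraps to 3 */
    return !(nbytes < end);
}

/* The two OFFSET_OOB variants quoted in comment 5. Both test n < o first, so
 * n - o can never underflow, and neither forms o + i, so the 32-bit wrap above
 * cannot happen. They differ only in the exact-fit case i == n - o. */
#define OFFSET_OOB_GE(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))  /* first upstream patch */
#define OFFSET_OOB_GT(n, o, i) ((n) < (o) || (i) > ((n) - (o)))   /* revised form */

static bool oob_first_patch(size_t nbytes, uint32_t offset, uint32_t vallen)
{
    return OFFSET_OOB_GE(nbytes, offset, vallen);
}

static bool oob_revised(size_t nbytes, uint32_t offset, uint32_t vallen)
{
    return OFFSET_OOB_GT(nbytes, offset, vallen);
}

/* Where ms->search.s = RCAST(const char *, s) + offset would land, modelled on
 * integer addresses (forming the real out-of-bounds pointer is undefined
 * behaviour, so this never does). With offset 0xffffffff a 32-bit host wraps to
 * one byte before s; a 64-bit host lands about 4 GiB past s. */
static uint32_t search_ptr_32bit(uint32_t s, uint32_t offset) { return s + offset; }
static uint64_t search_ptr_64bit(uint64_t s, uint32_t offset) { return s + offset; }

int main(void)
{
    /* Constructed input: 512 buffered bytes, a 4-byte magic pattern, and a
     * 32-bit offset of 0xffffffff read from the file (the case in comment 20). */
    const size_t nbytes = 512;
    const uint32_t offset = 0xffffffffu;
    const uint32_t vallen = 4;

    printf("offset + vallen in 32 bits : %" PRIu32 " (wrapped)\n", offset + vallen);
    printf("vulnerable check passes    : %s\n",
           vulnerable_check_passes(nbytes, offset, vallen) ? "yes (bug)" : "no");
    printf("OFFSET_OOB, revised form   : %s\n",
           oob_revised(nbytes, offset, vallen) ? "out of bounds" : "in bounds");
    printf("search.s on a 32-bit host  : 0x%" PRIx32 " (s = 0x1000)\n",
           search_ptr_32bit(0x1000u, offset));
    printf("search.s on a 64-bit host  : 0x%" PRIx64 " (s = 0x1000)\n",
           search_ptr_64bit(0x1000u, offset));
    /* Exact fit: 4 bytes at offset 508 of 512 is a legitimate in-bounds read. */
    printf("exact fit at offset 508    : first patch %s, revised form %s\n",
           oob_first_patch(nbytes, 508, vallen) ? "rejects" : "accepts",
           oob_revised(nbytes, 508, vallen) ? "rejects" : "accepts");
    return 0;
}
```

The 32-bit result (0xfff, one byte before s) is why comment 20 reports no crash on 32-bit hosts, and the exact-fit line is the off-by-one that comment 5 raises against the `>=` form.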

Comment 28 Fedora Update System 2014-03-27 04:47:44 UTC
file-5.11-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 43 Huzaifa S. Sidhpurwala 2014-07-18 05:25:33 UTC
Statement:

This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.

Comment 44 Martin Prpič 2014-07-28 11:12:39 UTC
IssueDescription:

A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.

Comment 45 errata-xmlrpc 2014-08-06 05:15:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html

Comment 47 errata-xmlrpc 2014-10-14 08:29:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html

Comment 48 errata-xmlrpc 2014-10-30 19:47:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

