A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code.

Upstream report: http://bugs.gw.com/view.php?id=313
Upstream fix: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
CVE request: http://seclists.org/oss-sec/2014/q1/473
Note that the arbitrary code execution impact is a guess. The issue is still being investigated.
Notice, this upstream patch doesn't seem correct.

+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))

At least, it breaks the php test suite for this extension. A better fix seems to be

+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))

Under investigation...
PHP upstream commit: http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd275b32ed0bbe89796fe2953b3cb0b41f
Additional File upstream commit: https://github.com/glensc/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c
CVE-2014-2270 has been assigned to this issue: http://seclists.org/oss-sec/2014/q1/504
This has been corrected in upstream PHP 5.5.10: http://www.php.net/ChangeLog-5.php#5.5.10 https://bugs.php.net/bug.php?id=66820
At a quick glance, this looks to be applicable to even file 4.10, so this should affect pretty much everything we ship. I don't know how likely it is that file would be used on a Windows Portable Executable (PE) file but in mixed environments (or with something like clamav, etc.) I suppose it's possible that these types of files may be processed by PHP or file.
Also, for Fedora, it looks like sleuthkit might embed file:

sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz:
sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/softmagic.c

The spec file has a requires on file, but no buildrequires on file-devel. I've not had an opportunity to look closer to see exactly what that means.
Created php tracking bugs for this issue: Affects: fedora-all [bug 1073557]
Created file tracking bugs for this issue: Affects: fedora-all [bug 1073555]
file-5.14-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Vincent Danen from comment #11)
> Also, for Fedora, it looks like sleuthkit might embed file:
>
> sleuthkit-4.0.2-2.fc19: (source) sleuthkit-4.0.2.tar.gz:
> sleuthkit-4.0.2/framework/TskModules/c_FileTypeSigModule/file-5.08/src/
> softmagic.c

The code is not built, hence Fedora sleuthkit is not affected.
This issue is not specific to PE parsing and is related to how file handles offsets read from the file in "search" type rules. This problem is exposed by PE parsing rules in the default magic file.

In mget(), when processing a rule using a 32bit offset read from a file, it is possible to have offset set to 0xffffffff. In the call to mcopy(), ms->search is set up for "search" rules, with ms->search.s pointing out of bounds. Back in mget(), the subsequent check to see if there is enough data there is this check for "search" rules: (nbytes < (offset + m->vallen)). This check is bypassed, as offset is 32bit, causing this addition to wrap around. Out of bounds access occurs when file tries to compare data pointed to by ms->search.s with the pattern specified in the magic file rule.

There is a difference between 32bit and 64bit systems. ms->search.s is set using: ms->search.s = RCAST(const char *, s) + offset; On 32bit systems, this also wraps, causing ms->search.s to point to memory a little before s, accessible memory, avoiding the crash. On 64bit systems, ms->search.s is likely to point to unmapped memory, leading to a crash.

Impact of this issue is limited to a crash, or an unlikely limited information leak (test if memory at the fixed offset from the memory holding input contains a specific string from a magic file rule).
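The wraparound described in the comment above, as an added example that is not part of this bug report or of file's own code. The struct and function names are hypothetical stand-ins for the fields of file's rule struct that matter here (the search literal and m->vallen) and for the check in mget(); the sample buffer is constructed. The first function keeps the additive shape of the original check, the second rewrites it in subtractive form, using the '>' variant of OFFSET_OOB discussed earlier in this bug so that a pattern that exactly fills the tail of the buffer is still accepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the two fields of a magic rule that matter here:
 * the literal to search for and its length (m->value.s / m->vallen in file).
 * Not file's real struct. */
struct rule {
    const char *pattern;
    uint32_t    vallen;
};

/* Vulnerable shape of the check: both operands are 32-bit, so an offset near
 * UINT32_MAX makes offset + vallen wrap to a small value and the check
 * passes even though offset is far beyond nbytes. */
int enough_data_vuln(size_t nbytes, uint32_t offset, const struct rule *m)
{
    return !(nbytes < (offset + m->vallen));
}

/* Hardened shape: first confirm the offset itself lies inside the buffer,
 * then subtract, so no intermediate value can wrap. '<=' (the '>' form of
 * OFFSET_OOB) lets a pattern that exactly fills the remaining bytes match. */
int enough_data_fixed(size_t nbytes, uint32_t offset, const struct rule *m)
{
    if (offset > nbytes)
        return 0;
    return m->vallen <= nbytes - offset;
}

/* Compare guarded by the hardened check. Returns 1 on a match, 0 if the
 * pattern is absent or the compare would have read out of bounds. */
int match_at(const unsigned char *s, size_t nbytes, uint32_t offset,
             const struct rule *m)
{
    if (!enough_data_fixed(nbytes, offset, m))
        return 0;
    return memcmp(s + offset, m->pattern, m->vallen) == 0;
}

/* Constructed input: a 64-byte buffer starting with the "MZ" DOS stub
 * signature that the PE rules look for. */
static const unsigned char sample[64] = "MZ\x90\x00\x03\x00\x00\x00";

/* Returns 1 when the vulnerable check lets a hostile 32-bit offset of
 * 0xffffffff through while the hardened check rejects it. */
int demo_wraparound(void)
{
    struct rule mz = { "MZ", 2 };
    uint32_t hostile = 0xffffffffu;
    int vuln  = enough_data_vuln(sizeof sample, hostile, &mz);   /* 1: bypassed */
    int fixed = enough_data_fixed(sizeof sample, hostile, &mz);  /* 0: rejected */
    return vuln == 1 && fixed == 0;
}

int main(void)
{
    struct rule mz = { "MZ", 2 };
    printf("wraparound bypass reproduced: %d\n", demo_wraparound());
    printf("match at offset 0: %d\n", match_at(sample, sizeof sample, 0, &mz));
    printf("match at offset 0xffffffff: %d\n",
           match_at(sample, sizeof sample, 0xffffffffu, &mz));
    return 0;
}
```

On a 64-bit build the vulnerable check returns 1 for the hostile offset, so a real compare at s + 0xffffffff would read unmapped memory; the example does not model the second, pointer-arithmetic wrap that the comment describes for 32-bit systems, since that depends on the pointer width of the host.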
file-5.11-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 5. This issue did not affect the php packages as shipped with Red Hat Enterprise Linux 7.
IssueDescription: A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1606 https://rhn.redhat.com/errata/RHSA-2014-1606.html
This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html