clone 738832 -1
reassign -1 php5
retitle -1 'CVE-2014-1943: crafted files might result in long computation times'
thanks

Hi,

On Thu, Feb 13, 2014 at 11:30:44AM +0100, Christoph Biedl wrote:
> Package: file
> Version: 5.11-2
> Severity: grave
> Tags: security
>
> [ Re-sent to BTS by request of the security team, also updated ]
>
> a bug in the handling of "indirect" magic rules of libmagic leads to
> an infinite recursion when trying to determine the file type of
> certain files. This has been assigned CVE-2014-1943. Additionally,
> other well-crafted files might result in long computation times (five
> seconds for a single file while using 100% CPU) and overlong results
> (~400k line), something some applications that operate on the file
> result might not handle in a sane way.
>
> The issue has been made public by Bernd Melchers who initially found
> this bug: http://mx.gw.com/pipermail/file/2014/001327.html
>
> Impact is two-layered. The bug itself has been introduced years ago
> (pre oldstable). From jessie on, the default magic file as shipped in
> the package contains a file magic rule that is exploitable for a
> segmentation fault.
>
> In other words:
>
> jessie: Always affected and in full scale.
>
> squeeze/wheezy: Segmentation fault when using non-standard magic
> files that use "indirect" in a certain way. Still vulnerable for the
> "computation time" and "overlong" issues mentioned above.
>
> Upstream released 5.17 last night, fixing the bug for all
> reproducers I have in my collection. Backporting the patch is not
> trivial but hopefully feasible. I'll give that a try later the day.

I clone this bugreport, as php5 embedding a modified copy of libmagic
would also be affected by CVE-2014-1943. The two relevant commits for
file/5.16 were

https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f

and

https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

(updates for src:file itself are currently being prepared)

Regards,
Salvatore
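
For applications that call file(1) on untrusted input, the three failure modes named in the report (crash, long computation, overlong result) can be contained on the caller's side. The following is an added example, not code from this thread, from Debian or from upstream; the function name, the limit values and the status strings are assumptions, and it expects a POSIX system with `file` on the PATH.

```python
import resource
import signal
import subprocess
import threading

def classify_bounded(path, cmd=("file", "--brief", "--"), cpu_seconds=2,
                     wall_seconds=5, max_output=4096):
    """Run a file(1)-style classifier on path under CPU, wall-clock and
    output-size bounds. Returns (status, text); text is empty unless "ok"."""
    def limit_cpu():
        # Runs in the child before exec: the kernel sends SIGXCPU once the
        # child has used cpu_seconds of CPU time.
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, hard))

    proc = subprocess.Popen([*cmd, path], stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, preexec_fn=limit_cpu)
    timer = threading.Timer(wall_seconds, proc.kill)  # wall-clock backstop
    timer.start()
    try:
        # Read one byte past the cap so an overlong result is detected
        # without buffering all of it.
        out = proc.stdout.read(max_output + 1)
        if len(out) > max_output:
            proc.kill()
        proc.stdout.close()
        rc = proc.wait()
    finally:
        timer.cancel()
        timer.join()

    if len(out) > max_output:
        return ("overlong", "")
    if rc in (-signal.SIGXCPU, -signal.SIGKILL):
        return ("timeout", "")
    if rc < 0:
        return ("crashed", "")  # killed by a signal, e.g. SIGSEGV
    if rc != 0:
        return ("error", "")
    return ("ok", out.decode("utf-8", "replace").strip())
```

Callers should treat every status other than "ok" as "type unknown" rather than retrying the same input.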