Bug#739012: [php-maint] Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]

2014-02-18 Thread Lior Kaplan
On Sat, Feb 15, 2014 at 12:48 AM, Lior Kaplan kap...@debian.org wrote:

 The question is: do we want to patch this ourselves, or wait for PHP to
 provide the fix based on the linked commits? I guess the latter would be
 best, unless it will take them too much time.


Fix by upstream (from the PHP 5.4 branch):
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d

Kaplan


Bug#739012: [php-maint] Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]

2014-02-18 Thread Salvatore Bonaccorso
Hi!

On Tue, Feb 18, 2014 at 04:58:08PM +0200, Lior Kaplan wrote:
 On Sat, Feb 15, 2014 at 12:48 AM, Lior Kaplan kap...@debian.org wrote:
 
  The question is: do we want to patch this ourselves, or wait for PHP to
  provide the fix based on the linked commits? I guess the latter would be
  best, unless it will take them too much time.
 
 
 Fix by upstream (from the PHP 5.4 branch):
 http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d

Thanks for the update and apologies for not replying earlier to the
bug. In addition Ondřej has already prepared packages for
squeeze-security and wheezy-security which currently are building.

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]

2014-02-14 Thread Salvatore Bonaccorso
clone 738832 -1
reassign -1 php5
retitle -1 'CVE-2014-1943: crafted files might result in long computation times'
thanks

Hi,

On Thu, Feb 13, 2014 at 11:30:44AM +0100, Christoph Biedl wrote:
 Package: file
 Version: 5.11-2
 Severity: grave
 Tags: security
 
 [ Re-sent to BTS by request of the security team, also updated ]
 
 a bug in the handling of indirect magic rules of libmagic leads to
 an infinite recursion when trying to determine the file type of
 certain files. This has been assigned CVE-2014-1943. Additionally,
 other well-crafted files might result in long computation times (five
 seconds for a single file while using 100% CPU) and overlong results
 (~400k lines), something some applications that operate on the file
 result might not handle in a sane way.
 
 The issue has been made public by Bernd Melchers who initially found
 this bug: http://mx.gw.com/pipermail/file/2014/001327.html
 
 Impact is two-layered. The bug itself has been introduced years ago
 (pre oldstable). From jessie on, the default magic file as shipped in
 the package contains a file magic rule that is exploitable for a
 segmentation fault.
 
 In other words:
 
 jessie: Always affected and in full scale.
 
 squeeze/wheezy: Segmentation fault when using non-standard magic
 files that use indirect in a certain way. Still vulnerable for the
 computation time and overlong issues mentioned above.
 
 Upstream released 5.17 last night, fixing the bug for all
 reproducers I have in my collection. Backporting the patch is not
 trivial but hopefully feasible. I'll give that a try later in the day.

I clone this bugreport, as php5 embedding a modified copy of libmagic
would also be affected by CVE-2014-1943.

The two relevant commits for file/5.16 were
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
and
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

(updates for src:file itself are currently being prepared)

Regards,
Salvatore





Bug#739012: [php-maint] Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]

2014-02-14 Thread Lior Kaplan
On Fri, Feb 14, 2014 at 11:53 PM, Salvatore Bonaccorso car...@debian.org wrote:

 I clone this bugreport, as php5 embedding a modified copy of libmagic
 would also be affected by CVE-2014-1943.


Thanks.

I've looked at the build logs and it does seem like the fileinfo extension
uses the internal libmagic during build (verified upstream forced this
since PHP 5.3.0 at
http://git.php.net/?p=php-src.git;a=commitdiff;h=ccc012d3f656236c29c075a9e5dfbe850e00915b
)

But I'm still not sure why we have a libmagic-dev build-dep and a hard
coded dependency on libmagic1 for the various SAPIs. But that's a side
note...

The question is: do we want to patch this ourselves, or wait for PHP to
provide the fix based on the linked commits? I guess the latter would be
best, unless it will take them too much time.

Kaplan


Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]

2014-02-13 Thread Christoph Biedl
Package: file
Version: 5.11-2
Severity: grave
Tags: security

[ Re-sent to BTS by request of the security team, also updated ]

a bug in the handling of indirect magic rules of libmagic leads to
an infinite recursion when trying to determine the file type of
certain files. This has been assigned CVE-2014-1943. Additionally,
other well-crafted files might result in long computation times (five
seconds for a single file while using 100% CPU) and overlong results
(~400k lines), something some applications that operate on the file
result might not handle in a sane way.

The issue has been made public by Bernd Melchers who initially found
this bug: http://mx.gw.com/pipermail/file/2014/001327.html

Impact is two-layered. The bug itself has been introduced years ago
(pre oldstable). From jessie on, the default magic file as shipped in
the package contains a file magic rule that is exploitable for a
segmentation fault.

In other words:

jessie: Always affected and in full scale.

squeeze/wheezy: Segmentation fault when using non-standard magic
files that use indirect in a certain way. Still vulnerable for the
computation time and overlong issues mentioned above.

Upstream released 5.17 last night, fixing the bug for all
reproducers I have in my collection. Backporting the patch is not
trivial but hopefully feasible. I'll give that a try later in the day.

Christoph


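A consumer-side guard for the failure modes this report describes (a crash, seconds at 100% CPU, a ~400k-line result), added here as an example and not code from the thread, from src:file or from php5. It assumes file(1) invoked as `file -b --mime-type` is the classifier; the limits and the stand-in classifier used to exercise it are constructed for the demonstration.

```python
import subprocess
import sys

DEFAULT_COMMAND = ("file", "-b", "--mime-type")  # assumption: file(1) is the classifier
TIMEOUT_SECONDS = 2.0    # assumption: a healthy run finishes well below this
MAX_OUTPUT_BYTES = 4096  # assumption: a MIME type/description never needs more


def classify(path, command=DEFAULT_COMMAND, timeout=TIMEOUT_SECONDS,
             max_bytes=MAX_OUTPUT_BYTES):
    """Run the classifier on `path` under wall-clock and output limits.

    Returns a (status, value) pair:
      ("ok", text)          single-line result within the size limit
      ("timeout", None)     wall-clock limit exceeded; the child was killed
      ("crashed", signum)   child died from a signal (SIGSEGV is 11 on Linux)
      ("error", rc)         child exited non-zero
      ("overlong", nbytes)  output exceeded max_bytes or spanned several lines
    """
    argv = [*command, "--", path]
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", None)       # run() already killed the child
    if proc.returncode < 0:            # POSIX: -N means terminated by signal N
        return ("crashed", -proc.returncode)
    if proc.returncode != 0:
        return ("error", proc.returncode)
    out = proc.stdout                  # fully buffered; stream it if memory matters
    if len(out) > max_bytes or b"\n" in out.rstrip(b"\n"):
        return ("overlong", len(out))
    return ("ok", out.decode("utf-8", "replace").strip())


def fake_classifier(code):
    """Constructed stand-in: a Python one-liner playing the classifier so the
    guard can be exercised offline without a vulnerable libmagic build."""
    return (sys.executable, "-c", code)


if __name__ == "__main__":
    # Each stand-in mimics one failure mode from the report; "sample.bin" is a
    # constructed name that the stand-ins never open.
    for code in ("print('text/plain')",           # healthy result
                 "print('x' * 500000)",           # overlong result
                 "import time; time.sleep(60)",   # spins past the limit
                 "import os; os.abort()"):        # crashes (SIGABRT here)
        print(classify("sample.bin", command=fake_classifier(code)))
```

A crash or timeout is reported as a distinct failure rather than folded into "unknown type", so the caller can log it and refuse the file instead of passing a partial or empty result downstream.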