[php-maint] Bug#738832: Segmentation fault in libmagic (src:file) [CVE-2014-1943]
carnil at debian.org
Fri Feb 14 21:53:04 UTC 2014
clone 738832 -1
reassign -1 php5
retitle -1 'CVE-2014-1943: crafted files might result in long computation times'
On Thu, Feb 13, 2014 at 11:30:44AM +0100, Christoph Biedl wrote:
> Package: file
> Version: 5.11-2
> Severity: grave
> Tags: security
> [ Re-sent to BTS by request of the security team, also updated ]
>
> A bug in the handling of "indirect" magic rules of libmagic leads to
> an infinite recursion when trying to determine the file type of
> certain files. This has been assigned CVE-2014-1943. Additionally,
> other well-crafted files might result in long computation times (five
> seconds for a single file while using 100% CPU) and overlong results
> (~400k lines), something some applications that operate on the file
> result might not handle in a sane way.
>
> The issue has been made public by Bernd Melchers who initially found
> this bug: http://mx.gw.com/pipermail/file/2014/001327.html
>
> Impact is two-layered. The bug itself was introduced years ago
> (pre-oldstable). From jessie on, the default magic file as shipped in
> the package contains a file magic rule that is exploitable for a
> segmentation fault.
>
> In other words:
> jessie: Always affected and in full scale.
> squeeze/wheezy: Segmentation fault when using non-standard magic
> files that use "indirect" in a certain way. Still vulnerable to the
> "computation time" and "overlong" issues mentioned above.
>
> Upstream released 5.17 last night, fixing the bug for all
> reproducers I have in my collection. Backporting the patch is not
> trivial but hopefully feasible. I'll give that a try later today.
I am cloning this bug report, as php5, which embeds a modified copy of
libmagic, would also be affected by CVE-2014-1943.

The two relevant commits for file/5.16 were

(updates for src:file itself are currently being prepared)
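The quoted report points out that a crafted file can keep libmagic busy for seconds at 100% CPU or make it emit ~400k lines, and that applications consuming the `file` result may not cope with either. As an added example, not part of this bug report nor of the file or php5 packages, the following Python wrapper runs an external identification command under a wall-clock limit and an output cap and tells the caller which bound was hit. The `identify_file` helper assumes a `file` binary on PATH; the commands the demo and test feed to `run_bounded` (a `sleep`, an endless `echo` loop, a non-zero exit) are constructed stand-ins for those failure modes, not real libmagic reproducers. This applies to callers of the external `file` tool; PHP's finfo links the embedded libmagic directly and is not covered by such a wrapper.

```python
import os
import select
import subprocess
import time

# Hypothetical helper (not from src:file or php5): run a file-type
# identification command with a wall-clock limit and an output cap, so a
# crafted input that makes libmagic spin or emit ~400k lines cannot stall
# the caller or flood whatever parses the result. Unix-only (select on pipes).

OK, TIMEOUT, TRUNCATED, ERROR = "ok", "timeout", "truncated", "error"


def run_bounded(cmd, timeout_s=5.0, max_output_bytes=64 * 1024, chunk=4096):
    """Run cmd, returning (status, stdout_bytes).

    status is OK when the command finished normally within both limits,
    TIMEOUT when the wall-clock limit expired, TRUNCATED when stdout grew
    past max_output_bytes, and ERROR when it exited non-zero. In the
    TIMEOUT and TRUNCATED cases the child is killed rather than drained.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, stdin=subprocess.DEVNULL)
    fd = proc.stdout.fileno()
    deadline = time.monotonic() + timeout_s
    chunks, total, status = [], 0, OK
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                status = TIMEOUT
                break
            ready, _, _ = select.select([fd], [], [], remaining)
            if not ready:
                status = TIMEOUT
                break
            data = os.read(fd, chunk)
            if not data:          # EOF: the child closed stdout and is done
                break
            chunks.append(data)
            total += len(data)
            if total > max_output_bytes:
                status = TRUNCATED
                break
    finally:
        if proc.poll() is None:   # still running: timed out or over the cap
            proc.kill()
        proc.wait()
        proc.stdout.close()
    if status == OK and proc.returncode != 0:
        status = ERROR
    return status, b"".join(chunks)[:max_output_bytes]


def identify_file(path, timeout_s=5.0, max_output_bytes=64 * 1024):
    """Identify `path` with the external `file` tool (assumed to be on PATH)."""
    return run_bounded(["file", "-b", path], timeout_s, max_output_bytes)


if __name__ == "__main__":
    # Constructed stand-ins for the failure modes in the report.
    print(run_bounded(["sh", "-c", "echo 'ASCII text'"]))
    print(run_bounded(["sleep", "30"], timeout_s=0.5))
    print(run_bounded(["sh", "-c", "while :; do echo x; done"],
                      max_output_bytes=4096))
```

The caller decides what to do with TIMEOUT or TRUNCATED (reject the upload, log it, fall back to an extension check); the point is that neither a stalled nor a flooding `file` process reaches the parsing code.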