CVE-2013-7345: #703993 - file: possible DoS in awk magic

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
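The quadratic cost described above, and the effect of the 100-repetition cap recorded in the changelog further down, can be shown with a small step-counting model of a backtracking search. This is an added example, not code from file or from the bug report: the two patterns are constructed stand-ins, and treating `^` as matching at every line start is an assumption of the model.

```python
import re

# Constructed stand-ins modelled on the CVE text (a BEGIN detector with
# unlimited whitespace repetition) and on the changelog's 100-repetition cap.
# They are illustrative patterns, not copied from magic/Magdir/commands.
UNBOUNDED = r"^\s*BEGIN"
BOUNDED = r"^\s{0,100}BEGIN"


def search_cost(data, max_rep=None, literal="BEGIN"):
    """Model a backtracking search for ^\\s{0,max_rep}literal with ^ matching
    at every line start (assumption). Returns (found, characters inspected)."""
    steps, n = 0, len(data)
    for start in range(n + 1):
        if start and data[start - 1] != "\n":
            continue  # not a line start, so ^ cannot match here
        limit = n if max_rep is None else min(n, start + max_rep)
        end = start
        while end < limit and data[end].isspace():  # greedy whitespace run
            end += 1
            steps += 1
        for pos in range(end, start - 1, -1):  # give back one char at a time
            steps += 1
            if data.startswith(literal, pos):
                return True, steps
    return False, steps


def compare(n):
    """Cost of scanning n newlines with the unbounded and the capped pattern."""
    data = "\n" * n  # constructed input, same shape as the report's test file
    return search_cost(data)[1], search_cost(data, max_rep=100)[1]


def agrees_with_re(data):
    """Check the model's verdict against Python's re for both patterns."""
    return all(
        search_cost(data, rep)[0] == bool(re.search(pat, data, re.M))
        for pat, rep in ((UNBOUNDED, None), (BOUNDED, 100))
    )


if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        slow, fast = compare(n)
        print(f"n={n}: unbounded={slow} capped={fast} ratio={slow / fast:.1f}")
    print("model matches re:", agrees_with_re("\n\n  BEGIN { print }\n"))
```

In this model the unbounded pattern inspects (n+1)² characters on n newlines, while the capped one stays near 201·n. The cap also means a `BEGIN` preceded by more than 100 whitespace characters on the same line is no longer detected.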


Debian Bug report logs - #703993
file: possible DoS in awk magic

Reported by: Carsten Wolff [email protected]

Date: Tue, 26 Mar 2013 14:48:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions file/5.11-2, file/1:5.11-2.1, file/5.04-5+squeeze2

Fixed in versions file/1:5.17-0.1, file/5.11-2+deb7u2, file/5.04-5+squeeze4

Done: Christoph Biedl [email protected]

Bug is archived. No further changes may be made.

Forwarded to http://bugs.gw.com/view.php?id=164


Report forwarded to [email protected], Daniel Baumann [email protected]:
Bug#703993; Package file. (Tue, 26 Mar 2013 14:48:06 GMT).

Acknowledgement sent to Carsten Wolff [email protected]:
New Bug report received and forwarded. Copy sent to Daniel Baumann [email protected]. (Tue, 26 Mar 2013 14:48:06 GMT).

Message #5 received at [email protected]:

Package: file
Version: 5.04-5+squeeze2
Severity: important
Tags: security, patch

Hi,

there’s a DoS risk in the magic for awk scripts, which causes excessive runtimes of `file` on files which cause lots of backtracking in the regex engine, like files with many, many newlines:

dd ibs=1000000 count=1 if=/dev/zero | tr '\0' '\n' > newlines

time file newlines

newlines: ASCII text
real 3m51.005s
user 3m50.418s
sys 0m0.124s

There is a bug report and patch at the upstream bug tracker: http://bugs.gw.com/view.php?id=164

In Squeeze, the culprit awk-magic comes from debian/patches/101-magic-update-awk.patch. In wheezy, sid and experimental, the regex is part of upstream’s magic/Magdir/commands.

Cheers, Carsten

-- System Information:
Debian Release: 6.0.7
APT prefers stable
APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages file depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libmagic1 5.04-5+squeeze2 File type determination library us
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

file recommends no packages.

file suggests no packages.

-- no debconf information

Marked as found in versions file/5.11-2. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Wed, 27 Mar 2013 05:51:04 GMT).

Marked as found in versions file/1:5.11-2.1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Wed, 27 Mar 2013 05:51:05 GMT).

Marked as fixed in versions file/1:5.17-0.1. Request was from Christoph Biedl [email protected] to [email protected]. (Tue, 25 Feb 2014 22:24:04 GMT).

Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 04 Mar 2014 21:00:11 GMT).

Marked Bug as done. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 04 Mar 2014 21:00:15 GMT).

Notification sent to Carsten Wolff [email protected]:
Bug acknowledged by developer. (Tue, 04 Mar 2014 21:00:16 GMT).

Message sent on to Carsten Wolff [email protected]:
Bug#703993. (Tue, 04 Mar 2014 21:00:19 GMT).

Message #22 received at [email protected]:

close 703993 1:5.17-0.1
thanks

https://github.com/glensc/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c is contained in 1:5.17-0.1

Reply sent to Christoph Biedl [email protected]:
You have taken responsibility. (Sun, 16 Mar 2014 19:51:11 GMT).

Notification sent to Carsten Wolff [email protected]:
Bug acknowledged by developer. (Sun, 16 Mar 2014 19:51:11 GMT).

Message #27 received at [email protected]:

Source: file
Source-Version: 5.11-2+deb7u2

We believe that the bug you reported is fixed in the latest version of file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp. Christoph Biedl [email protected] (supplier of updated file package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])


Format: 1.8
Date: Wed, 05 Mar 2014 22:48:58 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.11-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Baumann [email protected]
Changed-By: Christoph Biedl [email protected]
Description:
 file - Determines file type using "magic" numbers
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1 - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 703993
Changes:
 file (5.11-2+deb7u2) wheezy-security; urgency=high
 .
   * Backport upstream commit FILE5_14-2-gef2329c: limit [awk detection] to 100 repetitions to avoid excessive backtracking. Closes: #703993
   * Backport upstream commit FILE5_16-24-g4475585 and FILE5_17-20-g70c65d2: Check properly for exceeding the offset. (CVE-2014-2270)


Reply sent to Christoph Biedl [email protected]:
You have taken responsibility. (Sun, 16 Mar 2014 19:51:15 GMT).

Notification sent to Carsten Wolff [email protected]:
Bug acknowledged by developer. (Sun, 16 Mar 2014 19:51:15 GMT).

Message #32 received at [email protected]:

Source: file
Source-Version: 5.04-5+squeeze4

We believe that the bug you reported is fixed in the latest version of file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp. Christoph Biedl [email protected] (supplier of updated file package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])


Format: 1.8
Date: Wed, 05 Mar 2014 22:41:59 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.04-5+squeeze4
Distribution: squeeze-security
Urgency: high
Maintainer: Daniel Baumann [email protected]
Changed-By: Christoph Biedl [email protected]
Description:
 file - Determines file type using "magic" numbers
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1 - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 703993
Changes:
 file (5.04-5+squeeze4) squeeze-security; urgency=high
 .
   * Backport upstream commit FILE5_14-2-gef2329c: limit [awk detection] to 100 repetitions to avoid excessive backtracking. Closes: #703993
   * Backport upstream commit FILE5_04-2-g0d74a0e: fix segv from loop overrun
   * Backport upstream commit FILE5_04-47-gb05926f: Use '%s' format to print untrusted string.
   * Backport upstream commit FILE5_16-24-g4475585 and FILE5_17-20-g70c65d2: Check properly for exceeding the offset. (CVE-2014-2270)


Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Mon, 14 Apr 2014 07:31:30 GMT).


Debian bug tracking system administrator <[email protected]>. Last modified: Mon Oct 31 15:01:10 2022; Machine Name: buxtehude
