Bug 174217 - sys-apps/file < 4.21-r1 Denial of Service (CVE-2007-2026)
Bug#: 174217 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: aetius@gentoo.org
Component: Vulnerabilities
URL:  http://sourceforge.net/mailarchive/forum.php?thread_name=755AF709E5B77E6EA58479D5%40foxx.lsit.ucsb.edu&forum_name=amavis-user
Summary: sys-apps/file < 4.21-r1 Denial of Service (CVE-2007-2026)
Keywords:  
Status Whiteboard: A3 [glsaupdate]
Opened: 2007-04-11 21:16 0000
Description:   Opened: 2007-04-11 21:16 0000 
file-4.20 has a problem with current glibc (I'm on 2.5) handling of a
particular regular expression that identifies OS/2 REXX files.  

This came up in the above URL as a potential Denial of Service for anything
that uses file to identify files, includes file code.  I've verified the
behavior as a DoS (checking the sample file takes file on the order of 30
minutes).

vapier has already patched this in 4.20-r1, we just need to stabilize it and
remove 4.20.  

The issue is not present in file-4.19 (also tested and verified), and is
probably not present in lower versions either.

------- Comment #1 From Matt Drew 2007-04-11 21:18:24 0000 ------- 
setting status, arches please stabilize sys-apps/file-4.20-r1, thanks!

------- Comment #2 From Christoph Mende 2007-04-11 21:28:45 0000 ------- 
Seems like it's already stable:
angelos@odin ~ % grep KEYWORDS /usr/portage/sys-apps/file/file-4.20-r1.ebuild 
16:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc
~sparc-fbsd x86 ~x86-fbsd"

------- Comment #3 From Jeroen Roovers 2007-04-11 21:35:30 0000 ------- 
Nothing to do. :)

------- Comment #4 From Matt Drew 2007-04-11 21:46:48 0000 ------- 
yes, I am an idiot. Moving to glsa status.

------- Comment #5 From Raphael Marichez 2007-04-17 22:36:05 0000 ------- 
GLSA 200704-13, thanks everybody!

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-06-07 11:41:22 0000 ------- 
*** Bug 181099 has been marked as a duplicate of this bug. ***

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-06-07 11:45:48 0000 ------- 
*** Bug 181179 has been marked as a duplicate of this bug. ***

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-06-07 12:35:38 0000 ------- 
Reopening since it seems like it was not properly fixed in 4.21 which is now
stable on some arches.

http://marc.info/?l=amavis-user&m=118107086309360&w=2

Vapier please patch.

------- Comment #9 From Raphael Marichez 2007-06-07 22:13:48 0000 ------- 
(In reply to comment #8)
> Reopening since it seems like it was not properly fixed in 4.21 which is now
> stable on some arches.
> 
> http://marc.info/?l=amavis-user&m=118107086309360&w=2
> 


i think it is already fixed. "update to file 4.21 or newer"

CVE-2007-2799/GLSA-200705-25 fixes a buffer overflow introduced by the
incorrect fix of CVE-2007-1536/GLSA-200703-26.

CVE-2007-2026/GLSA-200704-13 is the regexp DoS issue.

All these issues are fixed in file-4.21.

Letme reclose this bug, feel free to reopen if you disagree.

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-06-08 06:13:15 0000 ------- 
Here we go again:) See under 4. Additional information

An unrelated CVE-2007-2026 DoS vulnerability of a file(1) utility
linked with a POSIX regex(3) library on Linux systems (but not *BSD
systems) is still unresolved in file-4.21, because the offending
two lines in a file 'magic' were not removed by mistake, even though
their correct replacements were added.

------- Comment #11 From Raphael Marichez 2007-06-09 21:45:20 0000 ------- 
you're right... i've checked the source, indeed... (lol) back to [ebuild]
status then. The following lines should probably be removed from the msdos
magic file, but i have not seen any confirmation.

100 regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text

------- Comment #12 From Jakub Moc (RETIRED) 2007-06-13 20:40:58 0000 ------- 
*** Bug 181946 has been marked as a duplicate of this bug. ***

------- Comment #13 From Matt Drew 2007-07-02 18:48:03 0000 ------- 
any word on this?  The source hasn't been updated since May 24th - we could
just remove the lines ourselves?

------- Comment #14 From SpanKY 2007-07-11 05:50:42 0000 ------- 
added 4.21-r1 with patch to remove second regex

------- Comment #15 From Pierre-Yves Rofes 2007-07-14 22:19:50 0000 ------- 
and here we go again :)
arches, please test and mark stable. Target keywords are:
file-4.21-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64
s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

------- Comment #16 From Joshua Kinard 2007-07-15 08:36:50 0000 ------- 
mips stable.

------- Comment #17 From Jonas Pedersen 2007-07-15 09:22:53 0000 ------- 
sys-apps/file-4.21-r1  USE="python"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Old version is vulnerable to the file mentioned in URL while 4.21-r1 isn't. 

I known it have not been in the tree for 30 days, but this is security so
please mark stable. 


Portage 2.1.2.9 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r3,
2.6.20-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 11 Jul 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O3 -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O3 -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/
http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi aiglx alsa amd64 arts atk berkdb bitmap-fonts cairo cdr cli
cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss
encode fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer
gtk gtk2 hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde libg++ lm_sensors
mad midi mikmod mjpeg mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl
nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python
qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse3 ssl
tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis
xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000
atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #18 From Raúl Porcel 2007-07-15 12:07:35 0000 ------- 
alpha/ia64/x86 stable

------- Comment #19 From Steve Dibb 2007-07-15 16:13:05 0000 ------- 
amd64 stable

------- Comment #20 From Tobias Scherbaum 2007-07-15 21:06:10 0000 ------- 
ppc stable

------- Comment #21 From Jeroen Roovers 2007-07-16 05:40:15 0000 ------- 
Stable for HPPA.

------- Comment #22 From Gustavo Zacarias (RETIRED) 2007-07-16 12:16:30 0000 ------- 
sparc stable.

------- Comment #23 From Markus Rothe 2007-07-16 18:52:49 0000 ------- 
=sys-apps/file-4.21-r1 stable on ppc64

------- Comment #24 From Sune Kloppenborg Jeppesen 2007-07-16 19:26:08 0000 ------- 
Ready for GLSA Update of GLSA 200704-13

------- Comment #25 From Pierre-Yves Rofes 2007-09-17 18:06:53 0000 ------- 
glsa 200704-13 finally updated, sorry for the delay.