Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505534 (CVE-2013-7345) - <sys-apps/file-5.15: denial of service (CPU consumption) when processing certain files (CVE-2013-7345)
Summary: <sys-apps/file-5.15: denial of service (CPU consumption) when processing cert...
Status: RESOLVED FIXED
Alias: CVE-2013-7345
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-24 09:05 UTC by Agostino Sarubbo
Modified: 2014-08-29 09:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
file-5.11-CVE-2013-7345.patch (file-5.11-CVE-2013-7345.patch,817 bytes, patch)
2014-07-27 19:06 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-24 09:05:27 UTC
From ${URL} :

A flaw was reported in the rules file uses to detect AWK scripts. A malicious input file could cause the 
file utility to use 100% CPU.

Upstream bug: http://bugs.gw.com/view.php?id=164
Upstream fix: https://github.com/file/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-22 17:04:38 UTC
The patch from [0] is applied in the CSV repository as "limit to 100 repetitions to avoid excessive backtracking Carsten Wolff" on Mon Mar 25 14:06:55 2013 +0000 released as part of 5.15. 5.17 is already stable in the portage tree. And older versions are already cleaned. 

@security: Please vote on GLSA. 

[0] http://bugs.gw.com/view.php?id=164
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-06 21:49:37 UTC
New GLSA Request Filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-07-07 15:41:17 UTC
CVE-2013-7345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7345):
  The BEGIN regular expression in the awk script detector in
  magic/Magdir/commands in file before 5.15 uses multiple wildcards with
  unlimited repetitions, which allows context-dependent attackers to cause a
  denial of service (CPU consumption) via a crafted ASCII file that triggers a
  large amount of backtracking, as demonstrated via a file with many newline
  characters.
Comment 4 Andrey Ovcharov 2014-07-27 19:06:50 UTC
Created attachment 381672 [details, diff]
file-5.11-CVE-2013-7345.patch
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-29 09:10:30 UTC
This issue was resolved and addressed in
 GLSA 201408-08 at http://security.gentoo.org/glsa/glsa-201408-08.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).