Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 629872 (CVE-2017-1000249)

Summary: <sys-apps/file-5.32: stack based buffer overflow
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, flopwiki, polynomial-c
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/09/05/3
Whiteboard: A2 [glsa cve]
Package list:
=sys-apps/file-5.32
 Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-04 12:04:08 UTC 
** EMBARGOED CONFIDENTIAL 2017-09-05 **

first affected version is file 5.29, released on 2016-10-25.
It is fixed in 5.32 

##
Tentative CVE description

[PRODUCT]: file
[VERSION]: file() after commit 9611f31313a93aa036389c5f3b15eea53510d4d1
(Oct 2016) Can you provide an acuall release #?
[PROBLEMTYPE]: CWE-121
[REFERENCES]:
https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793
https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1
[DESCRIPTION]: An issue in file() was introduced in commit
9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker
overwrite a fixed 20 bytes stack buffer with a specially crafted .notes
section in an ELF binary. There are systems like amavisd-new that
automatically run file(1) on every email attachment, so let's hope
people compile with -fstack-protector in place and it holds. This was
fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-05 16:31:48 UTC 
Public in http://www.openwall.com/lists/oss-security/2017/09/05/3
Comment 2 D'juan McDonald (domhnall) 2017-09-11 20:56:00 UTC 
*** Bug 630732 has been marked as a duplicate of this bug. ***
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-09-11 22:50:58 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-16 14:52:19 UTC 
@maintainer: ping for stabilization decision
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-22 23:49:21 UTC 
<base-system hat>
@ Arches,

please test and mark stable: =sys-apps/file-5.32
</base-system hat>
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-22 23:51:01 UTC 
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 13:07:07 UTC 
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 19:01:46 UTC 
hppa stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-23 19:39:54 UTC 
ppc64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 18:50:59 UTC 
ppc stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-26 09:33:45 UTC 
Stable on alpha.
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2017-09-26 22:29:03 UTC 
amd64 stable
Comment 13 Markus Meier gentoo-dev 2017-09-29 04:54:14 UTC 
arm stable, tested by Yury German
Comment 14 Markus Meier gentoo-dev 2017-09-29 04:55:34 UTC 
all arches done.
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-29 15:26:02 UTC 
Thank you all,

@Maintainers please proceed to remove vulnerable versions.

Gentoo Security Padawan
ChrisADR
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-30 15:16:30 UTC 
Old vulnerable ebuilds dropped.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:27:24 UTC 
This issue was resolved and addressed in
 GLSA 201710-02 at https://security.gentoo.org/glsa/201710-02
by GLSA coordinator Aaron Bauman (b-man).