Bug 72521

Summary: sys-apps/file-4.12 heads up
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on: 73786    
Bug Blocks:    

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-25 20:31:46 UTC
Stack smashing bug in file/src/readelf.c:donote() mentioned in file's
changelog does not look so harmless.

--- file-4.10/ChangeLog 2004-07-25 00:38:54 +0400
+++ file-4.12/ChangeLog 2004-11-24 20:39:06 +0300
@@ -1,3 +1,30 @@
+2004-11-24 12:39  Christos Zoulas  <christos@zoulas.com>
+
+       * Stack smash fix, and ELF more conservative reading.
+         Jakub Bogusz <qboosh@pld-linux.org>
+
+2004-11-20 18:50  Christos Zoulas  <christos@zoulas.com>
+
+       * New FreeBSD version parsing code:
+         Jon Noack <noackjr@alumni.rice.edu>
+
+       * Hackish support for ucs16 strings <christos@zoulas.com>
+
+2004-11-13 03:07  Christos Zoulas  <christos@zoulas.com>
+
+       * print the file name and line number in syntax errors.
+
+2004 10-12 10:50  Christos Zoulas  <christos@zoulas.com>
+
+       * Fix stack overwriting on 0 length strings: Tim Waugh
+           <twaugh@redhat.com> Ned Ludd <solar@gentoo.org>
+
+2004-09-27 11:30  Christos Zoulas  <christos@zoulas.com>
+
+       * Remove 3rd and 4th copyright clause; approved by Ian Darwin.
+
+       * Fix small memory leaks; caught by: Tamas Sarlos 
+           <stamas@csillag.ilab.sztaki.hu>
 
 2004-07-24 16:33  Christos Zoulas  <christos@zoulas.com>
 
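Review bot: the 2004-11-24 entry ("Stack smash fix, and ELF more conservative reading") names no file, function or trigger, so a packager reading only this ChangeLog cannot tell which code path or which input class is affected (the bug description above has to supply readelf.c:donote()); state the function and the reporting reference in the entry, as the 2004-10-12 entry at least does with "0 length strings". That 2004-10-12 entry also has a malformed date header, "2004 10-12 10:50", missing the first hyphen, which breaks anything that sorts or parses ChangeLog headers by date.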
Comment 2 solar (RETIRED) gentoo-dev 2004-11-26 18:45:58 UTC
I've already put a new one of these in the tree as ~arch-all
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 08:11:52 UTC
Waiting for a public disclosure date.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-07 04:23:21 UTC
looks public

http://securitytracker.com/alerts/2004/Dec/1012433.html

'File' Stack Overflow in Processing ELF Headers May Permit Arbitrary Code Execution
SecurityTracker Alert ID:  1012433
SecurityTracker URL:  http://securitytracker.com/id?1012433
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Dec 6 2004

Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network
Version(s): prior to 4.12
Description:  A vulnerability was reported in 'file'. A user may be able to execute arbitrary code on the target system.

Trustix reported a vulnerability in the ELF header parsing code in 'file'. A user may be able to create a specially crafted ELF file that, when processed using 'file', may be able to modify the stack and potentially execute arbitrary code.

Impact:  A user may be able to execute arbitrary code on the target system.
Solution:  No solution was available at the time of this entry.
Cause:  Not specified
Underlying OS:  Linux (Any), UNIX (Any)
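The alert above describes the bug class (a crafted ELF file whose note fields drive a copy into a fixed stack buffer) without showing it. The following is an added example, not file(1)'s readelf.c and not the upstream fix: a conservative ELF note parser in C with the length checks that keep a file-supplied namesz/descsz from turning into an over-long memcpy, plus a walker that stops at the first malformed record. Assumptions, all mine: note fields are little-endian (a real parser selects by EI_DATA), the name buffer is 32 bytes, and the three sample notes are constructed, not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed on-stack name buffer, the kind a note parser copies the
 * file-supplied name into.  Size is an assumption for the example. */
#define NOTE_NAME_MAX 32

struct elf_note {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
    char name[NOTE_NAME_MAX];      /* NUL-terminated copy of the note name */
    const unsigned char *desc;     /* points into the caller's buffer */
};

/* Little-endian read; assumption for the example (real code keys on EI_DATA). */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Parse the note starting at buf[off] inside a buffer of len bytes.
 * Returns the offset of the next note, or 0 if any field is inconsistent
 * with the bytes actually present.  Checks (1)-(3) are what stop a crafted
 * namesz/descsz from becoming an over-long copy. */
size_t parse_note(const unsigned char *buf, size_t len, size_t off,
                  struct elf_note *out)
{
    if (off > len || len - off < 12)                 /* (1) header present */
        return 0;
    uint32_t namesz = rd32le(buf + off);
    uint32_t descsz = rd32le(buf + off + 4);
    uint32_t type   = rd32le(buf + off + 8);

    size_t noff  = off + 12;
    size_t avail = len - noff;
    if (namesz > avail || align4(namesz) > avail)    /* (2) name in file */
        return 0;
    size_t doff   = noff + align4(namesz);
    size_t davail = len - doff;
    if (descsz > davail || align4(descsz) > davail)  /* (2) desc in file */
        return 0;
    if (namesz >= NOTE_NAME_MAX)                     /* (3) name fits buffer */
        return 0;

    out->namesz = namesz;
    out->descsz = descsz;
    out->type   = type;
    memcpy(out->name, buf + noff, namesz);           /* bounded by (2),(3) */
    out->name[namesz] = '\0';
    out->desc = buf + doff;
    return doff + align4(descsz);
}

/* Walks a whole note section; returns the note count, or -1 at the first
 * malformed record (a conservative reader stops rather than guesses). */
int count_notes(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    struct elf_note note;
    while (off < len) {
        size_t next = parse_note(buf, len, off, &note);
        if (next == 0) return -1;
        off = next;
        n++;
    }
    return n;
}

/* Constructed samples (not from any real binary). */

/* Well-formed GNU ABI-tag note: namesz 4, descsz 16, type 1 (NT_GNU_ABI_TAG),
 * name "GNU\0", desc = {OS 0 (Linux), 2, 6, 0}. */
const unsigned char good_note[32] = {
    4,0,0,0,  16,0,0,0,  1,0,0,0,
    'G','N','U',0,
    0,0,0,0,  2,0,0,0,  6,0,0,0,  0,0,0,0
};

/* namesz = 0xffffffff with only 4 name bytes behind it: the copy length a
 * naive memcpy(name, p, namesz) would trust. */
const unsigned char huge_namesz_note[16] = {
    0xff,0xff,0xff,0xff,  0,0,0,0,  1,0,0,0,
    'G','N','U',0
};

/* Builds a note whose 40-byte name is fully present in the file but does
 * not fit NOTE_NAME_MAX; returns bytes written, 0 if cap is too small. */
size_t build_long_name_note(unsigned char *out, size_t cap)
{
    const size_t need = 12 + 40;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 40;                 /* namesz, little-endian */
    out[8] = 1;                  /* type */
    memset(out + 12, 'A', 40);
    return need;
}

int main(void)
{
    struct elf_note n;
    unsigned char scratch[64];
    size_t next = parse_note(good_note, sizeof good_note, 0, &n);
    printf("good note: next=%zu name=%s type=%u descsz=%u\n",
           next, n.name, (unsigned)n.type, (unsigned)n.descsz);
    printf("huge namesz rejected: %s\n",
           parse_note(huge_namesz_note, sizeof huge_namesz_note, 0, &n) == 0 ? "yes" : "no");
    size_t l = build_long_name_note(scratch, sizeof scratch);
    printf("over-long name rejected: %s\n",
           parse_note(scratch, l, 0, &n) == 0 ? "yes" : "no");
    return 0;
}
```

Check (2) is deliberately strict: a final note whose trailing padding is missing is rejected rather than tolerated, which is what "more conservative reading" in the ChangeLog amounts to in practice. Check (3) is the one a fixed-size stack buffer needs in addition to the file-bounds checks; passing (2) alone still lets a 40-byte name overrun a 32-byte buffer.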
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-07 04:56:49 UTC
Arches please mark 4.12 stable.

Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Note to sh: no arch alias exists so someone (vapier?) please mark it sh.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-07 06:16:34 UTC
sparc stable.
Comment 7 Mike Doty (RETIRED) gentoo-dev 2004-12-07 06:33:58 UTC
stable on amd64
Comment 8 solar (RETIRED) gentoo-dev 2004-12-07 08:32:27 UTC
stable on x86
Comment 9 Daniel Black (RETIRED) gentoo-dev 2004-12-07 13:13:48 UTC
ppc stable.
Comment 10 Joshua Kinard gentoo-dev 2004-12-08 01:36:56 UTC
mips can't stable this revision unless we can get the file-4.xx-mips-gentoo.diff patch to apply, otherwise, file gives bad output on mips systems that mess up configure scripts.

The interesting thing is, the patch applies fine outside of portage, but applying within the ebuild, the dry-run sweep creates .orig files that cause epatch to fail on the second pass.  We got a workaround for this?
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-08 02:29:13 UTC
Alpha stable.
Comment 12 Joshua Kinard gentoo-dev 2004-12-08 03:01:28 UTC
Okay, disregard Comment #9; seems the patch we use is responsible for the .orig file breaking things.  Will fix && stabilize in the morning.
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2004-12-08 13:14:03 UTC
Stable on mips.
Comment 14 Guy Martin (RETIRED) gentoo-dev 2004-12-10 04:50:11 UTC
Stable on hppa.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-12-10 08:31:51 UTC
ppc64 please mark stable so that the GLSA can go out.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2004-12-10 23:35:29 UTC
stable on ppc64
Comment 17 SpanKY gentoo-dev 2004-12-12 17:45:15 UTC
stable for everyone else now too
Comment 18 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-13 14:47:19 UTC
GLSA 200412-07

thanks everyone
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-13 20:28:50 UTC
lta Magdir/xenix Magdir/xo65 Magdir/xwindows Magdir/zilog Magdir/zyxel; do \
  if test -f ./$frag; then \
    f=./$frag; \
  else \
    f=$frag; \
  fi; \
          cat $f; \
done >> magic
/usr/bin/file -C -m magic
WARNING: type lestring16 >0 Description: %15.15s invalid
file: could not find any magic files!
make[2]: *** [magic.mgc] Error 255
make[2]: Leaving directory `/usr/tmp/portage/file-4.12/work/file-4.12/magic'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/tmp/portage/file-4.12/work/file-4.12'
make: *** [all] Error 2

!!! ERROR: sys-apps/file-4.12 failed.
!!! Function src_compile, Line 51, Exitcode 2
!!! emake failed
!!! If you need support, post the topmost build error, NOT this status message.

Portage 2.0.51-r3 (hardened/x86, gcc-3.3.2, glibc-2.3.2-r12, 2.4.27-grsec-2.0.1 i686)
=================================================================
System uname: 2.4.27-grsec-2.0.1 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.3
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -mcpu=pentium3 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -mcpu=pentium3 -O2 -pipe"
DISTDIR="/usr/local/download/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/usr/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/download/portage"
SYNC="rsync://rsync14.us.gentoo.org/gentoo-portage"
USE="X509 aalib acl apache2 bcmath berkdb bzlib calendar chroot clamav cpdflib crypt cscope ctype curl curlwrappers dba dbase dbm dbx dio dlloader doc emacs emacs-w3 exif ext-png ext-zlib fam filepro flash flatfile freetds ftp gd gdbm gif gpm guile hardened iconv idea imagemagick imap informix innodb ipalias java javamail javascript jdepend jikes jpeg justify kerberos krb4 lcms libedit libwww maildir mcal mdb mhash migemo mime mmx mnogosearch motif msession mysql mysqli nagios-dns nagios-ntp nagios-ping nagios-ssh ncurses nis nls oav oci8 odbc pam parse-clocks pcntl pdflib perl pg-hier pg-intdatetime pg-vacuumdelay php pic pie plotutils png pnp posix postgres prelude propolice python readline recode ruby samba sasl session sharedmem simplexml skey slang snmp soap sockets spell spl sqlite sse ssl svg sysvipc tcpd tetex tidy tiff tokenizer truetype usb virus-scan wddx wmf x86 xchatnogtk xchattext xface xml xml2 xmlrpc xpm xsl yaz zeo zlib"

sys-apps/file-4.06 is the currently installed version... I'll test out others...
Comment 20 SpanKY gentoo-dev 2004-12-13 20:53:18 UTC
learn to use bugzilla :P (error filed as Bug 73786)
Comment 21 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-13 22:35:42 UTC
vapier: That bug is preventing this security bug from being resolved (regardless of whether or not you mark it 'RESOLVED') because a secure package is not available to our users who can't emerge it.

That bug should have been resolved before this was marked stable.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-13 23:44:30 UTC
eradicator: I agree this should have been fixed before if we were alerted to the fact that there was a bug.
Comment 23 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-14 00:20:58 UTC
bug #73786: 2004-12-08 04:17 PST
GLSA:       2004-12-13 14:47 PST

The bug was filed 5 days before the GLSA was announced.  base-system should have mentioned this problem here and dealt with it so the GLSA could be released...
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-14 00:40:27 UTC
eradicator: you're right however base-system is not on this bug and security were only just alerted:

Tue Dec 14 07:35:43 2004 

http://bugs.gentoo.org/show_bug.cgi?id=72521


eradicator@gentoo.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |73786