Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532768 - <sys-apps/file-5.22: two denial of service issues (CVE-2014-{9620,9621})
Summary: <sys-apps/file-5.22: two denial of service issues (CVE-2014-{9620,9621})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-17 08:45 UTC by Agostino Sarubbo
Modified: 2015-03-16 19:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-17 08:45:52 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1175083:

A denial of service issue (resource consumption) was reported in the way file(1) handled strings in 
ELF binaries. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.

Upstream report:

http://mx.gw.com/pipermail/file/2014/001654.html

Upstream fix:

https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

Reference:

http://seclists.org/oss-sec/2014/q4/1067



From https://bugzilla.redhat.com/show_bug.cgi?id=1175082:

A denial of service issue (resource consumption) was reported in the way file(1) processed ELF notes. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.

Upstream report:

http://mx.gw.com/pipermail/file/2014/001653.html

Upstream fix:

https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4

Reference:

http://seclists.org/oss-sec/2014/q4/1067


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2015-01-03 20:58:17 UTC 
The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-04 00:10:09 UTC 
(In reply to Agostino Sarubbo from comment #1)
> The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html

Which is already in the tree. Feel free to start stabilization process.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-09 16:14:16 UTC 
Arches, please test and mark stable:
=sys-apps/file-5.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-09 16:44:01 UTC 
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-11 11:13:54 UTC 
Stable for HPPA.
Comment 6 Andreas Schürch gentoo-dev 2015-01-11 15:20:59 UTC 
x86 done.
Comment 7 Markus Meier gentoo-dev 2015-01-11 21:03:46 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-01-13 10:21:22 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-14 13:51:53 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-01-15 08:40:48 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-16 08:09:49 UTC 
ia64 stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-01-18 02:27:10 UTC 
With only one arch left, filing a new GLSA for writing up.

Will wait on full stabilization before release.
Comment 13 Agostino Sarubbo gentoo-dev 2015-01-25 11:21:57 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-27 12:36:44 UTC 
+  27 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -file-5.17.ebuild,
+  -file-5.19.ebuild, -file-5.20-r1.ebuild, -file-5.21.ebuild,
+  -files/file-5.20-elf-note.patch:
+  Removed vulnerable versions.
+
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-01 02:39:22 UTC 
CVE-2014-9621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9621):
  The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a
  denial of service via a long string.

CVE-2014-9620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9620):
  The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a
  denial of service via a large number of notes.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-03-16 19:44:09 UTC 
This issue was resolved and addressed in
 GLSA 201503-08 at https://security.gentoo.org/glsa/201503-08
by GLSA coordinator Mikle Kolyada (Zlogene).