Stack smashing bug in file/src/readelf.c:donote() mentioned in file's changelog does not look so harmless. --- file-4.10/ChangeLog 2004-07-25 00:38:54 +0400 +++ file-4.12/ChangeLog 2004-11-24 20:39:06 +0300 @@ -1,3 +1,30 @@ +2004-11-24 12:39 Christos Zoulas <christos@zoulas.com> + + * Stack smash fix, and ELF more conservative reading. + Jakub Bogusz <qboosh@pld-linux.org> + +2004-11-20 18:50 Christos Zoulas <christos@zoulas.com> + + * New FreeBSD version parsing code: + Jon Noack <noackjr@alumni.rice.edu> + + * Hackish support for ucs16 strings <christos@zoulas.com> + +2004-11-13 03:07 Christos Zoulas <christos@zoulas.com> + + * print the file name and line number in syntax errors. + +2004 10-12 10:50 Christos Zoulas <christos@zoulas.com> + + * Fix stack overwriting on 0 length strings: Tim Waugh + <twaugh@redhat.com> Ned Ludd <solar@gentoo.org> + +2004-09-27 11:30 Christos Zoulas <christos@zoulas.com> + + * Remove 3rd and 4th copyright clause; approved by Ian Darwin. + + * Fix small memory leaks; caught by: Tamas Sarlos + <stamas@csillag.ilab.sztaki.hu> 2004-07-24 16:33 Christos Zoulas <christos@zoulas.com>
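Review bot: the entry dated `2004 10-12 10:50` is missing the hyphen between year and month; write it `2004-10-12 10:50` so it matches the other entries and tools that parse the ChangeLog by date. Also, the 2004-11-24 entry says only "Stack smash fix, and ELF more conservative reading" without naming the affected file or function; since the concern raised above is readelf.c:donote(), consider adding that to the entry so the fix can be matched to the advisory without reading the source diff.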
I've already put a new one of these in the tree as ~arch-all
Waiting for a public disclosure date.
looks public http://securitytracker.com/alerts/2004/Dec/1012433.html

'File' Stack Overflow in Processing ELF Headers May Permit Arbitrary Code Execution
SecurityTracker Alert ID: 1012433
SecurityTracker URL: http://securitytracker.com/id?1012433
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 6 2004
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network
Version(s): prior to 4.12
Description: A vulnerability was reported in 'file'. A user may be able to execute arbitrary code on the target system.
Trustix reported a vulnerability in the ELF header parsing code in 'file'. A user may be able to create a specially crafted ELF file that, when processed using 'file', may be able to modify the stack and potentially execute arbitrary code.
Impact: A user may be able to execute arbitrary code on the target system.
Solution: No solution was available at the time of this entry.
Cause: Not specified
Underlying OS: Linux (Any), UNIX (Any)
Arches please mark 4.12 stable. Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86" Note to sh: no arch alias exists so someone (vapier?) please mark it sh.
sparc stable.
stable on amd64
stable on x86
ppc stable.
mips can't stable this revision unless we can get the file-4.xx-mips-gentoo.diff patch to apply, otherwise, file gives bad output on mips systems that mess up configure scripts. The interesting thing is, the patch applies fine outside of portage, but applying within the ebuild, the dry-run sweep creates .orig files that cause epatch to fail on the second pass. We got a workaround for this?
Alpha stable.
Okay, disregard Comment #9; seems the patch we use is responsible for the .orig file breaking things. Will fix && stabilize in the morning.
Stable on mips.
Stable on hppa.
ppc64 please mark stable so that the GLSA can go out.
stable on ppc64
stable for everyone else now too
GLSA 200412-07 thanks everyone
lta Magdir/xenix Magdir/xo65 Magdir/xwindows Magdir/zilog Magdir/zyxel; do \
  if test -f ./$frag; then \
    f=./$frag; \
  else \
    f=$frag; \
  fi; \
  cat $f; \
done >> magic
/usr/bin/file -C -m magic
WARNING: type lestring16 >0 Description: %15.15s invalid
file: could not find any magic files!
make[2]: *** [magic.mgc] Error 255
make[2]: Leaving directory `/usr/tmp/portage/file-4.12/work/file-4.12/magic'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/tmp/portage/file-4.12/work/file-4.12'
make: *** [all] Error 2

!!! ERROR: sys-apps/file-4.12 failed.
!!! Function src_compile, Line 51, Exitcode 2
!!! emake failed
!!! If you need support, post the topmost build error, NOT this status message.

Portage 2.0.51-r3 (hardened/x86, gcc-3.3.2, glibc-2.3.2-r12, 2.4.27-grsec-2.0.1 i686)
=================================================================
System uname: 2.4.27-grsec-2.0.1 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.3
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -mcpu=pentium3 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -mcpu=pentium3 -O2 -pipe"
DISTDIR="/usr/local/download/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/usr/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/download/portage"
SYNC="rsync://rsync14.us.gentoo.org/gentoo-portage"
USE="X509 aalib acl apache2 bcmath berkdb bzlib calendar chroot clamav cpdflib crypt cscope ctype curl curlwrappers dba dbase dbm dbx dio dlloader doc emacs emacs-w3 exif ext-png ext-zlib fam filepro flash flatfile freetds ftp gd gdbm gif gpm guile hardened iconv idea imagemagick imap informix innodb ipalias java javamail javascript jdepend jikes jpeg justify kerberos krb4 lcms libedit libwww maildir mcal mdb mhash migemo mime mmx mnogosearch motif msession mysql mysqli nagios-dns nagios-ntp nagios-ping nagios-ssh ncurses nis nls oav oci8 odbc pam parse-clocks pcntl pdflib perl pg-hier pg-intdatetime pg-vacuumdelay php pic pie plotutils png pnp posix postgres prelude propolice python readline recode ruby samba sasl session sharedmem simplexml skey slang snmp soap sockets spell spl sqlite sse ssl svg sysvipc tcpd tetex tidy tiff tokenizer truetype usb virus-scan wddx wmf x86 xchatnogtk xchattext xface xml xml2 xmlrpc xpm xsl yaz zeo zlib"

sys-apps/file-4.06 is the currently installed version... I'll test out others...
learn to use bugzilla :P (error filed as Bug 73786)
vapier: That bug is preventing this security bug from being resolved (regardless of whether or not you mark it 'RESOLVED'), because a secure package is not available to our users who can't emerge it. That bug should have been resolved before this was marked stable.
eradicator: I agree this should have been fixed before if we were alerted to the fact that there was a bug.
bug #73786: 2004-12-08 04:17 PST GLSA: 2004-12-13 14:47 PST The bug was filed 5 days before the GLSA was announced. base-system should have mentioned this problem here and dealt with it so the GLSA could be released...
eradicator: you're right however base-system is not on this bug and security were only just alerted: Tue Dec 14 07:35:43 2004
http://bugs.gentoo.org/show_bug.cgi?id=72521

eradicator@gentoo.org changed:
What              | Removed | Added
------------------|---------|------
BugsThisDependsOn |         | 73786