Bug 629872 (CVE-2017-1000249) - <sys-apps/file-5.32: stack based buffer overflow
Summary: <sys-apps/file-5.32: stack based buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2017-1000249
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Duplicates: 630732
Depends on:
Blocks:
 
Reported: 2017-09-04 12:04 UTC by Kristian Fiskerstrand
Modified: 2017-10-08 13:27 UTC (History)
CC List: 3 users

See Also:
Package list:
=sys-apps/file-5.32
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2017-09-04 12:04:08 UTC
** EMBARGOED CONFIDENTIAL 2017-09-05 **

first affected version is file 5.29, released on 2016-10-25.
It is fixed in 5.32 

##
Tentative CVE description

[PRODUCT]: file
[VERSION]: file() after commit 9611f31313a93aa036389c5f3b15eea53510d4d1
(Oct 2016) Can you provide an actual release #?
[PROBLEMTYPE]: CWE-121
[REFERENCES]:
https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793
https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1
[DESCRIPTION]: An issue in file() was introduced in commit
9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker
overwrite a fixed 20 bytes stack buffer with a specially crafted .notes
section in an ELF binary. There are systems like amavisd-new that
automatically run file(1) on every email attachment, so let's hope
people compile with -fstack-protector in place and it holds. This was
fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
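Added illustration of the bug class named in the CVE text above (a 20-byte stack buffer filled from an attacker-chosen note descriptor length). This is constructed example code written for this page, not file(1)'s readelf.c and not the upstream patch; the note layout follows the ELF Nhdr format (namesz, descsz, type, then 4-byte-aligned name and descriptor), NT_GNU_BUILD_ID = 3 is the real constant, and all function names are the example's own. The vulnerable predicate is modeled on the one-operator mistake corrected in the referenced fix commit (an `||` where `&&` was intended) and is kept as a pure check so the program never overflows its own stack; the parser beside it shows the bounds a note reader needs before any memcpy into a fixed buffer.

```c
/* Constructed example: GNU build-id note parsing with a fixed 20-byte buffer.
 * Not file(1)'s code; names, layout and helpers are the example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_GNU_BUILD_ID 3      /* real ELF note type for the GNU build-id */
#define BUILD_ID_MAX    20     /* the fixed stack buffer size named in the CVE text */

/* ELF note fields are padded to 4-byte boundaries. */
static uint32_t align4(uint32_t n) { return (n + 3u) & ~3u; }

/* Little-endian 32-bit helpers; the example fixes LE so the constructed
 * input is unambiguous (real notes use the ELF file's byte order). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Broken range check: with "||" every 32-bit descsz passes, since any value
 * is either >= 4 or <= 20.  A memcpy guarded by this into a 20-byte buffer
 * is the overflow.  Kept as a predicate only; nothing here copies with it. */
int vulnerable_descsz_ok(uint32_t descsz) {
    return descsz >= 4 || descsz <= 20;
}

/* Corrected check: both bounds must hold. */
int fixed_descsz_ok(uint32_t descsz) {
    return descsz >= 4 && descsz <= 20;
}

/* Build one note (header + "GNU" name + descriptor) into buf, filling the
 * descriptor with 0xAB as a marker.  Returns total size, 0 if cap too small.
 * Passing descsz > 20 yields the kind of crafted note the CVE describes. */
size_t make_build_id_note(uint8_t *buf, size_t cap, uint32_t descsz) {
    const char name[] = "GNU";            /* namesz counts the NUL: 4 */
    uint32_t namesz = sizeof name;
    size_t total = 12 + align4(namesz) + align4(descsz);
    if (total > cap) return 0;
    memset(buf, 0, total);
    wr32(buf + 0, namesz);
    wr32(buf + 4, descsz);
    wr32(buf + 8, NT_GNU_BUILD_ID);
    memcpy(buf + 12, name, namesz);
    memset(buf + 12 + align4(namesz), 0xAB, descsz);
    return total;
}

/* Parse one note; if it is a GNU build-id, copy the descriptor into the
 * caller's 20-byte buffer.  Returns bytes copied, or -1 when the note is
 * truncated, not a build-id, or has an out-of-range descsz.  Every length is
 * checked against the bytes actually available before anything is copied. */
int parse_build_id_note(const uint8_t *buf, size_t len, uint8_t out[BUILD_ID_MAX]) {
    if (len < 12) return -1;                          /* header does not fit */
    uint32_t namesz = rd32(buf + 0);
    uint32_t descsz = rd32(buf + 4);
    uint32_t type   = rd32(buf + 8);
    if (namesz > len - 12) return -1;                 /* name does not fit */
    size_t noff = 12, doff = 12 + align4(namesz);
    if (doff > len || descsz > len - doff) return -1; /* desc does not fit */
    if (type != NT_GNU_BUILD_ID) return -1;
    if (namesz != 4 || memcmp(buf + noff, "GNU", 4) != 0) return -1;
    if (!fixed_descsz_ok(descsz)) return -1;          /* the missing upper bound */
    memcpy(out, buf + doff, descsz);                  /* now at most 20 bytes */
    return (int)descsz;
}

int main(void) {
    uint8_t note[128], id[BUILD_ID_MAX];
    size_t n = make_build_id_note(note, sizeof note, 64);   /* crafted: 64 > 20 */
    printf("descsz=64: vulnerable check says %s, fixed check says %s\n",
           vulnerable_descsz_ok(64) ? "accept" : "reject",
           fixed_descsz_ok(64) ? "accept" : "reject");
    printf("hardened parser result: %d\n", parse_build_id_note(note, n, id));
    return 0;
}
```

A crafted note with descsz = 64 passes the `||` check (as does descsz = 0, or 0xffffffff) and would write 44 bytes past a 20-byte buffer; the `&&` check and the explicit length-vs-buffer comparisons reject it before any copy. Note that a correct range check alone is not enough: the parser also refuses a note whose header claims more descriptor bytes than the input actually contains.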
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2017-09-05 16:31:48 UTC
Public in http://www.openwall.com/lists/oss-security/2017/09/05/3
Comment 2 D'juan McDonald (domhnall) 2017-09-11 20:56:00 UTC
*** Bug 630732 has been marked as a duplicate of this bug. ***
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-11 22:50:58 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2017-09-16 14:52:19 UTC
@maintainer: ping for stabilization decision
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-09-22 23:49:21 UTC
<base-system hat>
@ Arches,

please test and mark stable: =sys-apps/file-5.32
</base-system hat>
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-09-22 23:51:01 UTC
x86 stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-23 13:07:07 UTC
ia64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-09-23 19:01:46 UTC
hppa stable
Comment 9 Sergei Trofimovich gentoo-dev 2017-09-23 19:39:54 UTC
ppc64 stable
Comment 10 Sergei Trofimovich gentoo-dev 2017-09-24 18:50:59 UTC
ppc stable
Comment 11 Tobias Klausmann gentoo-dev 2017-09-26 09:33:45 UTC
Stable on alpha.
Comment 12 Manuel Rüger gentoo-dev 2017-09-26 22:29:03 UTC
amd64 stable
Comment 13 Markus Meier gentoo-dev 2017-09-29 04:54:14 UTC
arm stable, tested by Yury German
Comment 14 Markus Meier gentoo-dev 2017-09-29 04:55:34 UTC
all arches done.
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-29 15:26:02 UTC
Thank you all,

@Maintainers please proceed to remove vulnerable versions.

Gentoo Security Padawan
ChrisADR
Comment 16 Thomas Deutschmann gentoo-dev Security 2017-09-30 15:16:30 UTC
Old vulnerable ebuilds dropped.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 13:27:24 UTC
This issue was resolved and addressed in
 GLSA 201710-02 at https://security.gentoo.org/glsa/201710-02
by GLSA coordinator Aaron Bauman (b-man).