Bugzilla – Bug 864589
VUL-0: CVE-2014-1943: file: infinite recursion
Last modified: 2016-04-27 20:01:59 UTC
CVE-2014-1943 A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code. References: https://bugzilla.redhat.com/show_bug.cgi?id=1065836 https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
What was the reason to ignore my own report? *** This bug has been marked as a duplicate of bug 864343 ***
bugbot adjusting priority
SR #224613 for openSUSE 13.1 - Add the upstream patches 0001-count-indirect-recursion-as-recursion.patch 0001-prevent-infinite-recursion.patch to solve bnc#864589 - CVE-2014-1943: file: infinite recursion
Hmm ... the file package of openSUSE 12.3 as well as for SLES11 seems not to be afftected as there is no recursion. That is that https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 can not be applied. Only the simple overflow check of https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f can be ported back.
SR #224615 for openSUSE 12.3 - Port the upstream patch 0001-count-indirect-recursion-as-recursion.patch back to avoid overflow, related to bnc#864589 as file-5.11 does not do a recursive match detection
This is an autogenerated message for OBS integration: This bug (864589) was mentioned in https://build.opensuse.org/request/show/224613 13.1 / file https://build.opensuse.org/request/show/224615 12.3 / file
The file-4.21 found in SLES10-SP4 is not affected as file_softmagic() is not called in mget() in file-4.21/src/softmagic.c, that is there is no FILE_INDIRECT case.
The file-4.24 found in SLES11-SP3 is not affected as file_softmagic() is not called in mget() in file-4.24/src/softmagic.c, that is there is no FILE_INDIRECT case.
For openSUSE 12.3 and 13.1 I've submitted
This is an autogenerated message for OBS integration: This bug (864589) was mentioned in https://build.opensuse.org/request/show/224629 13.1 / file https://build.opensuse.org/request/show/224630 12.3 / file
This is an autogenerated message for OBS integration: This bug (864589) was mentioned in https://build.opensuse.org/request/show/224639 13.1 / file https://build.opensuse.org/request/show/224644 12.3 / file
openSUSE-SU-2014:0364-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 864589,866750 CVE References: CVE-2014-1943,CVE-2014-2270 Sources used: openSUSE 13.1 (src): file-5.15-4.10.1, python-magic-5.15-4.10.1 openSUSE 12.3 (src): file-5.11-12.6.1, python-magic-5.11-12.6.1
openSUSE-SU-2014:0367-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 864589,866750 CVE References: CVE-2014-1943,CVE-2014-2270 Sources used: openSUSE 11.4 (src): file-5.04-16.1, python-magic-5.04-16.1