Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <548FBE54.1030203@redhat.com>
Date: Tue, 16 Dec 2014 16:08:36 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: file(1): multiple denial of service issues (resource consumption),
 CVE-2014-8116 and CVE-2014-8117

Hello,

Thomas Jarosch of Intra2net AG reported a number of denial of service 
issues (resource consumption) in the ELF parser used by file(1). These 
issues were fixed in the 5.21 release of file(1), but by mistake are 
missing from the changelog.

The important commits are:

https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c

There were a few regressions along the way, so the following are also 
all needed:

https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c
https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677
https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686

Please credit "Thomas Jarosch of Intra2net AG".

Details of what CVE is for what:

""
================================================
Please use CVE-2014-8116 for these two:

https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
limit the number of program and section header number of sections to be
http://cwe.mitre.org/data/definitions/400.html
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
Stop reporting bad capabilities after the first few.
http://cwe.mitre.org/data/definitions/400.html
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

================================================
Please use CVE-2014-8117 for this one:

https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c
reduce recursion level from 20 to 10 and make a symbolic constant for it.
http://cwe.mitre.org/data/definitions/674.html
CWE-674: Uncontrolled Recursion
""

Red Hat's bugs (to be opened shortly):

https://bugzilla.redhat.com/show_bug.cgi?id=1171580
https://bugzilla.redhat.com/show_bug.cgi?id=1174606

Regards,

--
Murray McAllister / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.