Debian Bug report logs -
#703993
file: possible DoS in awk magic
Reported by: Carsten Wolff <carsten@wolffcarsten.de>
Date: Tue, 26 Mar 2013 14:48:02 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in versions file/5.11-2, file/1:5.11-2.1, file/5.04-5+squeeze2
Fixed in versions file/1:5.17-0.1, file/5.11-2+deb7u2, file/5.04-5+squeeze4
Done: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Bug is archived. No further changes may be made.
Forwarded to http://bugs.gw.com/view.php?id=164
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#703993; Package file.
(Tue, 26 Mar 2013 14:48:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Carsten Wolff <carsten@wolffcarsten.de>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>.
(Tue, 26 Mar 2013 14:48:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: file
Version: 5.04-5+squeeze2
Severity: important
Tags: security, patch
Hi,
there's a DoS risk in the magic for awk scripts, which causes excessive
runtimes of `file` on files which cause lots of backtracking in the regex
engine, like files with many, many newlines:
# dd ibs=1000000 count=1 if=/dev/zero | tr '\0' '\n' > newlines
# time file newlines
newlines: ASCII text
real 3m51.005s
user 3m50.418s
sys 0m0.124s
There is a bugreport and Patch at the upstream bugtracker:
http://bugs.gw.com/view.php?id=164
In Squeeze, the culprit awk-magic comes from debian/patches/101-magic-update-
awk.patch. In wheezy, sid and experimental, the regex is part of upstream's
magic/Magdir/commands.
Cheers,
Carsten
-- System Information:
Debian Release: 6.0.7
APT prefers stable
APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages file depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libmagic1 5.04-5+squeeze2 File type determination library us
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
file recommends no packages.
file suggests no packages.
-- no debconf information
Marked as found in versions file/5.11-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 27 Mar 2013 05:51:04 GMT) (full text, mbox, link).
Marked as found in versions file/1:5.11-2.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 27 Mar 2013 05:51:05 GMT) (full text, mbox, link).
Marked as fixed in versions file/1:5.17-0.1.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Tue, 25 Feb 2014 22:24:04 GMT) (full text, mbox, link).
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 04 Mar 2014 21:00:11 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 04 Mar 2014 21:00:15 GMT) (full text, mbox, link).
Notification sent
to Carsten Wolff <carsten@wolffcarsten.de>:
Bug acknowledged by developer.
(Tue, 04 Mar 2014 21:00:16 GMT) (full text, mbox, link).
Message sent on
to Carsten Wolff <carsten@wolffcarsten.de>:
Bug#703993.
(Tue, 04 Mar 2014 21:00:19 GMT) (full text, mbox, link).
Message #22 received at 703993-submitter@bugs.debian.org (full text, mbox, reply):
close 703993 1:5.17-0.1
thanks
https://github.com/glensc/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c is contained in 1:5.17-0.1
Reply sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility.
(Sun, 16 Mar 2014 19:51:11 GMT) (full text, mbox, link).
Notification sent
to Carsten Wolff <carsten@wolffcarsten.de>:
Bug acknowledged by developer.
(Sun, 16 Mar 2014 19:51:11 GMT) (full text, mbox, link).
Message #27 received at 703993-close@bugs.debian.org (full text, mbox, reply):
Source: file
Source-Version: 5.11-2+deb7u2
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 703993@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated file package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Mar 2014 22:48:58 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.11-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@progress-technologies.net>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library using "magic" numbers (developmen
libmagic1 - File type determination library using "magic" numbers
python-magic - File type determination library using "magic" numbers (Python bin
python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 703993
Changes:
file (5.11-2+deb7u2) wheezy-security; urgency=high
.
* Backport upstream commit FILE5_14-2-gef2329c:
limit [awk detection] to 100 repetitions to avoid excessive
backtracking. Closes: #703993
* Backport upstream commit FILE5_16-24-g4475585 and
FILE5_17-20-g70c65d2:
Check properly for exceeding the offset. (CVE-2014-2270)
Checksums-Sha1:
cb8f402694a8b6fbbd5071b137ce1eb4bd1674a9 1999 file_5.11-2+deb7u2.dsc
52f68e2c3163978c04a96c6107d71aa7c996583c 26672 file_5.11-2+deb7u2.debian.tar.xz
d6218833bf832c77dca0f99a26d95444056a2101 52056 file_5.11-2+deb7u2_amd64.deb
423bb55f8ee818d755da9d8643331a82cceb7598 202228 libmagic1_5.11-2+deb7u2_amd64.deb
680806a1242adbaa360e4c21b2253d8aa6ac07d7 91964 libmagic-dev_5.11-2+deb7u2_amd64.deb
8d42beb48bbeb5e83b41ca63072975edc094d7f3 38554 python-magic_5.11-2+deb7u2_amd64.deb
b26eea7d8e41a23c791c1cceb5fc95e9c3c67802 936 python-magic-dbg_5.11-2+deb7u2_amd64.deb
Checksums-Sha256:
308cbdf4b9230cf62e9af54b8ccb8e629eb733f6c5e1c4e0532c357fe872a708 1999 file_5.11-2+deb7u2.dsc
241d61ae3b17a8b9572a5c6aa1ae66ff6de6a2aae4accff4afcc9e81dab3651c 26672 file_5.11-2+deb7u2.debian.tar.xz
23a1cff9044c10424e373ccc0f2e391c15c0ec00e2e852096f457fb9bd82fdd7 52056 file_5.11-2+deb7u2_amd64.deb
4077cea33c1fb965468e0a5c501f40bef992787979748ef4985a960823e7ce61 202228 libmagic1_5.11-2+deb7u2_amd64.deb
06be2bbd2503904315b8ad788d474851d06e1b97d71a4b9891611619a41f4325 91964 libmagic-dev_5.11-2+deb7u2_amd64.deb
db2fe370759d42a33c22153d8e316a0d172d981d48372fd4930f63ad6ff8d2b7 38554 python-magic_5.11-2+deb7u2_amd64.deb
3eb0f040fa22446d5ba8c66cabca01c8fe3cdadfe2f7d99b64088ff15b282b45 936 python-magic-dbg_5.11-2+deb7u2_amd64.deb
Files:
67f6b6cb15e7e13e3416e5c8de38828b 1999 utils standard file_5.11-2+deb7u2.dsc
7650ffeb29a3712f3f5c5fcd1a3de6c5 26672 utils standard file_5.11-2+deb7u2.debian.tar.xz
c4794a96c2bdbdd775dcf9930a469e84 52056 utils standard file_5.11-2+deb7u2_amd64.deb
5d0a99ee95ce4a6c7981004d3ce503fc 202228 libs standard libmagic1_5.11-2+deb7u2_amd64.deb
a1f6c5f1641e27a850da7540408f3216 91964 libdevel optional libmagic-dev_5.11-2+deb7u2_amd64.deb
290d20da45bfcb639ba6fd9544da8e1e 38554 python extra python-magic_5.11-2+deb7u2_amd64.deb
748fe5c584fb9e27e40c717636df3105 936 debug extra python-magic-dbg_5.11-2+deb7u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTHIvAAAoJEAVMuPMTQ89EUCQQAI0sjI61w373hCodwIMa54Nt
xaDKj3rEnv610Ho7W+g6wUFAUDEJkycJx23NYCeadPiuE9ejkaIYPuplsIEe66Ys
5SBr+3kQKg6zNo3H0mbK805KFyBV8eQzhzotp8NK0himV7w4LsgglCaOknxVNLjI
ud7WbUgneLmhPQTOtsFMH+QoijW50Nz2AQUbmoYQhdPBpUC+ac//JjsCgkiKz/l8
2sa8h8y+tw/ScDM6GIkfq3y11sFUXWrHsOf6B0DzaM6c9TFXLs2nxDy5ne/XMFsZ
276dL0+TbC37XgwBpllENplXilJ+vMjxxmD06mxZ9cspkKGNXwtDtwSnQwop1fIz
A438rcfBX43pi3fiwZaxDXpowPOteE1a4I6NoMzYKnFbFI+256X1gNBA/pzc0Drc
Nfh+eMIqgEzfhV+bM3Vzz08qO0QScqTN4LN7tiziAQGR0m/dAhoeAWuEk1dsynWh
3Wc+qKqbwVy+IsXwlpOXCd/285ij6iHgKPTI1B1y3oZaz+AjME3GhVqrohk2iHr3
R3crIfULBKlgfjAaBdSovXiD4Og8bnhWRckHeDoVttZSaMWOhdIbKeosNuSoHiMO
Fcukgtm91Wbv5WLrrGDqqScpwfA1Vu2z7aLA85qnVjiQh/LAVf7Xc1Q3D2CKZtH4
M4BWTlygstrM1euocAD+
=azzH
-----END PGP SIGNATURE-----
Reply sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility.
(Sun, 16 Mar 2014 19:51:15 GMT) (full text, mbox, link).
Notification sent
to Carsten Wolff <carsten@wolffcarsten.de>:
Bug acknowledged by developer.
(Sun, 16 Mar 2014 19:51:15 GMT) (full text, mbox, link).
Message #32 received at 703993-close@bugs.debian.org (full text, mbox, reply):
Source: file
Source-Version: 5.04-5+squeeze4
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 703993@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated file package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Mar 2014 22:41:59 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.04-5+squeeze4
Distribution: squeeze-security
Urgency: high
Maintainer: Daniel Baumann <daniel@lists.debian-maintainers.org>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library using "magic" numbers (developmen
libmagic1 - File type determination library using "magic" numbers
python-magic - File type determination library using "magic" numbers (Python bin
python-magic-dbg - File type determination library using "magic" numbers (Python bin
Closes: 703993
Changes:
file (5.04-5+squeeze4) squeeze-security; urgency=high
.
* Backport upstream commit FILE5_14-2-gef2329c:
limit [awk detection] to 100 repetitions to avoid excessive
backtracking. Closes: #703993
* Backport upstream commit FILE5_04-2-g0d74a0e:
fix segv from loop overrun
* Backport upstream commit FILE5_04-47-gb05926f:
Use '%s' format to print untrusted string.
* Backport upstream commit FILE5_16-24-g4475585 and
FILE5_17-20-g70c65d2:
Check properly for exceeding the offset. (CVE-2014-2270)
Checksums-Sha1:
79fcc1a87198d41b8be909a693f24ccddf6e42df 2031 file_5.04-5+squeeze4.dsc
b4919c07d28b4ce5b442948cc2170961ae74f9c3 65275 file_5.04-5+squeeze4.diff.gz
757e0bd2c230612248a78bf24cceb70c3e4edf30 50244 file_5.04-5+squeeze4_amd64.deb
00ad0b40e003cf0cab559729dbc1519b2024f208 235682 libmagic1_5.04-5+squeeze4_amd64.deb
261094d21a58fedea164decf1ba58a9f78c38215 108528 libmagic-dev_5.04-5+squeeze4_amd64.deb
03899b2131a65d716d29ad525f49c40e9fe42574 38856 python-magic_5.04-5+squeeze4_amd64.deb
5a44520eb5dddf4cd3680e3892ab73e8988cad08 32456 python-magic-dbg_5.04-5+squeeze4_amd64.deb
Checksums-Sha256:
a0314f2debcca78143bf5acf210b26d09d61a5a50e638f91f372bf665f9238c2 2031 file_5.04-5+squeeze4.dsc
b388f4fccd9fcbf324df0f2ce1f2fd2a3bd1ea0f4a0bf04f767655966e0c65c4 65275 file_5.04-5+squeeze4.diff.gz
315837d00da9209ba11ab42599ab7d90108e3ef53e884070920c9fa39f48e7ff 50244 file_5.04-5+squeeze4_amd64.deb
3513d66e3254f579a026d6827f9b90278ac1b958f95584636ac92f3f785dbdfe 235682 libmagic1_5.04-5+squeeze4_amd64.deb
6e4c29bd2275cc3731cc8618d706d97ce57f1159d26ca4bdc1e9d5d3f6d7362a 108528 libmagic-dev_5.04-5+squeeze4_amd64.deb
af3a88dd39cf0efb36a686cd8badef0c04f1eb83d60a83698ab5f9c891337824 38856 python-magic_5.04-5+squeeze4_amd64.deb
6ae1edeb492143c2330fc2b4b425cf80e164de468c8688cf2a750e1ac14b9356 32456 python-magic-dbg_5.04-5+squeeze4_amd64.deb
Files:
a8f230d66f6b7c7e53eff0fc98204d50 2031 utils standard file_5.04-5+squeeze4.dsc
b51f978aaed65da1597d8f9abeb47408 65275 utils standard file_5.04-5+squeeze4.diff.gz
069e458c1bdc29f8cfe47fabafb0f394 50244 utils standard file_5.04-5+squeeze4_amd64.deb
6b7bc299c6e1531f550dafcd354084ce 235682 libs standard libmagic1_5.04-5+squeeze4_amd64.deb
083eed03a4810ebde59928fa1422f334 108528 libdevel optional libmagic-dev_5.04-5+squeeze4_amd64.deb
0e20b7772b1a4a0eac1f310696af35bb 38856 python extra python-magic_5.04-5+squeeze4_amd64.deb
1eaeaabb01851507dd8957ef96969a98 32456 debug extra python-magic-dbg_5.04-5+squeeze4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTHJw5AAoJEAVMuPMTQ89EA8oP/1IPyUEudIneF9hGQypLpUVs
ZLkOsFyxe87L+Vz7Rfk3aOdw7sdfXzHeZ219u7N3WGeQhCxjaP1U5IoU1VzQ3FT6
7urd2qxM2quH+ktxOrTNJm2wLTI8gWtbck4ulGil/qp0pM/kZPOa3n/WoCAweap6
tAHjLyh6vZoW5Yu7J8sTaFhmuwzgF5U6pTTAJk2DpL3YmxesX8yzKfASIL+lBkUK
b8NCLqaThw9/9NA356Bxzfsgy8aHvMQ8NPCgu0j6y0GZlqLlCEEC+o8Bei9Fj240
x5F2LSiNPVLNTp4WJUMPjuIdJ1h8BaoMmaIMzMpJDL6QRM5o6er3h4fkuEoxly8b
1YM9CCwrKTSXXBdzEWQffCb2zxLAvvKAnK9redV1BNHSVCebhYiM/IsPaOyqBs/t
YaUP/ZzYW/vOggGDai8NQlwyjXalQAcRBrtIyUjd2ShuqowvUUfvgqU+P8BnIPtk
4X+f16jpuDc9kso8KKtL+fWod2uZzRTKNybi829KQajlEU8TFFJgwDMdHkRDyNdf
31vQ4O6+6OdT+cWsTE0ijF9lihy0BaTXkn2mUQUrZzk9cfhoiey1E55cGNpEn161
JaNDO3E7l6ZQS4WeR5A+1zIsR58E6KhaUS5inhn9Ez4Cadqs7c/F3isJQ39qxKrr
CLv3h/s681cpmG/NGsmt
=jxD8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Apr 2014 07:31:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:38:21 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon