Date: Tue, 05 Sep 2017 18:24:24 +0200
From: Thomas Jarosch <thomas.jarosch@...ra2net.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-1000249: file: stack based buffer overflow

Hello oss security,

file(1) versions 5.29, 5.30 and 5.31 contain a stack based buffer overflow
when parsing a specially crafted input file.

The issue lets an attacker overwrite a fixed 20 bytes stack buffer
with a specially crafted .notes section in an ELF binary file.

There are systems like amavisd-new that automatically run file(1)
on every email attachment. To prevent an automated exploit by email,
another layer of protection like -fstack-protector is needed.

Upstream fix:
https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793

The issue was introduced with this code change in October 2016:
https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1

file-5.32 has been released including the fix:
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz.asc

[An official release announcement on the file mailinglist will follow
once a temporary outage of the mailinglist is solved]

The cppcheck tool helped to discover the issue:

----
[readelf.c:514]: (warning) Logical disjunction always evaluates to true: descsz >= 4 || descsz <= 20.
----

Credits:
The issue has been found by Thomas Jarosch of Intra2net AG.
Code fix and new release provided by Christos Zoulas.

Fixed packages from distributions should start to be available soon.

Timeline (key entries):
2017-08-26: Notified the maintainer Christos Zoulas
2017-08-27: Christos pushed a fix to CVS / git with innocent looking commit message
2017-08-28: Notified Redhat security team to coordinate release and request CVE ID.
            Redhat responds it's better to directly contact the distros list instead through them.
2017-09-01: Notified distros mailinglist, asking for CVE ID and requesting embargo until 2017-09-08
2017-09-01: CVE-2017-1000249 ID is assigned
2017-09-04: After discussion that the issue is semi-public already, moved embargo date to 2017-09-05
2017-09-05: Public release

Best regards,
Thomas Jarosch / Intra2net AG

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
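
The cppcheck finding quoted in the message above, worked through as an added example (not code from the original post or from the file project): the disjunction accepts every length, so it cannot protect a 20-byte buffer, while a conjunction plus input-bounds checks can. The function names, the conjunction form of the range check, and the sample note bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_MAX 20 /* size of the fixed stack buffer named in the advisory */

/* Condition exactly as quoted in the cppcheck warning: true for every value. */
static int len_ok_flawed(uint32_t descsz) { return descsz >= 4 || descsz <= 20; }

/* Range check the warning points to (assumed form: a conjunction). */
static int len_ok_fixed(uint32_t descsz) { return descsz >= 4 && descsz <= 20; }

/* Read a little-endian 32-bit word. */
static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Hypothetical helper: copy the descriptor of one ELF note (header words
 * namesz, descsz, type; name padded to 4 bytes) into out[DESC_MAX].
 * Returns the number of bytes copied, or -1 if the note is rejected.
 */
static int copy_note_desc(const uint8_t *buf, size_t len, uint8_t out[DESC_MAX])
{
    if (len < 12)
        return -1;
    uint32_t namesz = rd32(buf), descsz = rd32(buf + 4);
    if (!len_ok_fixed(descsz))             /* never larger than out[] */
        return -1;
    if (namesz > len - 12)                 /* name must fit in the input */
        return -1;
    size_t doff = 12 + (((size_t)namesz + 3) & ~(size_t)3);
    if (doff > len || descsz > len - doff) /* descriptor must fit too */
        return -1;
    memcpy(out, buf + doff, descsz);
    return (int)descsz;
}

int main(void)
{
    /* Constructed note: namesz=4 ("GNU\0"), descsz=64, type=3, 64 desc bytes. */
    uint8_t note[12 + 4 + 64] = { 4,0,0,0, 64,0,0,0, 3,0,0,0, 'G','N','U',0 };
    uint8_t out[DESC_MAX];
    printf("flawed accepts 64: %d, fixed accepts 64: %d, copy: %d\n",
           len_ok_flawed(64), len_ok_fixed(64), copy_note_desc(note, sizeof note, out));
    return 0;
}
```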