Date: Tue, 16 Dec 2014 16:08:36 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: file(1): multiple denial of service issues (resource consumption), CVE-2014-8116 and CVE-2014-8117

Hello,

Thomas Jarosch of Intra2net AG reported a number of denial of service issues (resource consumption) in the ELF parser used by file(1). These issues were fixed in the 5.21 release of file(1), but by mistake are missing from the changelog.

The important commits are:

https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c

There were a few regressions along the way, so the following are also all needed:

https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c
https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677
https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686

Please credit "Thomas Jarosch of Intra2net AG".

Details of what CVE is for what:

""
================================================
Please use CVE-2014-8116 for these two:

https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
limit the number of program and section header number of sections to be
http://cwe.mitre.org/data/definitions/400.html
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
Stop reporting bad capabilities after the first few.
http://cwe.mitre.org/data/definitions/400.html
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

================================================
Please use CVE-2014-8117 for this one:

https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c
reduce recursion level from 20 to 10 and make a symbolic constant for it.
http://cwe.mitre.org/data/definitions/674.html
CWE-674: Uncontrolled Recursion
""

Red Hat's bugs (to be opened shortly):
https://bugzilla.redhat.com/show_bug.cgi?id=1171580
https://bugzilla.redhat.com/show_bug.cgi?id=1174606

Regards,
--
Murray McAllister / Red Hat Product Security
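The first CVE-2014-8116 commit caps how many program and section headers the ELF parser is willing to walk. The following is an added illustration of that mitigation pattern written for this page; it is not file(1)'s own source. It reads only the ELF64 little-endian header fields that size the section header table, clamps the attacker-controlled e_shnum to an assumed cap (MAX_SECTIONS, chosen here for illustration) and, separately, refuses a table that does not fit inside the bytes actually present. The sample inputs are constructed in build_sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not file(1)'s code. Elf64_Ehdr field offsets per the ELF64
 * specification; MAX_SECTIONS is an assumed cap for illustration only. */
#define EHDR64_SIZE     64
#define SHDR64_SIZE     64
#define E_SHOFF_OFF     0x28   /* Elf64_Ehdr.e_shoff     */
#define E_SHENTSIZE_OFF 0x3A   /* Elf64_Ehdr.e_shentsize */
#define E_SHNUM_OFF     0x3C   /* Elf64_Ehdr.e_shnum     */
#define MAX_SECTIONS    256    /* assumed cap on headers we will walk */

static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint64_t rd64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns how many section headers should be walked (>= 0), or -1 when the
 * buffer is not a little-endian ELF64 image or the table does not fit in
 * len bytes. *claimed receives e_shnum as stored in the file; *clamped is set
 * to 1 when the cap was applied. Both out-parameters may be NULL. */
int bounded_section_count(const uint8_t *buf, size_t len,
                          uint16_t *claimed, int *clamped) {
    if (len < EHDR64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 2 /* ELFCLASS64 */ || buf[5] != 1 /* ELFDATA2LSB */) return -1;

    uint64_t shoff     = rd64le(buf + E_SHOFF_OFF);
    uint16_t shentsize = rd16le(buf + E_SHENTSIZE_OFF);
    uint16_t shnum     = rd16le(buf + E_SHNUM_OFF);
    if (claimed) *claimed = shnum;
    if (clamped) *clamped = 0;
    if (shentsize != SHDR64_SIZE) return -1;

    /* Defence 1: never loop more than MAX_SECTIONS times, whatever e_shnum says. */
    size_t n = shnum;
    if (n > MAX_SECTIONS) { n = MAX_SECTIONS; if (clamped) *clamped = 1; }

    /* Defence 2: the table must start inside the file and n entries must fit
     * after it. Compare against the remaining length rather than computing
     * shoff + n * size, so a huge e_shoff cannot wrap the arithmetic. */
    if (shoff > len || (uint64_t)n * SHDR64_SIZE > len - shoff) return -1;
    return (int)n;
}

/* Constructed sample: a minimal ELF64 LE header at offset 0 followed by
 * table_entries zeroed section headers at e_shoff = 64. e_shnum is set to
 * whatever the caller asks for, so it can disagree with the real table size.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t shnum, size_t table_entries) {
    size_t total = EHDR64_SIZE + table_entries * SHDR64_SIZE;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;          /* EI_CLASS, EI_DATA, EI_VERSION */
    buf[0x10] = 1;                                /* e_type    = ET_REL       */
    buf[0x12] = 0x3E;                             /* e_machine = EM_X86_64    */
    buf[0x34] = EHDR64_SIZE;                      /* e_ehsize                 */
    buf[E_SHOFF_OFF] = EHDR64_SIZE;               /* e_shoff = 64             */
    buf[E_SHENTSIZE_OFF] = SHDR64_SIZE;           /* e_shentsize = 64         */
    buf[E_SHNUM_OFF]     = (uint8_t)(shnum & 0xFF);
    buf[E_SHNUM_OFF + 1] = (uint8_t)(shnum >> 8);
    return total;
}

/* Convenience wrappers: build one constructed sample and run the check. */
int demo_case(uint16_t shnum, size_t table_entries) {
    static uint8_t buf[EHDR64_SIZE + 300 * SHDR64_SIZE];
    size_t len = build_sample(buf, sizeof buf, shnum, table_entries);
    return bounded_section_count(buf, len, NULL, NULL);
}

int demo_clamped(uint16_t shnum, size_t table_entries) {
    static uint8_t buf[EHDR64_SIZE + 300 * SHDR64_SIZE];
    int clamped = 0;
    size_t len = build_sample(buf, sizeof buf, shnum, table_entries);
    bounded_section_count(buf, len, NULL, &clamped);
    return clamped;
}

int main(void) {
    /* A file claiming 65535 section headers but carrying 300 is walked for
     * only MAX_SECTIONS of them; a file whose table overruns EOF is rejected. */
    printf("claimed 65535, walk %d (clamped=%d)\n", demo_case(0xFFFF, 300), demo_clamped(0xFFFF, 300));
    printf("claimed 10 with 5 present -> %d\n", demo_case(10, 5));
    return 0;
}
```

The two checks are independent on purpose: the cap bounds work even when the table is present and well-formed, and the fit check catches a header count the file cannot back regardless of how small the cap is.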