Date: Tue, 05 Sep 2017 18:24:24 +0200
From: Thomas Jarosch <thomas.jarosch@...ra2net.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-1000249: file: stack-based buffer overflow

Hello oss security,

file(1) versions 5.29, 5.30 and 5.31 contain a stack-based
buffer overflow when parsing a specially crafted input file.

The issue lets an attacker overwrite a fixed 20-byte stack buffer
with a specially crafted .notes section in an ELF binary file.

There are systems like amavisd-new that automatically run file(1)
on every email attachment. To prevent an automated exploit by email,
another layer of protection like -fstack-protector is needed.

Upstream fix:
https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793

The issue was introduced with this code change in October 2016:
https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1

file-5.32 has been released including the fix:
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz.asc

[An official release announcement on the file mailing list
will follow once a temporary outage of the mailing list is resolved]


The cppcheck tool helped discover the issue:
----
[readelf.c:514]: (warning) Logical disjunction always evaluates to true:
descsz >= 4 || descsz <= 20.
----
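To make the cppcheck finding concrete, here is an added, simplified model (not file's actual readelf.c code) of a note-descriptor length check guarding a 20-byte stack buffer, with the always-true disjunction next to the corrected conjunction; the note layout and the "GNU" name are assumptions for the constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the flagged check (not file's actual code): a note
 * descriptor is copied into a fixed 20-byte stack buffer, so its length
 * must be bounded by that size before the copy. */
#define DESC_MAX 20

/* The disjunction cppcheck reported: every value is >= 4 or <= 20, so this
 * never rejects anything and an oversized descsz reaches the memcpy. */
bool descsz_ok_vulnerable(uint32_t descsz) {
    return descsz >= 4 || descsz <= DESC_MAX;
}

/* Corrected bound: both conditions must hold. */
bool descsz_ok_fixed(uint32_t descsz) {
    return descsz >= 4 && descsz <= DESC_MAX;
}

static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one little-endian ELF note (namesz, descsz, type, name, desc) from
 * buf and copy the descriptor into out; name and desc are padded to 4 bytes.
 * Returns bytes copied, or -1 if descsz is out of range or the note is short. */
int read_note_desc(const uint8_t *buf, size_t len, uint8_t out[DESC_MAX]) {
    if (len < 12)
        return -1;
    uint32_t namesz = rd32le(buf), descsz = rd32le(buf + 4);
    if (!descsz_ok_fixed(descsz))          /* reject before the copy */
        return -1;
    size_t doff = 12 + (((size_t)namesz + 3) & ~(size_t)3);
    if (doff > len || descsz > len - doff)
        return -1;
    memcpy(out, buf + doff, descsz);
    return (int)descsz;
}

/* Constructed test input: a "GNU" note whose descriptor is descsz bytes of
 * 0xAA (descsz <= 64). Returns what read_note_desc returns. */
int parse_constructed_note(uint32_t descsz) {
    uint8_t note[12 + 4 + 64] = {4, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 'G', 'N', 'U', 0};
    uint8_t out[DESC_MAX];
    note[4] = (uint8_t)descsz;             /* little-endian descsz, < 256 */
    memset(note + 16, 0xAA, descsz > 64 ? 64 : descsz);
    return read_note_desc(note, sizeof note, out);
}
```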


Credits:
The issue has been found by Thomas Jarosch of Intra2net AG.
Code fix and new release provided by Christos Zoulas.


Fixed packages from distributions should start to be available soon.


Timeline (key entries):
2017-08-26: Notified the maintainer Christos Zoulas
2017-08-27: Christos pushed a fix to CVS / git
            with an innocent-looking commit message

2017-08-28: Notified the Red Hat security team to coordinate the release
            and request a CVE ID. Red Hat responds that it is better to
            contact the distros list directly instead of through them.

2017-09-01: Notified the distros mailing list, asking for a CVE ID
            and requesting an embargo until 2017-09-08
2017-09-01: CVE-2017-1000249 is assigned

2017-09-04: After discussion that the issue was already semi-public,
            moved the embargo date to 2017-09-05
2017-09-05: Public release


Best regards,
Thomas Jarosch / Intra2net AG

