oss-sec mailing list archives
CVE Request: file: crashes when checking softmagic for some corrupt PE executables
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 3 Mar 2014 23:32:12 +0100
Hi file can be made to crash when checking some corrupt PE executables, and so could be used to mount a denial of service for file, or an application using file/libmagic. Upstream bugreport: http://bugs.gw.com/view.php?id=313
Some corrupt PE executables contain invalid offset information in their internal directories that libmagic attempts to follow and run string searches on. mcopy() does not do bounds checking on the indirect offset read from the file and sets up ms->search with invalid pointers and lengths. The offending line in my case is the msdos magic file is 121:(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archiveThe offset read indirectly was invalid and its bounds were not checked in mcopy.
Upstream has fixed this with following commit: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801 Can a CVE be assigned for this issue? Regards, Salvatore
Current thread:
- CVE Request: file: crashes when checking softmagic for some corrupt PE executables Salvatore Bonaccorso (Mar 03)
- Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables cve-assign (Mar 05)
- Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables Salvatore Bonaccorso (Mar 05)
- Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables Stuart Henderson (Mar 13)
- <Possible follow-ups>
- Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables mancha (Mar 05)
- Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables cve-assign (Mar 05)