1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
Thomas Jarosch of Intra2net AG reported a denial of service issue (resource
consumption) in the ELF parser used by file(1).
Using file(1) on a specially-crafted ELF binary could lead to a denial of
service (resource consumption).
Patch: Stop reporting bad capabilities after the first few.
https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
Patch: Don't bail if there was no error, buf could have been NULL on entry.
https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686
(!!! not needed, as code vulnerable code was introduced later !!!)
Patch: limit the number of program and section header number of sections
https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
but use adapted values from:
https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c
Patch: limit recursion level
CVE-2014-8117
set recursion level to 10 as done in:
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c
bump to 15 as done in:
https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677
Index: php5-5.3.3/ext/fileinfo/libmagic/readelf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/readelf.c 2015-01-21 13:54:56.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/readelf.c 2015-01-21 15:58:20.000000000 +0100
@@ -60,6 +60,17 @@
private uint32_t getu32(int, uint32_t);
private uint64_t getu64(int, uint64_t);
+#define MAX_PHNUM 256
+#define MAX_SHNUM 1024
+
+private int
+toomany(struct magic_set *ms, const char *name, uint16_t num)
+{
+ if (file_printf(ms, ", too many %s header sections (%u)", name, num) == -1)
+ return -1;
+ return 0;
+}
+
private uint16_t
getu16(int swap, uint16_t value)
{
@@ -397,13 +408,13 @@
if (namesz & 0x80000000) {
(void)file_printf(ms, ", bad note name size 0x%lx",
(unsigned long)namesz);
- return offset;
+ return 0;
}
if (descsz & 0x80000000) {
(void)file_printf(ms, ", bad note description size 0x%lx",
(unsigned long)descsz);
- return offset;
+ return 0;
}
@@ -827,6 +838,7 @@
Elf32_Shdr sh32;
Elf64_Shdr sh64;
int stripped = 1;
+ size_t nbadcap = 0;
void *nbuf;
off_t noff;
uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
@@ -895,6 +907,9 @@
case SHT_SUNW_cap:
{
off_t coff;
+
+ if (nbadcap > 5)
+ break;
if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
(off_t)-1) {
file_badread(ms);
@@ -935,6 +950,8 @@
(unsigned long long)xcap_tag,
(unsigned long long)xcap_val) == -1)
return -1;
+ if (nbadcap++ > 2)
+ coff = xsh_size;
break;
}
}
@@ -1141,7 +1158,7 @@
int flags = 0;
Elf32_Ehdr elf32hdr;
Elf64_Ehdr elf64hdr;
- uint16_t type;
+ uint16_t type, phnum, shnum;
if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
return 0;
Index: php5-5.3.3/ext/fileinfo/libmagic/elfclass.h
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/elfclass.h 2008-11-02 17:13:49.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/elfclass.h 2015-01-21 15:54:42.000000000 +0100
@@ -35,9 +35,11 @@
switch (type) {
#ifdef ELFCORE
case ET_CORE:
+ phnum = elf_getu16(swap, elfhdr.e_phnum);
+ if (phnum > MAX_PHNUM)
+ return toomany(ms, "program", phnum);
if (dophn_core(ms, clazz, swap, fd,
- (off_t)elf_getu(swap, elfhdr.e_phoff),
- elf_getu16(swap, elfhdr.e_phnum),
+ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
fsize, &flags) == -1)
return -1;
@@ -45,18 +47,25 @@
#endif
case ET_EXEC:
case ET_DYN:
+ phnum = elf_getu16(swap, elfhdr.e_phnum);
+ if (phnum > MAX_PHNUM)
+ return toomany(ms, "program", phnum);
+ shnum = elf_getu16(swap, elfhdr.e_shnum);
+ if (shnum > MAX_SHNUM)
+ return toomany(ms, "section", shnum);
if (dophn_exec(ms, clazz, swap, fd,
- (off_t)elf_getu(swap, elfhdr.e_phoff),
- elf_getu16(swap, elfhdr.e_phnum),
+ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
- fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+ fsize, &flags, shnum))
== -1)
return -1;
/*FALLTHROUGH*/
case ET_REL:
+ shnum = elf_getu16(swap, elfhdr.e_shnum);
+ if (shnum > MAX_SHNUM)
+ return toomany(ms, "section", shnum);
if (doshn(ms, clazz, swap, fd,
- (off_t)elf_getu(swap, elfhdr.e_shoff),
- elf_getu16(swap, elfhdr.e_shnum),
+ (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
(size_t)elf_getu16(swap, elfhdr.e_shentsize),
&flags,
elf_getu16(swap, elfhdr.e_machine)) == -1)
Index: php5-5.3.3/ext/fileinfo/libmagic/softmagic.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/softmagic.c 2015-01-21 14:40:10.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/softmagic.c 2015-01-21 16:01:47.000000000 +0100
@@ -1017,7 +1017,7 @@
uint32_t offset = ms->offset;
union VALUETYPE *p = &ms->ms_value;
- if (recursion_level >= 20) {
+ if (recursion_level >= 15) {
file_error(ms, 0, "recursion nesting exceeded");
return -1;
}
|
