Debian Bug report logs - #783108
file: OOM and/or segfault
Reported by: Henri Salo <henri@nerv.fi>
Date: Wed, 22 Apr 2015 08:39:01 UTC
Severity: grave
Tags: security, unreproducible, upstream
Done: Henri Salo <henri@nerv.fi>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5.
(Wed, 22 Apr 2015 08:39:06 GMT)
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Wed, 22 Apr 2015 08:39:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: php5
Version: 5.6.7+dfsg-1
Severity: grave
Tags: security, upstream, fixed-upstream
Hi,
the following vulnerability was published for PHP5,
"""
When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
crash by either segfaulting or trying to allocate a large amount of memory
(4GiB).
This was found in the wild when a user uploaded a file (running finfo on
arbitrary files uploaded by users is one of its main use cases). I've since
anonymised the file, and made it more minimal. At this stage, very small changes
to the string make it produce different behaviour - removing the remaining 'a',
's', or 'y' characters, for instance, will allow finfo to process it fine.
"""
For further information see:
https://bugs.php.net/bug.php?id=68819
https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd
--
Henri Salo
Changed Bug title to 'file: OOM and/or segfault' from 'php5: Fileinfo on specific file causes spurious OOM and/or segfault'
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:21:12 GMT)
No longer marked as found in versions php5/5.6.7+dfsg-1.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:27:05 GMT)
Marked as found in versions file/1:5.22+15-2.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:27:06 GMT)
Removed tag(s) fixed-upstream.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:33:08 GMT)
Bug reassigned from package 'src:php5' to 'file'.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:39:16 GMT)
No longer marked as found in versions file/1:5.22+15-2.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Wed, 22 Apr 2015 10:39:17 GMT)
Added tag(s) unreproducible.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Thu, 23 Apr 2015 07:45:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug#783108; Package file.
(Thu, 23 Apr 2015 14:57:08 GMT)
Acknowledgement sent
to "Lennart Sorensen" <lsorense@csclub.uwaterloo.ca>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Thu, 23 Apr 2015 14:57:08 GMT)
Message #26 received at 783108@bugs.debian.org:
Taken from testcase in php bug report and run on amd64 sid.
/tmp/test.php:
<?php
// Minimal trigger taken from the upstream PHP bug report.
$string = '';
// These two in any order
$string .= "\r\n";
$string .= "''''";
// Total string length > 8192 (2 + 4 + 8184 + 3 = 8193 bytes);
// the filler byte is a random printable character on each run
$string .= str_repeat(chr(rand(32, 127)), 8184);
// Ending in this string
$string .= "say";
// Default mode (FILEINFO_NONE) returns a textual description of the buffer
$finfo = new finfo();
$type = $finfo->buffer($string);
var_dump($type);
?>
Run as 'php5 /tmp/test.php' (using php5-cli) and you get:
Segmentation fault
Change 8184 to 4184 and you get:
string(60) "ASCII text, with very long lines, with CRLF line terminators"
So clearly this bug exists.
--
Len Sorensen
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug#783108; Package file.
(Thu, 23 Apr 2015 15:36:05 GMT)
Acknowledgement sent
to "Lennart Sorensen" <lsorense@csclub.uwaterloo.ca>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Thu, 23 Apr 2015 15:36:05 GMT)
Message #31 received at 783108@bugs.debian.org:
Applying the patch linked to above
(https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd)
makes the segfault go away and the expected output occur.
So this bug IS in php (and also exists in file apparently). Reassigning to
file is wrong, given the bug exists in php as reported. A separate bug
for file ought to be created if it can be reproduced there.
--
Len Sorensen
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#783108; Package file.
(Fri, 24 Apr 2015 08:12:08 GMT)
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list.
(Fri, 24 Apr 2015 08:12:08 GMT)
Message #36 received at 783108@bugs.debian.org:
Lennart Sorensen wrote...
> Applying the patch linked to above
> (https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd)
> makes the segfault go away and the expected output occur.
>
> So this bug IS in php (and also exists in file apparently). Reassigning to
> file is wrong, given the bug exists in php as reported. A separate bug
> for file ought to be created if it can be reproduced there.
The report against php5 is #783107. This is #783108 against file. However, do
you have any indication file is affected? I'd already written an analysis about
this but accidentally sent it to #783099, I could not reproduce the segfaults
using file.
If you have different information, please provide it.
Christoph
Information forwarded
to debian-bugs-dist@lists.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug#783108; Package file.
(Fri, 24 Apr 2015 13:48:08 GMT)
Acknowledgement sent
to "Lennart Sorensen" <lsorense@csclub.uwaterloo.ca>:
Extra info received and forwarded to list. Copy sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>.
(Fri, 24 Apr 2015 13:48:08 GMT)
Message #41 received at 783108@bugs.debian.org:
On Fri, Apr 24, 2015 at 10:01:19AM +0200, Christoph Biedl wrote:
> The report against php5 is #783107. This is #783108 against file. However, do
> you have any indication file is affected? I'd already written an analysis about
> this but accidentally sent it to #783099, I could not reproduce the segfaults
> using file.
>
> If you have different information, please provide it.
Well the report seemed to be against php5 initially and then changed
which seemed very confusing especially since there was no explanation
included with the changing of the bug.
I only noticed afterwards that the other bug against php5 existed.
So some time wasted because the state of the bug report was completely
confusing.
--
Len Sorensen
Reply sent
to Henri Salo <henri@nerv.fi>:
You have taken responsibility.
(Sun, 13 Dec 2015 09:39:05 GMT)
Notification sent
to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer.
(Sun, 13 Dec 2015 09:39:05 GMT)
Message #46 received at 783108-done@bugs.debian.org:
Hi,
I made the bug split, because in an IRC conversation someone said that file should
be handled separately, and I made the mistake of not doing proper research before
creating a new issue. For the current situation please see information from the Debian
security tracker:
https://security-tracker.debian.org/tracker/CVE-2015-4604
https://security-tracker.debian.org/tracker/CVE-2015-4605
I am very sorry about the confusion and I will avoid it in the future as best
I can.
--
Henri Salo
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 11 Jan 2016 07:25:57 GMT)
Last modified: Sun Jul 2 02:51:50 2023