Fwd: [oss-security] CVE-2017-1000249: file: stack based buffer overflow

Thomas Jarosch thomas.jarosch at intra2net.com
Tue Sep 5 21:15:35 CEST 2017


Hello amavis users,

recently there has been a code defect in file(1).
This affects amavisd-new since it automatically runs file on
every incoming email attachment.

Affected versions are file 5.29, 5.30 and 5.31.
Many distributions compile their software with -fstack-protector,
so this provides an additional level of mitigation.

Please watch out for updated packages from your distribution;
they should start flowing in the next days.

Best regards,
Thomas Jarosch

-------- Forwarded Message --------
Subject: [oss-security] CVE-2017-1000249: file: stack based buffer overflow
Date: Tue, 05 Sep 2017 18:24:24 +0200
From: Thomas Jarosch <thomas.jarosch at intra2net.com>
Reply-To: oss-security at lists.openwall.com
Organization: Intra2net AG
To: oss-security at lists.openwall.com

Hello oss security,

file(1) versions 5.29, 5.30 and 5.31 contain a stack-based
buffer overflow when parsing a specially crafted input file.

The issue lets an attacker overwrite a fixed 20-byte stack buffer
with a specially crafted .notes section in an ELF binary file.

There are systems like amavisd-new that automatically run file(1)
on every email attachment. To prevent an automated exploit by email,
another layer of protection like -fstack-protector is needed.

Upstream fix:
https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793

The issue was introduced with this code change in October 2016:
https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1

file-5.32 has been released including the fix:
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz
ftp://ftp.astron.com/pub/file/file-5.32.tar.gz.asc

[An official release announcement on the file mailing list
will follow once a temporary outage of the mailing list is solved]


The cppcheck tool helped to discover the issue:
----
[readelf.c:514]: (warning) Logical disjunction always evaluates to true:
descsz >= 4 || descsz <= 20.
----


Credits:
The issue has been found by Thomas Jarosch of Intra2net AG.
Code fix and new release provided by Christos Zoulas.


Fixed packages from distributions should start to be available soon.


Timeline (key entries):
2017-08-26: Notified the maintainer Christos Zoulas
2017-08-27: Christos pushed a fix to CVS / git
            with an innocent-looking commit message

2017-08-28: Notified Redhat security team to coordinate release
            and request CVE ID. Redhat responds it's better to directly
            contact the distros list instead of going through them.

2017-09-01: Notified distros mailing list, asking for CVE ID
            and requesting embargo until 2017-09-08
2017-09-01: CVE-2017-1000249 ID is assigned

2017-09-04: After discussion that the issue is semi-public already,
            moved embargo date to 2017-09-05
2017-09-05: Public release


Best regards,
Thomas Jarosch / Intra2net AG
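The cppcheck warning quoted in the advisory is the whole bug in one line: a size check written with `||` instead of `&&` is a tautology, so it never rejects anything and a descriptor larger than the 20-byte stack buffer is copied anyway. The C below is an added illustration of that defect pattern and its corrected form; it is not file(1)'s readelf.c, and the function names, the `DESC_BUF_LEN` constant and the second "claimed size versus bytes available" check are assumptions made here for the example. Build with `-fstack-protector` and the buggy path is the kind of overwrite the canary is meant to catch; the point of the fixed check is that the copy never happens at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Mirrors the 20-byte stack buffer the advisory describes (assumed name). */
#define DESC_BUF_LEN 20

/* The check as cppcheck flagged it: every unsigned value satisfies
 * (descsz >= 4 || descsz <= 20), so the guard accepts any size,
 * including sizes far larger than the destination buffer. */
static int desc_size_ok_buggy(uint32_t descsz)
{
    return descsz >= 4 || descsz <= 20;
}

/* The intended range check: a conjunction actually constrains descsz
 * to values that fit the buffer. */
static int desc_size_ok_fixed(uint32_t descsz)
{
    return descsz >= 4 && descsz <= DESC_BUF_LEN;
}

/* Model of the parsing step with the corrected guard, plus a second check
 * (an assumption of this example, not from the advisory) that the size
 * claimed in the note header does not exceed the bytes actually present.
 * Returns bytes copied, -1 if the size would not fit the buffer,
 * -2 if the header claims more data than the input contains. */
static int parse_note_desc(const unsigned char *data, size_t avail,
                           uint32_t descsz, unsigned char out[DESC_BUF_LEN])
{
    if (!desc_size_ok_fixed(descsz))
        return -1;
    if (descsz > avail)
        return -2;
    memcpy(out, data, descsz);   /* bounded: descsz <= DESC_BUF_LEN here */
    return (int)descsz;
}

int main(void)
{
    /* Constructed sample descriptor: 32 bytes of filler, more than fits. */
    unsigned char note[32];
    unsigned char buf[DESC_BUF_LEN];
    memset(note, 0x41, sizeof note);

    printf("buggy check accepts descsz=100: %d\n", desc_size_ok_buggy(100));
    printf("fixed check accepts descsz=100: %d\n", desc_size_ok_fixed(100));
    printf("parse descsz=16 -> %d\n", parse_note_desc(note, sizeof note, 16, buf));
    printf("parse descsz=32 -> %d\n", parse_note_desc(note, sizeof note, 32, buf));
    printf("parse descsz=16, only 8 bytes present -> %d\n",
           parse_note_desc(note, 8, 16, buf));
    return 0;
}
```

The buggy guard is only ever evaluated here, never used in front of the `memcpy`, so the example itself cannot overflow; the comparison of the two predicates on the same inputs is what shows why the static-analysis warning was worth acting on.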
