RHSA-2014:1606 - Security Advisory

Topic

Updated file packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

The "file" command is used to identify a particular file according to the
type of data contained in the file. The command can identify various file
types, including ELF binaries, system libraries, RPM packages, and
different graphics formats.

Multiple denial of service flaws were found in the way file parsed certain
Composite Document Format (CDF) files. A remote attacker could use either
of these flaws to crash file, or an application using file, via a specially
crafted CDF file. (CVE-2014-0237, CVE-2014-0238, CVE-2014-3479,
CVE-2014-3480, CVE-2012-1571)

Two denial of service flaws were found in the way file handled indirect and
search rules. A remote attacker could use either of these flaws to cause
file, or an application using file, to crash or consume an excessive amount
of CPU. (CVE-2014-1943, CVE-2014-2270)

This update also fixes the following bugs:

• Previously, the output of the "file" command contained redundant white

spaces. With this update, the new STRING_TRIM flag has been introduced to
remove the unnecessary white spaces. (BZ#664513)

• Due to a bug, the "file" command could incorrectly identify an XML

document as a LaTex document. The underlying source code has been modified
to fix this bug and the command now works as expected. (BZ#849621)

• Previously, the "file" command could not recognize .JPG files and

incorrectly labeled them as "Minix filesystem". This bug has been fixed and
the command now properly detects .JPG files. (BZ#873997)

• Under certain circumstances, the "file" command incorrectly detected

NETpbm files as "x86 boot sector". This update applies a patch to fix this
bug and the command now detects NETpbm files as expected. (BZ#884396)

• Previously, the "file" command incorrectly identified ASCII text files as

a .PIC image file. With this update, a patch has been provided to address
this bug and the command now correctly recognizes ASCII text files.
(BZ#980941)

• On 32-bit PowerPC systems, the "from" field was missing from the output

of the "file" command. The underlying source code has been modified to fix
this bug and "file" output now contains the "from" field as expected.
(BZ#1037279)

• The "file" command incorrectly detected text files as "RRDTool DB version

ool - Round Robin Database Tool". This update applies a patch to fix this
bug and the command now correctly detects text files. (BZ#1064463)

• Previously, the "file" command supported only version 1 and 2 of the QCOW

format. As a consequence, file was unable to detect a "qcow2 compat=1.1"
file created on Red Hat Enterprise Linux 7. With this update, support for
QCOW version 3 has been added so that the command now detects such files as
expected. (BZ#1067771)

All file users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 664513 - too many spaces ...
• BZ - 805197 - CVE-2012-1571 file: out of bounds read in CDF parser
• BZ - 849621 - file is coming back with 'LaTeX document text' instead of 'XML document text'
• BZ - 873997 - file thinks the attached jpg is "Minix filesystem, V2, 50968 zones"
• BZ - 884396 - file detects netpbm files as x86 boot sector type sometimes
• BZ - 980941 - file reported wrong file type (reported .PIC image file instead of ASCII text file)
• BZ - 1064463 - text file detected as 'RRDTool DB version ool - Round Robin Database Tool'
• BZ - 1065836 - CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
• BZ - 1067771 - file unable to detect qcow2 compat=1.1 img created by RHEL7
• BZ - 1072220 - CVE-2014-2270 file: out-of-bounds access in search rules with offsets from input file
• BZ - 1098155 - CVE-2014-0238 file: CDF property info parsing nelements infinite loop
• BZ - 1098193 - CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
• BZ - 1104858 - CVE-2014-3480 file: cdf_count_chain insufficient boundary check
• BZ - 1104869 - CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check

CVEs

• CVE-2014-0237
• CVE-2014-0238
• CVE-2014-3479
• CVE-2014-3480
• CVE-2014-1943
• CVE-2014-2270
• CVE-2012-1571

References

• https://access.redhat.com/security/updates/classification/#moderate