[Secure-testing-commits] r29399 - data/CVE

[Raphaël Hertzog]

Author: hertzog
Date: 2014-10-14 14:40:19 +0000 (Tue, 14 Oct 2014)
New Revision: 29399

Modified:
   data/CVE/list
Log:
Mark CVE-2013-7345/php5/squeeze as not-affected, but the wheezy one is affected

The verification done is this one:
$ cd ext/fileinfo
$ cat >test.c <<END
END
$ cat data_file.c >>test.c
$ cat >>test.c <<END
int main(int argc, char *argv[]) {
    int fd, res;
    fd = open("magic.mgc", O_RDWR|O_CREAT, 0644);
    res = sizeof(php_magic_database);
    if(res != write(fd, php_magic_database, sizeof(php_magic_database))) {
        printf("Did not write everything...\n");
    };
    close(fd);
    return 0;
}
END
$ gcc -o test ./test.c
$ ./test
$ strings magic.mgc | grep "BEGIN"
[...]

If the output contains "^\s*BEGIN\s*[{]" then you are affected,
otherwise you are not. In squeeze we don't have the problematic
regex at all. In unstable, we have the fixed regex.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-10-14 14:40:12 UTC (rev 29398)
+++ data/CVE/list	2014-10-14 14:40:19 UTC (rev 29399)
@@ -14378,6 +14378,14 @@
 	NOTE: http://bugs.gw.com/view.php?id=164
 	NOTE: fixed in commit ef2329cf71acb59204dd981e2c6cce6c81fe467c
 	- php5 5.6.0+dfsg-1
+	[squeeze] - php5 <not-affected>
+	NOTE: Wheezy's php5 is vulnerable in 5.4.4-14+deb7u14. Verified by rebuilding
+	NOTE: magic.mgc out of ext/fileinfo/data_info.c and "strings magic.mgc |grep BEGIN"
+	NOTE: returns "^\s*BEGIN\s*[{]". Same test in squeeze does not
+	NOTE: report the problematic string.
+	NOTE: Good fix is to regenerate the file with "php5
+	NOTE: create_data_file.php /usr/share/file/magic.mgc > data_info.c" once
+	NOTE: you have a fixed libmagic1 installed.
 CVE-2014-5795
 	REJECTED
 CVE-2014-2245 (SQL injection vulnerability in the News module in CMS Made Simple ...)