Sec Bug #67705 extensive backtracking in rule regular expression
Submitted: 2014-07-29 06:44 UTC Modified: 2014-08-04 07:26 UTC
From: remi@php.net Assigned: remi
Status: Closed Package: Filesystem function related
PHP Version: 5.4.31 OS: irrelevant
Private report: No CVE-ID: 2014-3538
 [2014-07-29 06:44 UTC] remi@php.net
Description:
------------
It was discovered that the original upstream fix for the CVE-2013-7345 (bug #66946) issue did not sufficiently address the problem. A specially-crafted input file could still cause file to use an excessive amount of CPU time when trying to detect the file type using the awk regular expression rule.

See https://bugzilla.redhat.com/CVE-2014-3538



Patches

magicdata-56.patch (last revision 2014-07-29 08:32 UTC by remi@php.net)
magicdata-54.patch (last revision 2014-07-29 08:32 UTC by remi@php.net)
cve-2014-3538-php54.patch (last revision 2014-07-29 07:25 UTC by remi@php.net)
cve-2014-3538.patch (last revision 2014-07-29 06:44 UTC by remi@php.net)

 [2014-07-29 06:44 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: cve-2014-3538.patch
Revision:   1406616296
URL:        https://bugs.php.net/patch-display.php?bug=67705&patch=cve-2014-3538.patch&revision=1406616296
 [2014-07-29 06:48 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2014-07-29 06:48 UTC] remi@php.net
Notice, this patch is mostly 

data_file.c:
https://github.com/file/file/commit/0b478f445b6b7540b58af5d1fe583fa9e48fd745
https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668

softmagic.c: 
https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668

The upstream commit also introduces a new "l modifier feature".
This has not been backported, as this implies bumping the version of the magic format, which is obviously not expected in PHP as this will introduce a BC, and break code of users relying on an external magic file.
 [2014-07-29 06:49 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3538
 [2014-07-29 06:54 UTC] ab@php.net
Confirming the issue and the fix. The patch is applicable in 5.6; 5.4 and 5.5 are still vulnerable.
 [2014-07-29 07:25 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: cve-2014-3538-php54.patch
Revision:   1406618727
URL:        https://bugs.php.net/patch-display.php?bug=67705&patch=cve-2014-3538-php54.patch&revision=1406618727
 [2014-07-29 07:26 UTC] remi@php.net
cve-2014-3538-php54.patch is for php 5.4/5.5
cve-2014-3538.patch is for php 5.6+
 [2014-07-29 08:32 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: magicdata-54.patch
Revision:   1406622741
URL:        https://bugs.php.net/patch-display.php?bug=67705&patch=magicdata-54.patch&revision=1406622741
 [2014-07-29 08:32 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: magicdata-56.patch
Revision:   1406622760
URL:        https://bugs.php.net/patch-display.php?bug=67705&patch=magicdata-56.patch&revision=1406622760
 [2014-07-29 08:33 UTC] remi@php.net
magicdata-54.patch to replace ext/fileinfo/magicdata.patch in 5.4/5.5
magicdata-56.patch to replace ext/fileinfo/magicdata.patch in 5.6
 [2014-08-04 07:26 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2014-08-04 07:26 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Since it's public in the upstream, we can merge the fix now and make the bug public too.
 [2014-08-04 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=28786a2f82addf7035a4871157f0b63492ac608b
Log: Fix bug #67705 (extensive backtracking in rule regular expression)
 [2014-08-04 08:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eeaec70758bfc0c0e2c0f8944c8dbeae02866206
Log: Fix bug #67705 (extensive backtracking in rule regular expression)
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=eeaec70758bfc0c0e2c0f8944c8dbeae02866206
Log: Fix bug #67705 (extensive backtracking in rule regular expression)