CVE-2019-18218
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CWE-787 Out-of-bounds Write
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2014-9653
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.
CWE-20 Improper Input Validation
CVSSv2:
Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
BID - [72516](http://www.securityfocus.com/bid/72516)
CONFIRM - http://bugs.gw.com/view.php?id=409
CONFIRM - http://php.net/ChangeLog-5.php
CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
CONFIRM - https://github.com/file/file/commit/445c8fb0ebff85195be94cd9f7e1df89cade5c7f
DEBIAN - [DSA-3196](http://www.debian.org/security/2015/dsa-3196)
GENTOO - [GLSA-201701-42](https://security.gentoo.org/glsa/201701-42)
HP - [HPSBMU03380](http://marc.info/?l=bugtraq&m=143748090628601&w=2)
HP - [HPSBMU03409](http://marc.info/?l=bugtraq&m=144050155601375&w=2)
MLIST - [[file] 20141216 [PATCH] readelf.c: better checks for values returned by pread](http://mx.gw.com/pipermail/file/2014/001649.html)
MLIST - [[oss-security] 20150205 Re: CVE Request: PHP/file: out-of-bounds memory access in softmagic](http://openwall.com/lists/oss-security/2015/02/05/13)
REDHAT - [RHSA-2016:0760](http://rhn.redhat.com/errata/RHSA-2016-0760.html)
UBUNTU - [USN-3686-1](https://usn.ubuntu.com/3686-1/)
[cpe:2.3:a:file_project:file:*:*:*:*:*:*:*:* versions up to (including) 5.21](https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Afile_project%3Afile)
...
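The readelf.c entry above is the classic short-read bug: pread() returning fewer bytes than asked for is not -1, so a caller that only tests for -1 goes on to parse bytes it never read. The following is an added example written for this page, not code from file's readelf.c; the function names and the 16-byte constructed input are assumed for illustration.

```c
/* Added example, not file's readelf.c: a pread() wrapper that treats a
 * short read as an error, next to the "only -1 is a failure" check the
 * CVE text describes. Function names are assumed for illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for pread() and fileno() */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The pattern that leaves part of the buffer unread: pread() returning
 * 0..len-1 bytes is not -1, so the caller goes on to parse whatever was
 * in the buffer before the call. */
int pread_naive_ok(int fd, void *buf, size_t len, off_t off)
{
    return pread(fd, buf, len, off) != -1;
}

/* Read exactly len bytes at off. Returns 1 on success, 0 if the file ends
 * first (short read), -1 on an I/O error. Retries on EINTR and on the
 * partial reads that pipes, network file systems and signals produce. */
int pread_full(int fd, void *buf, size_t len, off_t off)
{
    unsigned char *p = buf;
    size_t got = 0;
    while (got < len) {
        ssize_t n = pread(fd, p + got, len - got, off + (off_t)got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)          /* EOF before the structure was complete */
            return 0;
        got += (size_t)n;
    }
    return 1;
}

/* Constructed input: a 16-byte temp file standing in for a truncated ELF.
 * A 64-byte "section header" request must be reported as short by
 * pread_full() even though the naive check accepts it. Returns 1 if so. */
int demo_short_read_detected(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    unsigned char small[16];
    for (int i = 0; i < 16; i++)
        small[i] = (unsigned char)i;
    if (fwrite(small, 1, sizeof small, fp) != sizeof small || fflush(fp) != 0) {
        fclose(fp);
        return 0;
    }
    int fd = fileno(fp);
    unsigned char hdr[64];
    memset(hdr, 0xAA, sizeof hdr);       /* stale contents a parser would otherwise trust */

    int ok = 1;
    if (pread_full(fd, hdr, 16, 0) != 1 || hdr[15] != 15)   /* what exists reads fine */
        ok = 0;
    if (pread_naive_ok(fd, hdr, sizeof hdr, 0) != 1)         /* naive check reports success */
        ok = 0;
    if (hdr[16] != 0xAA)                                      /* ...yet byte 16 was never read */
        ok = 0;
    if (pread_full(fd, hdr, sizeof hdr, 0) != 0)              /* strict wrapper: short read */
        ok = 0;
    if (pread_full(fd, hdr, 8, 12) != 0)                      /* only 4 of 8 bytes available */
        ok = 0;
    fclose(fp);
    return ok;
}

int main(void)
{
    printf("short read detected: %s\n", demo_short_read_detected() ? "yes" : "NO");
    return 0;
}
```

Whether a short read is an error depends on the caller: for a fixed-size structure such as an ELF section header it always is; for a trailing variable-length blob, the number of bytes actually received is the only length the parser may use, never the requested one.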
CVE-2014-8117
softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
CWE-399 Resource Management Errors
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
[cpe:2.3:a:file_project:file:*:*:*:*:*:*:*:* versions up to (including) 5.20](https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Afile_project%3Afile)
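The recursion entry above is about a parser that follows nested structures without a depth bound, so a crafted input can drive it until the stack is exhausted. The following is an added example written for this page, not code from file's softmagic.c: it parses a constructed nested container format with a hard depth cap. The format, the MAX_DEPTH value and the function names are assumed for illustration.

```c
/* Added example, not file's softmagic.c: a recursive parser for a
 * constructed nested container format with a depth cap. Each node is
 * [tag][u16 big-endian len][payload]; tag 0x01 is a leaf, tag 0x02 is a
 * container whose payload is a sequence of child nodes. Without the cap,
 * an input of a few hundred thousand nested containers exhausts the stack.
 * Names and the limit are assumed. */
#include <stddef.h>
#include <stdio.h>

#define MAX_DEPTH 64

enum { E_TRUNC = -1, E_DEPTH = -2, E_BADTAG = -3 };

/* Parses the nodes in p[0..n), counting leaves into *leaves.
 * depth is how many containers enclose this sequence. */
static int parse_nodes(const unsigned char *p, size_t n, int depth, int *leaves)
{
    if (depth > MAX_DEPTH)                 /* the check that bounds recursion */
        return E_DEPTH;
    size_t off = 0;
    while (off < n) {
        if (n - off < 3)
            return E_TRUNC;
        unsigned tag = p[off];
        size_t len = ((size_t)p[off + 1] << 8) | p[off + 2];
        off += 3;
        if (len > n - off)                 /* a child must lie inside its parent */
            return E_TRUNC;
        if (tag == 0x01) {
            (*leaves)++;
        } else if (tag == 0x02) {
            int rc = parse_nodes(p + off, len, depth + 1, leaves);
            if (rc < 0)
                return rc;
        } else {
            return E_BADTAG;
        }
        off += len;
    }
    return 0;
}

/* Returns the leaf count, or a negative E_* code. */
int count_leaves(const unsigned char *p, size_t n)
{
    int leaves = 0;
    int rc = parse_nodes(p, n, 0, &leaves);
    return rc < 0 ? rc : leaves;
}

/* Constructed input: one leaf wrapped in `depth` containers. Each level
 * adds 3 bytes, so the whole thing is 3 * (depth + 1) bytes. Returns the
 * length written, or 0 if cap is too small or the length field would wrap. */
size_t build_nested(unsigned char *out, size_t cap, int depth)
{
    size_t total = 3 * ((size_t)depth + 1);
    if (depth < 0 || total > cap || total > 0xFFFF + 3)
        return 0;
    unsigned char *q = out;
    for (int d = depth; d > 0; d--) {
        size_t child = 3 * (size_t)d;      /* bytes of everything inside this container */
        q[0] = 0x02;
        q[1] = (unsigned char)(child >> 8);
        q[2] = (unsigned char)child;
        q += 3;
    }
    q[0] = 0x01; q[1] = 0; q[2] = 0;       /* the innermost leaf */
    return total;
}

/* Builds a chain `depth` containers deep and parses it. */
int demo_depth(int depth)
{
    unsigned char buf[8192];
    size_t n = build_nested(buf, sizeof buf, depth);
    if (n == 0)
        return E_TRUNC;
    return count_leaves(buf, n);
}

int main(void)
{
    printf("depth 10  -> %d (leaf count)\n", demo_depth(10));
    printf("depth 200 -> %d (E_DEPTH is %d)\n", demo_depth(200), E_DEPTH);
    return 0;
}
```

The cap is deliberately a small constant rather than "whatever the stack allows", so behaviour is the same on every platform and thread stack size. Current libmagic exposes a comparable knob for indirect magic through magic_setparam() (MAGIC_PARAM_INDIR_MAX); that is the setting to raise if deep but legitimate inputs are being rejected.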
CVE-2014-9652
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2:
Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
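The mconvert entry above describes a subtle variant of a length bug: the copy of a Pascal string is truncated to fit, but the length prefix is left at its original value, so the next consumer of the field reads past the truncated data. The following is an added example written for this page, not file's mconvert(): the buggy and fixed copies side by side, with a prefix-trusting consumer to show the difference. The 32-byte field size, the constructed source buffers and the function names are assumed.

```c
/* Added example, not file's mconvert(): copying a length-prefixed (Pascal)
 * string from an untrusted buffer into a fixed-size field. Both versions
 * clamp the copy so it stays in bounds, but the buggy one keeps the
 * original length byte, so later code that trusts the prefix walks past
 * the field. Field size and names are assumed. */
#include <stdio.h>
#include <string.h>

#define FIELD_SZ 32   /* fixed-size value field: [len][up to FIELD_SZ-1 bytes] */

/* Shared clamp: how many payload bytes can safely be copied. */
static size_t clamp_len(size_t declared, size_t avail)
{
    size_t n = declared;
    if (n > avail - 1)       /* source holds fewer bytes than it claims */
        n = avail - 1;
    if (n > FIELD_SZ - 1)    /* destination field is smaller than the string */
        n = FIELD_SZ - 1;
    return n;
}

/* Truncating copy that leaves the prefix untouched: the memcpy stays in
 * bounds, but dst[0] still advertises the untruncated length. */
size_t pstring_copy_buggy(unsigned char dst[FIELD_SZ], const unsigned char *src, size_t avail)
{
    if (avail == 0)
        return 0;
    size_t n = clamp_len(src[0], avail);
    dst[0] = src[0];                 /* BUG: metadata no longer matches the data */
    memcpy(dst + 1, src + 1, n);
    return n;
}

/* Same copy, with the prefix rewritten to the number of bytes actually copied. */
size_t pstring_copy_fixed(unsigned char dst[FIELD_SZ], const unsigned char *src, size_t avail)
{
    if (avail == 0)
        return 0;
    size_t n = clamp_len(src[0], avail);
    dst[0] = (unsigned char)n;
    memcpy(dst + 1, src + 1, n);
    return n;
}

/* A downstream consumer that, like a compare or print routine, trusts the
 * prefix. Returns the payload length it would read, or -1 if that would
 * run past the end of the field. */
int pstring_payload_len(const unsigned char *field, size_t fieldsz)
{
    if (fieldsz == 0)
        return -1;
    size_t len = field[0];
    if (len > fieldsz - 1)
        return -1;
    return (int)len;
}

/* Constructed source: a prefix byte of `declared`, followed by avail-1
 * bytes of 'A', 'B', 'C', ... (at most 64 bytes in total). */
static void make_source(unsigned char *src, unsigned char declared, size_t avail)
{
    src[0] = declared;
    for (size_t i = 1; i < avail; i++)
        src[i] = (unsigned char)('A' + (i - 1) % 26);
}

/* Copies a constructed source with either routine and returns what the
 * prefix-trusting consumer then sees (-2 if the request is malformed). */
int consumer_view(int use_fixed, unsigned char declared, size_t avail)
{
    unsigned char src[64], field[FIELD_SZ];
    if (avail == 0 || avail > sizeof src)
        return -2;
    memset(field, 0, sizeof field);
    make_source(src, declared, avail);
    if (use_fixed)
        pstring_copy_fixed(field, src, avail);
    else
        pstring_copy_buggy(field, src, avail);
    return pstring_payload_len(field, sizeof field);
}

int main(void)
{
    printf("claims 255, holds 9: buggy -> %d, fixed -> %d\n",
           consumer_view(0, 0xFF, 10), consumer_view(1, 0xFF, 10));
    printf("claims 50, holds 63:  buggy -> %d, fixed -> %d\n",
           consumer_view(0, 50, 64), consumer_view(1, 50, 64));
    return 0;
}
```

The consumer-side check is worth keeping even after the copy is fixed: every other place that reads the prefix is a second copy of the same bug, and the field is the only thing those readers can see.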
CVE-2014-2270
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
References:
CONFIRM - http://bugs.gw.com/view.php?id=313
CONFIRM - http://support.apple.com/kb/HT6443
CONFIRM - http://www.php.net/ChangeLog-5.php
CONFIRM - https://github.com/file/file/commit/447558595a3650db2886cd2f416ad0beba965801
DEBIAN - [DSA-2873](http://www.debian.org/security/2014/dsa-2873)
GENTOO - [GLSA-201503-08](https://security.gentoo.org/glsa/201503-08)
MLIST - [[oss-security] 20140303 CVE Request: file: crashes when checking softmagic for some corrupt PE executables](http://seclists.org/oss-sec/2014/q1/473)
MLIST - [[oss-security] 20140305 Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables](http://seclists.org/oss-sec/2014/q1/504)
MLIST - [[oss-security] 20140305 Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables](http://seclists.org/oss-sec/2014/q1/505)
REDHAT - [RHSA-2014:1765](http://rhn.redhat.com/errata/RHSA-2014-1765.html)
SUSE - [openSUSE-SU-2014:0364](http://lists.opensuse.org/opensuse-updates/2014-03/msg00034.html)
SUSE - [openSUSE-SU-2014:0367](http://lists.opensuse.org/opensuse-updates/2014-03/msg00037.html)
SUSE - [openSUSE-SU-2014:0435](http://lists.opensuse.org/opensuse-updates/2014-03/msg00084.html)
UBUNTU - [USN-2162-1](http://www.ubuntu.com/usn/USN-2162-1)
UBUNTU - [USN-2163-1](http://www.ubuntu.com/usn/USN-2163-1)
[cpe:2.3:a:file_project:file:*:*:*:*:*:*:*:* versions up to (excluding) 5.17](https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Afile_project%3Afile)
...
CVE-2014-3479
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE-2014-3480
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE-2014-3487
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CWE-20 Improper Input Validation
CVSSv2:
Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
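The three cdf.c entries just above (cdf_check_stream_offset, cdf_count_chain, cdf_read_property_info), the unrestricted CDF_VECTOR count at the top of this list, and the crafted PE offsets in the softmagic entry all come down to one discipline: every offset, element count and sector count taken from the file is checked against the stream and against the destination before it is used for indexing. The following is an added example written for this page, not code from file or libmagic. It reads a simplified property vector and validates a sector chain; the byte layout, the VECTOR_ELEMENT_LIMIT value, the sector-shift range and the function names are assumed for illustration.

```c
/* Added example, not file's or libmagic's code: the checks a CDF-style
 * property reader needs before it trusts a stream offset, an element count
 * and a sector count taken from the file. Names, limits and the byte layout
 * are assumed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VECTOR_ELEMENT_LIMIT 1024u   /* assumed hard cap on CDF_VECTOR elements */

enum {
    CDF_OK       =  0,
    CDF_EOFF     = -1,   /* offset does not leave room for the count field */
    CDF_ETOOMANY = -2,   /* count above the hard cap */
    CDF_ETRUNC   = -3,   /* count * element size runs past the stream */
    CDF_ENOSPACE = -4,   /* count above what the destination can hold */
    CDF_ESECT    = -5    /* sector shift or sector count is bogus */
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Read a vector [u32 count][count x u32] that starts at byte offset off of
 * a stream of len bytes into out[cap]. Every value used for indexing comes
 * from the file and is checked before use. */
int cdf_read_vector(const unsigned char *buf, size_t len, size_t off,
                    uint32_t *out, size_t cap, uint32_t *nread)
{
    if (off > len || len - off < 4)          /* 1. the offset itself is attacker-chosen */
        return CDF_EOFF;
    uint32_t count = rd32le(buf + off);
    if (count > VECTOR_ELEMENT_LIMIT)        /* 2. hard cap; also keeps count * 4 from wrapping */
        return CDF_ETOOMANY;
    if ((size_t)count * 4 > len - off - 4)   /* 3. every element must exist in the stream */
        return CDF_ETRUNC;
    if (count > cap)                         /* 4. and fit the destination: without this the
                                                   loop below is a heap out-of-bounds write */
        return CDF_ENOSPACE;
    for (uint32_t i = 0; i < count; i++)
        out[i] = rd32le(buf + off + 4 + 4 * (size_t)i);
    *nread = count;
    return CDF_OK;
}

/* A chain of nsect sectors of (1 << sector_shift) bytes must lie inside a
 * file body of body_len bytes. Dividing instead of multiplying avoids the
 * overflow a huge nsect would otherwise cause. */
int cdf_check_chain(uint64_t nsect, uint32_t sector_shift, uint64_t body_len)
{
    if (sector_shift < 7 || sector_shift > 20)   /* assumed sane range; real files use 9 or 12 */
        return CDF_ESECT;
    if (nsect > (body_len >> sector_shift))
        return CDF_ESECT;
    return CDF_OK;
}

/* Constructed stream: 8 bytes of padding, then a vector at offset 8 whose
 * count field says `declared` but which actually carries nelems elements. */
static size_t make_stream(unsigned char *buf, uint32_t declared, const uint32_t *elems, size_t nelems)
{
    memset(buf, 0, 8);
    wr32le(buf + 8, declared);
    for (size_t i = 0; i < nelems; i++)
        wr32le(buf + 12 + 4 * i, elems[i]);
    return 12 + 4 * nelems;
}

/* Runs each malformed variant through the reader; returns 1 if every check
 * fires as intended and the well-formed stream decodes to 1, 2, 3. */
int demo_vector_checks(void)
{
    unsigned char buf[64];
    uint32_t out[8], n = 0;
    const uint32_t elems[3] = { 1, 2, 3 };
    size_t len = make_stream(buf, 3, elems, 3);

    int ok = cdf_read_vector(buf, len, 8, out, 8, &n) == CDF_OK
          && n == 3 && out[0] == 1 && out[1] == 2 && out[2] == 3;
    ok = ok && cdf_read_vector(buf, len, 100, out, 8, &n) == CDF_EOFF;     /* offset past the stream */
    ok = ok && cdf_read_vector(buf, len, 8, out, 2, &n) == CDF_ENOSPACE;   /* destination too small */
    len = make_stream(buf, 5, elems, 3);                                    /* claims 5, carries 3 */
    ok = ok && cdf_read_vector(buf, len, 8, out, 8, &n) == CDF_ETRUNC;
    len = make_stream(buf, 0xFFFFFFFFu, elems, 3);                          /* absurd count */
    ok = ok && cdf_read_vector(buf, len, 8, out, 8, &n) == CDF_ETOOMANY;
    return ok;
}

int main(void)
{
    printf("vector checks: %s\n", demo_vector_checks() ? "ok" : "FAILED");
    printf("8 sectors of 512 in a 4096-byte body: %d\n", cdf_check_chain(8, 9, 4096));
    printf("9 sectors of 512 in a 4096-byte body: %d\n", cdf_check_chain(9, 9, 4096));
    return 0;
}
```

The order of the checks matters: the hard cap comes before the multiplication so that count * 4 cannot wrap on a 32-bit size_t, and the destination check is the one whose absence turns an over-read crash into a silent 4-byte-per-element heap write.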
This appears to be a false positive. The vulnerability is in the `file` utility, which is a command-line tool for guessing file types, similar to the purpose of this library, but we do not use it internally.