Package: file
Version: 5.00-1
Severity: critical
Heap corruption happens on some Microsoft document files (including ".doc",
".mpp" and maybe others), while reading out-of-buffer in cdf.c, line 313.
This bug is critical for mail processing, blocking mail on a relay running
amavisd as spam/virus filter. Symptoms:
% file /tmp/VTB_DWH_plan_v_091_090331_gleb.mpp
*** glibc detected *** file: munmap_chunk(): invalid pointer: 0x08c48aa8 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7e231e4]
/usr/lib/libmagic.so.1(cdf_read_sat+0x23b)[0xb7f3e84b]
/usr/lib/libmagic.so.1(file_trycdf+0x6e)[0xb7f3ecce]
/usr/lib/libmagic.so.1(file_buffer+0x1ca)[0xb7f3c21a]
/usr/lib/libmagic.so.1[0xb7f2e092]
file[0x8048e3d]
file[0x804995c]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7dca775]
file[0x8048ba1]
======= Memory map: ========
08048000-0804b000 r-xp 00000000 03:0a 335446 /usr/bin/file
0804b000-0804c000 rw-p 00002000 03:0a 335446 /usr/bin/file
08c22000-08c5b000 rw-p 08c22000 00:00 0 [heap]
b7989000-b7995000 r-xp 00000000 03:05 40203 /lib/libgcc_s.so.1
b7995000-b7996000 rw-p 0000c000 03:05 40203 /lib/libgcc_s.so.1
b79a2000-b7a03000 rw-p b79a2000 00:00 0
b7a03000-b7a05000 r-xp 00000000 03:0a 20213 /usr/lib/gconv/KOI8-R.so
b7a05000-b7a06000 r--p 00001000 03:0a 20213 /usr/lib/gconv/KOI8-R.so
b7a06000-b7a07000 rw-p 00002000 03:0a 20213 /usr/lib/gconv/KOI8-R.so
b7a07000-b7a0e000 r--s 00000000 03:0a 16392 /usr/lib/gconv/gconv-modules.cache
b7a0e000-b7bbd000 rw-p 00000000 03:0a 228828 /usr/share/file/magic.mgc
b7bbd000-b7db3000 r--p 00000000 03:0a 47892 /usr/lib/locale/locale-archive
b7db3000-b7db4000 rw-p b7db3000 00:00 0
b7db4000-b7f0e000 r-xp 00000000 03:05 44190 /lib/i686/cmov/libc-2.9.so
b7f0e000-b7f0f000 ---p 0015a000 03:05 44190 /lib/i686/cmov/libc-2.9.so
b7f0f000-b7f11000 r--p 0015a000 03:05 44190 /lib/i686/cmov/libc-2.9.so
b7f11000-b7f12000 rw-p 0015c000 03:05 44190 /lib/i686/cmov/libc-2.9.so
b7f12000-b7f16000 rw-p b7f12000 00:00 0
b7f16000-b7f2a000 r-xp 00000000 03:0a 16369 /usr/lib/libz.so.1.2.3.3
b7f2a000-b7f2b000 rw-p 00013000 03:0a 16369 /usr/lib/libz.so.1.2.3.3
b7f2b000-b7f44000 r-xp 00000000 03:0a 17555 /usr/lib/libmagic.so.1.0.0
b7f44000-b7f45000 rw-p 00019000 03:0a 17555 /usr/lib/libmagic.so.1.0.0
b7f50000-b7f53000 rw-p b7f50000 00:00 0
b7f53000-b7f54000 r-xp b7f53000 00:00 0 [vdso]
b7f54000-b7f70000 r-xp 00000000 03:05 40274 /lib/ld-2.9.so
b7f70000-b7f71000 r--p 0001b000 03:05 40274 /lib/ld-2.9.so
b7f71000-b7f72000 rw-p 0001c000 03:05 40274 /lib/ld-2.9.so
bfc5c000-bfc71000 rw-p bffeb000 00:00 0 [stack]
/tmp/VTB_DWH_plan_v_091_090331_gleb.mpp: [2] 17253 abort file
/tmp/VTB_DWH_plan_v_091_090331_gleb.mpp
If an assertion like this
------------------------------------------------------------------------------
--- cdf.c.orig 2009-04-14 12:47:33.000000000 +0400
+++ cdf.c 2009-04-14 12:48:48.000000000 +0400
@@ -310,6 +310,7 @@
goto out2;
}
for (k = 0; k < (ss / sizeof(mid)) - 1; k++, i++)
+ assert(i <= sat->sat_len);
if (cdf_read_sector(fd, sat->sat_tab, ss * i, ss, h,
CDF_TOLE4(msa[k])) != (ssize_t)ss) {
DPRINTF(("Reading sector %d",
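Review bot: the inserted `assert(i <= sat->sat_len);` becomes the whole loop body, because the `for` on the line above has no braces; the `if (cdf_read_sector(...` that follows now executes once after the loop, with the final `k` and `i`, instead of on every iteration, so the patched build no longer reads the SAT sectors it iterated over. If the assert is meant to guard each read it needs braces around both statements, e.g. `for (...) { assert(i <= sat->sat_len); if (cdf_read_sector(...` Two further points: an `assert` disappears under `NDEBUG` and, when it does fire, aborts the process, which for a mail relay is the same denial of service as the crash it replaces, so the loop should instead check the bound and leave through the existing `goto out2` error path; and if `sat_len` counts the sectors `sat_tab` holds, the write at offset `ss * i` with `i == sat_len` already lands past the end of the table, so the condition should be `i < sat->sat_len`.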
------------------------------------------------------------------------------
is added to the source, no corruption happens, but file aborts with the message
"cdf_read_sat: Assertion `i <= sat->sat_len' failed."
I do not understand what this code is doing, so I do not try to patch it.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash
Versions of packages file depends on:
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libmagic1 5.00-1 File type determination library us
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
file recommends no packages.
file suggests no packages.
-- no debconf information
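The report describes a sector-table loop that trusts counts taken from the file header and writes past the allocated table. The following C program is an added example, not code from file's cdf.c or from this bug report: it models a much simplified compound-document sector allocation table loader (the names hdr_t, sat_t, load_sat, read_sector and demo_case, the 64-byte sector size and the 4-sector sample image are all assumptions chosen to keep it small) and shows the shape of the check that turns a crafted header into a rejected file rather than a heap write out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a compound-document (CDF) sector
 * allocation table loader.  Not file's cdf.c: the type and function
 * names and the 64-byte sector size are assumptions for this example. */
#define SECT_SIZE 64            /* ss: bytes per sector */
#define MAX_MSA   8             /* capacity of the master SAT array in the header */

typedef struct {
    uint32_t num_master_sat;    /* how many SAT sector ids the header claims */
    uint32_t msa[MAX_MSA];      /* sector ids holding pieces of the SAT */
} hdr_t;

typedef struct {
    uint8_t *sat_tab;           /* concatenated SAT sectors */
    size_t   sat_len;           /* number of sectors sat_tab can hold */
} sat_t;

/* Copy sector `sid` of the file image into dst.  Sector 0 follows the
 * header sector.  Returns SECT_SIZE on success, -1 if the sector lies
 * outside the image. */
static int read_sector(const uint8_t *img, size_t img_len, uint32_t sid, uint8_t *dst)
{
    size_t off;
    if (sid >= img_len / SECT_SIZE)         /* reject before multiplying, so the offset cannot wrap */
        return -1;
    off = ((size_t)sid + 1) * SECT_SIZE;
    if (off + SECT_SIZE > img_len)
        return -1;
    memcpy(dst, img + off, SECT_SIZE);
    return SECT_SIZE;
}

/* Load the SAT.  Every count taken from the header is checked against
 * the buffer it indexes before any copy, so a crafted header can make
 * the loader fail but cannot make it write past sat_tab or read past
 * the image.  Returns 0 on success, a negative code naming the rejected field. */
int load_sat(const uint8_t *img, size_t img_len, const hdr_t *h, sat_t *sat)
{
    size_t i;
    if (h->num_master_sat > MAX_MSA)
        return -1;                          /* header claims more entries than msa[] holds */
    for (i = 0; i < h->num_master_sat; i++) {
        if (i >= sat->sat_len)
            return -2;                      /* the bound the report's assertion was probing */
        if (read_sector(img, img_len, h->msa[i], sat->sat_tab + SECT_SIZE * i) != SECT_SIZE)
            return -3;                      /* sector id points outside the file */
    }
    return 0;
}

/* Build a constructed 4-sector image (header + 3 sectors) and a SAT buffer
 * with room for 2 sectors, then load it with the given header values. */
int demo_case(uint32_t num_master_sat, uint32_t second_sid)
{
    uint8_t img[4 * SECT_SIZE];
    uint8_t tab[2 * SECT_SIZE];
    hdr_t h;
    sat_t sat = { tab, 2 };

    memset(img, 0xAB, sizeof img);          /* constructed sample content */
    memset(&h, 0, sizeof h);
    h.num_master_sat = num_master_sat;
    h.msa[0] = 0;
    h.msa[1] = second_sid;
    h.msa[2] = 2;
    return load_sat(img, sizeof img, &h, &sat);
}

int main(void)
{
    printf("well-formed header:          %d\n", demo_case(2, 1));   /* 0 */
    printf("more SAT sectors than table: %d\n", demo_case(3, 1));   /* -2 */
    printf("sector id beyond the image:  %d\n", demo_case(2, 99));  /* -3 */
    printf("master SAT count too large:  %d\n", demo_case(9, 1));   /* -1 */
    return 0;
}
```

The point of the design is that each header field is validated against the buffer it indexes before the copy that uses it, and a failed check returns an error to the caller instead of aborting: for a library embedded in a mail filter, a clean "cannot parse" result is the outcome that keeps the relay running.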