Vigil@nce - libmagic: use after free via apprentice_load
January 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can get a victim to analyze a malicious file with
Fine Free file, forcing the use of a freed memory area in the
apprentice_load() function of libmagic, in order to trigger a
denial of service and possibly execute code.
Impacted products: PHP, Unix (platform)
Severity: 2/4
Creation date: 30/12/2014
DESCRIPTION OF THE VULNERABILITY
The Fine Free file (libmagic) program analyzes files, in order to
automatically recognize their type. The PHP Fileinfo module also
uses libmagic.
However, the apprentice_load() function frees a memory area
located on the stack.
An attacker can therefore get a victim to analyze a malicious
file with Fine Free file, forcing the use of a freed memory
area in the apprentice_load() function of libmagic, in order to
trigger a denial of service and possibly execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libmagic-use-after-free-via-apprentice-load-15885