View Issue Details

IDProjectCategoryView StatusLast Update
0000465fileGeneralpublic2023-07-17 15:55
Reporterpsrok1 Assigned Tochristos  
Status resolvedResolutionfixed 
PlatformAlpine Linux (in Docker)OSAlpine LinuxOS Versionv3.18
Product Version5.44 
Fixed in Version5.45 
Summary0000465: SIGSEGV crash in cdf_ctime when musl is used (malicious Office document)

We found that libmagic crashes when certain Office documents are provided.

When we use libmagic compiled with glibc, we get the following result:

bad-file-5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 1252, Title: WinCC-Graphics-Document, Comments: Saved with Version: K6.0.2.0Saved with Version: K6.0.2.8Saved with Version: K6.0.3.0Saved with Version: K6.0.4.0Saved with Version: V6.2 incl. SP2Saved with Version: V6.2 incl. SP3 incl. HF12Saved with Version: V7.0 incl. SP3, Revision Number: 619, Total Editing Time: *Bad* 0x000000bb2bb31ea9, Last Saved Time/Date: Wed Jun 21 08:30:38 2023, Create Time/Date: Fri Feb 8 10:14:53 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Grafexe, 0x80000002: 0

As you may notice, Total Editing Time is malformed and is shown as `*Bad* 0x000000bb2bb31ea9`. Unfortunately, when we use musl, we get segfault in asctime_r function called by cdf_ctime.

After checking the root cause in gdb, we found that asctime_r (used by ctime_r) expects that result will fit in buffer having 26 bytes. When it exceeds the limit: glibc returns NULL and sets errno to EOVERFLOW
(, which is then handled by cdf_ctime code. Unfortunately, musl is more cautious and calls `a_crash()` which results in `HLT` trap
causing SIGSEGV crash (

It looks like libmagic must validate time_t structure whether fields are in correct ranges before applying it to ctime_r.

Bug also occurs in earlier versions of file (git blame shows that affected code wasn't changed for several years).
Steps To ReproduceWe used the following Dockerfile:

FROM python:3.8-alpine AS build
RUN apk add --no-cache build-base autoconf automake libtool gdb

COPY file /app/file
WORKDIR /app/file
RUN autoreconf -i
RUN ./configure
RUN make

COPY bad-file-5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81 /app/
Additional InformationTest file: 5c695a37c4eb17703e1d4b95b8c2366bcead07171d3ccb22c091a77bee9c9c81 (MALICIOUS DOCUMENT, attached zip with password 'infected'.)

Related issue:

Tagsbug, cdf



2023-07-06 12:09



2023-07-17 15:55

manager   ~0003957

Fixed, thanks!

Issue History

Date Modified Username Field Change
2023-07-06 12:09 psrok1 New Issue
2023-07-06 12:09 psrok1 Tag Attached: bug
2023-07-06 12:09 psrok1 Tag Attached: cdf
2023-07-06 12:09 psrok1 File Added:
2023-07-17 15:54 christos Assigned To => christos
2023-07-17 15:54 christos Status new => assigned
2023-07-17 15:55 christos Status assigned => resolved
2023-07-17 15:55 christos Resolution open => fixed
2023-07-17 15:55 christos Fixed in Version => 5.45
2023-07-17 15:55 christos Note Added: 0003957