Bug 13603

Summary: file new security issues CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, and CVE-2014-3487
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/603974/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
Source RPM: file-5.16-1.3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-06-27 17:16:03 CEST 
PHP has released versions 5.4.30 and 5.5.14 on June 26:
http://www.php.net/archive/2014.php#id2014-06-26-1

The ChangeLogs list more CVEs fixed in file/libmagic:
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14

First of all, all of these issues are fixed upstream in file 5.19 (already in Cauldron).

Secondly, as it turns out, we already fixed CVE-2014-0207 in our previous file update.  I posted a comment to our previous bug about that here:
https://bugs.mageia.org/show_bug.cgi?id=13460#c9

Third, I already knew about the other issues, but just didn't have the CVEs until they were included in PHP's ChangeLog.  I had posted about them on a bug about the gd library (as both libgd and libmagic are bundled in PHP) and had already checked the patches into SVN:
https://bugs.mageia.org/show_bug.cgi?id=13021#c7

These issues also affect PHP of course, and will be included in our next PHP update:
https://bugs.mageia.org/show_bug.cgi?id=13532

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-06-27 17:32:27 CEST 
Patched packages uploaded for Mageia 3 and Mageia 4.

Note: could someone please update the advisory in Bug 13460 in SVN?  Thanks.

Advisory:
========================

Updated file packages fix security vulnerabilities:

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files, where the mconvert() function did not correctly
compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from
Composite Document Files (CDF) files, due to insufficient boundary checks on
buffers (CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

Note: these issues were announced as part of the upstream PHP 5.4.30 release,
as PHP bundles file's libmagic library.  Their announcement also references
an issue in CDF file parsing, CVE-2014-0207, which was previously fixed in
the file package in MGASA-2014-0252, but was not announced at that time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://www.php.net/ChangeLog-5.php#5.4.30
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.5.mga3
libmagic1-5.12-8.5.mga3
libmagic-devel-5.12-8.5.mga3
libmagic-static-devel-5.12-8.5.mga3
python-magic-5.12-8.5.mga3
file-5.16-1.4.mga4
libmagic1-5.16-1.4.mga4
libmagic-devel-5.16-1.4.mga4
libmagic-static-devel-5.16-1.4.mga4
python-magic-5.16-1.4.mga4

from SRPMS:
file-5.12-8.5.mga3.src.rpm
file-5.16-1.4.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO

David Walser 2014-06-30 23:16:22 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603974/

Comment 2 David GEIGER 2014-07-03 22:00:31 CEST 
Tested mga4_32 & mga4_64,

Testing complete for new update file-5.16-1.4.mga4, Ok for me seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*

Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +

Shows long list.


Testing python-magic:

$ cat test_python-magic.py
import os
import magic
 
path = os.path.expanduser('~')
listing = os.listdir(path)
for infile in listing:
    ms = magic.open(magic.NONE)
    ms.load()
    tp = ms.file(os.path.join(path, infile))
    print (infile + " " + tp)


$ python test_python-magic.py

Shows a long list

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 3 David GEIGER 2014-07-03 22:03:03 CEST 
Tested mga3_32 & mga3_64,

Testing complete for new update file-5.12-8.5.mga3, Ok for me seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*

Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +

Shows long list.


Testing python-magic:

$ cat test_python-magic.py
import os
import magic
 
path = os.path.expanduser('~')
listing = os.listdir(path)
for infile in listing:
    ms = magic.open(magic.NONE)
    ms.load()
    tp = ms.file(os.path.join(path, infile))
    print (infile + " " + tp)


$ python test_python-magic.py

Shows a long list

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 4 RĂ©mi Verschelde 2014-07-03 22:24:59 CEST 
Validated update, advisory uploaded.

Please push file to Mageia 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Thomas Backlund 2014-07-04 20:54:58 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0282.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED