Bug 13667

Summary: file new security issue CVE-2014-3538
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, oe, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/604601/
Whiteboard: MGA3TOO MGA3-32-OK MGA4-32-OK advisory
Source RPM: file-5.16-1.4.mga4.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 13701    

Description David Walser 2014-07-03 16:35:37 CEST 
Another issue fixed in file 5.19 has been assigned a CVE:
https://bugzilla.redhat.com/show_bug.cgi?id=1098222

The file package is already up to date in Cauldron.  Mageia 3 is affected.

The fix appears to be more involved than some other recent fixes, so I'll see what other distros do for backporting a fix.

I'm not sure the current status of this in PHP, but it is affected as well.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-03 16:35:46 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-07-08 01:33:17 CEST 
Fedora has issued an advisory for this on July 1:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135082.html

URL: (none) => http://lwn.net/Vulnerabilities/604601/

David Walser 2014-07-09 17:18:51 CEST

Blocks: (none) => 13701

Comment 2 Oden Eriksson 2014-07-29 11:17:44 CEST 
Fixed with file-5.12-8.6.mga3 and file-5.16-1.5.mga4.

CC: (none) => oe

Comment 3 David Walser 2014-07-29 12:27:04 CEST 
Thanks Oden!

Advisory:
========================

Updated file packages fix security vulnerability:

file before 5.19 does not properly restrict the amount of data read during
a regex search, which allows remote attackers to cause a denial of service
(CPU consumption) via a crafted file that triggers backtracking during
processing of an awk rule, due to an incomplete fix for CVE-2013-7345
(CVE-2014-3538).

The Mageia 3 update also fixes a possible crash in softmagic.c due to an
improperly rediffed patch for a memory leak in a previous update (mga#13701).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
http://www.ubuntu.com/usn/usn-2278-1/
https://bugs.mageia.org/show_bug.cgi?id=13701
https://bugs.mageia.org/show_bug.cgi?id=13667
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.6.mga3
libmagic1-5.12-8.6.mga3
libmagic-devel-5.12-8.6.mga3
libmagic-static-devel-5.12-8.6.mga3
python-magic-5.12-8.6.mga3
file-5.16-1.5.mga4
libmagic1-5.16-1.5.mga4
libmagic-devel-5.16-1.5.mga4
libmagic-static-devel-5.16-1.5.mga4
python-magic-5.16-1.5.mga4

from SRPMS:
file-5.12-8.6.mga3.src.rpm
file-5.16-1.5.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 David Walser 2014-08-01 15:41:21 CEST 
Validating this.  See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

Note that Mandriva has already released this update and the Bug 13701 fix has already been verified by the reporter.

The advisory still needs to be uploaded.

Please push this to core/updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Rémi Verschelde 2014-08-01 23:39:30 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO advisory

Comment 6 Rémi Verschelde 2014-08-04 22:38:29 CEST 
Installs fine on Mageia 4 32bit, the "file" command produces the expected output.

Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory

Comment 7 Rémi Verschelde 2014-08-05 19:49:45 CEST 
Basic testing completed on Mageia 3 32bit.

Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory

Comment 8 Colin Guthrie 2014-08-05 22:17:00 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0307.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED