Bug 14411

Summary: file new security issue CVE-2014-3710
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/618453/
Whiteboard: MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK MGA4-64-OK
Source RPM: file-5.16-1.6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-29 18:34:15 CET 
Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html

The RedHat bug has links to upstream commits in file and PHP to fix this:
https://bugzilla.redhat.com/show_bug.cgi?id=1155071

I'll file PHP in another bug report.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated file packages fix security vulnerability:

An out-of-bounds read flaw was found in file's donote() function in the way
the file utility determined the note headers of a elf file. This could
possibly lead to file executable crash (CVE-2014-3710).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.8.mga3
libmagic1-5.12-8.8.mga3
libmagic-devel-5.12-8.8.mga3
libmagic-static-devel-5.12-8.8.mga3
python-magic-5.12-8.8.mga3
file-5.16-1.7.mga4
libmagic1-5.16-1.7.mga4
libmagic-devel-5.16-1.7.mga4
libmagic-static-devel-5.16-1.7.mga4
python-magic-5.16-1.7.mga4

from SRPMS:
file-5.12-8.8.mga3.src.rpm
file-5.16-1.7.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-29 18:34:21 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-10-29 18:35:50 CET

Blocks: (none) => 14412

David Walser 2014-10-29 18:36:52 CET

Blocks: 14412 => (none)

Comment 1 David Walser 2014-10-29 22:24:23 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13460#c4

Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update.  Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash :o)

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 David Walser 2014-10-29 22:32:15 CET 
Testing complete Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 Lewis Smith 2014-10-30 08:27:26 CET 
Testing MGA4 x64

Updated from Updates Testing to:
 python-magic-5.16-1.7.mga4
 lib64magic1-5.16-1.7.mga4
 file-5.16-1.7.mga4
$ file *           showed all non-hidden files etc OK, sorted.
$ file .*          showed all hidden files etc OK, sorted.
$ file /usr/bin/*  showed screenfuls of files etc, sorted, mostly type ELF.
No crash.
Using the script referenced in Comment 1 (thanks David & Claire) - but watch the indentation ! ...
$ python tmp/test.py      showed all visible *and* hidden files OK, unsorted.
Test deemed good, complete for Mageia 4 x64.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-10-30 10:30:54 CET 
Testing complete mga3 64

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-10-31 16:54:14 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0439.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2014-10-31 17:57:21 CET 
String subject that went out on the e-mail for this advisory:
"MGASA-2014-0439 - Updated [package] package fix CVE-2014-3710"