Bug 18102

Summary: file new memory corruption security issue (CVE-2015-8865)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, dpremy, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/682759/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Source RPM: file-5.19-10.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-31 17:08:37 CEST 
The PHP 5.6.20 update (Bug 18101) fixes an issue in the PHP fileinfo module, which came from a bug in file itself, which was fixed here:
https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36

I've added that patch to our Mageia 5 file package.

Advisory:
========================

Updated file packages fix security vulnerability:

The file command was vulnerable to a buffer over-write in with a malformed
magic file.

References:
http://git.php.net/?p=php-src.git;a=commit;h=5272184a1ed0c5c6144e80bed6fb1951601ec3bc
========================

Updated packages in core/updates_testing:
========================
file-5.19-10.1.mga5
libmagic1-5.19-10.1.mga5
libmagic-devel-5.19-10.1.mga5
libmagic-static-devel-5.19-10.1.mga5
python-magic-5.19-10.1.mga5

from file-5.19-10.1.mga5.src.rpm
Dave Hodgins 2016-03-31 19:26:22 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 David Remy 2016-03-31 22:36:28 CEST 
Not too sure how to fully test the memory leak however basic usage of file is still working.

Tested on:
  Mageia release 5 (Official) for x86_64

Package(s) Under Test:
  file-5.19-10.mga5.x86_64

Package(s) Testing Pre Upgrade:
  %urpmi file
  Package file-5.19-10.mga5.x86_64 is already installed

  %file -s /dev/vda{1,2,3,4,5}
  /dev/vda1: Linux rev 1.0 ext4 filesystem data, UUID=c37071fe-a421-42eb-8f2a-6c3900e4405b (needs journal recovery) (extents) (large files) (huge files)
  /dev/vda2: DOS/MBR boot sector
  /dev/vda3: cannot open `/dev/vda3' (No such file or directory)
  /dev/vda4: cannot open `/dev/vda4' (No such file or directory)
  /dev/vda5: Linux/i386 swap file (new style), ver

  %file -s /usr/bin/urpm*
  /usr/bin/urpmf:                 Perl script, ASCII text executable
  /usr/bin/urpmi_rpm-find-leaves: symbolic link to `rpm-find-leaves'
  /usr/bin/urpmi.update:          POSIX shell script, ASCII text executable
  /usr/bin/urpmq:                 Perl script, ASCII text executable

Package(s) Testing Upgrade:
  %urpmi file
  Package file-5.19-10.1.mga5.x86_64 is already installed

  %file -s /dev/vda{1,2,3,4,5}
  /dev/vda1: Linux rev 1.0 ext4 filesystem data, UUID=c37071fe-a421-42eb-8f2a-6c3900e4405b (needs journal recovery) (extents) (large files) (huge files)
  /dev/vda2: DOS/MBR boot sector
  /dev/vda3: cannot open `/dev/vda3' (No such file or directory)
  /dev/vda4: cannot open `/dev/vda4' (No such file or directory)
  /dev/vda5: Linux/i386 swap file (new style), version 1 (4K pages), size 606641 pages, no label, UUID=97bef969-2973-4d11-9bed-b929bf60a3c4

  %file -s /usr/bin/urpm*
  /usr/bin/urpmf:                 Perl script, ASCII text executable
  /usr/bin/urpmi_rpm-find-leaves: symbolic link to `rpm-find-leaves'
  /usr/bin/urpmi.update:          POSIX shell script, ASCII text executable
  /usr/bin/urpmq:                 Perl script, ASCII text executable

Kernal Version:
  4.1.15-desktop-2.mga5 x86_64

Hardware Information:
  product: Standard PC (i440FX + PIIX, 1996)
  vendor: QEMU

CC: (none) => dpremy
Whiteboard: advisory => MGA5-64-OK advisory

Comment 2 Brian Rockwell 2016-04-02 23:00:32 CEST 
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linu

[root@localhost brian]# urpmi file
Package file-5.19-10.1.mga5.x86_64 is already installed

[brian@localhost ~]$ file journ_20160318_afternoon.txt
journ_20160318_afternoon.txt: ASCII text, with very long lines

Ran it file * as well.  No issues I can identify.

MGA5-64-OK

CC: (none) => brtians1
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-64-OK

Brian Rockwell 2016-04-02 23:01:01 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Brian Rockwell 2016-04-02 23:01:51 CEST

Keywords: validated_update => (none)

Comment 3 Brian Rockwell 2016-04-02 23:16:15 CEST 
[brian@localhost ~]$ uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux

[root@localhost brian]# urpmi file
Package file-5.19-10.1.mga5.i586 is already installed
[root@localhost brian]# 

[brian@localhost php]$ file *
info.php: PHP script, UTF-8 Unicode (with BOM) text
[brian@localhost php]$ 


MGA5-32-ok

Whiteboard: MGA5-64-OK advisory MGA5-64-OK => MGA5-64-OK advisory MGA5-32-OK

Brian Rockwell 2016-04-02 23:16:46 CEST

Keywords: (none) => validated_update

Comment 4 Mageia Robot 2016-04-06 16:10:40 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0132.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-04-06 19:10:27 CEST

URL: (none) => http://lwn.net/Vulnerabilities/682759/

Comment 5 David Walser 2016-04-25 11:46:43 CEST 
CVE-2015-8865 has been assigned for this:
http://openwall.com/lists/oss-security/2016/04/24/1

Summary: file new memory corruption security issue => file new memory corruption security issue (CVE-2015-8865)