| Summary: | file new security issue CVE-2018-10360 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jackal.j, marja11, nicolas.salguero, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | file-5.33-1.mga7.src.rpm | CVE: | CVE-2018-10360 |
| Status comment: | Patch available from Ubuntu and upstream | ||
Description

David Walser 2018-06-14 23:24:31 CEST

David Walser 2018-06-14 23:25:53 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the two last committers.
Assignee: bugsquad => pkg-bugs

Fedora has issued an advisory for this on June 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HUNQID6XXIM7VTAQ5COXNYLFMCFPMAG3/

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10360
https://usn.ubuntu.com/3686-1/
========================

Updated package in 5/core/updates_testing:
========================
file-5.19-10.2.mga5
lib(64)magic1-5.19-10.2.mga5
lib(64)magic-devel-5.19-10.2.mga5
lib(64)magic-static-devel-5.19-10.2.mga5
python-magic-5.19-10.2.mga5

from SRPMS:
file-5.19-10.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
file-5.25-5.1.mga6
lib(64)magic1-5.25-5.1.mga6
lib(64)magic-devel-5.25-5.1.mga6
lib(64)magic-static-devel-5.25-5.1.mga6
python-magic-5.25-5.1.mga6
python3-magic-5.25-5.1.mga6

from SRPMS:
file-5.25-5.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs

Mageia 6, x86_64

No reproducers available.
Installed a couple of missing packages then updated them. Clean install.

$ file b*
bachtrumpet: ASCII text
backup: directory
backup1: directory
bin: directory
bin.tar: POSIX tar archive (GNU)
blurb: ASCII text
bugid: ASCII text
bundle: directory
bundle.tar: POSIX tar archive (GNU)
$ file RAW.tar
RAW.tar: POSIX tar archive (GNU)
$ file /bin/glxpixmap
/bin/glxpixmap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=820e0d7a5fe0301d46e848d7ab3a6666be9c9ee6, stripped

Shall look into the various options later but on the face of it file works fine.
CC: (none) => tarazed25

Mageia 5, x86_64

Packages updated cleanly.

$ file s*
safe: directory
shortlist: ASCII text
skins2: symbolic link to `.local/share/vlc/skins2'
stella: directory
symbols: UTF-8 Unicode text

A somewhat contrived example of reading filenames from files.

$ file -f python3 -f puppet
qa/python3/audio-testcase.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit 44100 Hz
qa/python3/button.py: Python script, ASCII text executable
qa/python3/Destination Moon Irving Pichel, 1950-fsXVfddSF_A.mp4: ISO Media, MPEG v4 system, version 1
qa/python3/ᴴᴰ [Documentary] Destination - Titan-uE5POhMnN78.mkv: Matroska data
qa/python3/fibonacci.py: Python script, ASCII text executable
qa/python3/sieve.py: Python script, ASCII text executable
qa/python3/tkinter: ASCII text
qa/puppet/hello_world.pp: ASCII text
qa/puppet/intro: UTF-8 Unicode text
qa/puppet/links: UTF-8 Unicode text
qa/puppet/look at me,: empty
qa/puppet/mynode.pp: a /usr/bin/env puppet script, ASCII text executable
qa/puppet/puppet.conf: ASCII text
qa/puppet/puppet-mode-master/: directory
qa/puppet/puppet-mode-master.zip: Zip archive data, at least v1.0 to extract
qa/puppet/report.22589b: C++ source, UTF-8 Unicode text

$ file fontdemo.gz
fontdemo.gz: gzip compressed data, was "fontdemo", last modified: Mon Mar 9 22:58:34 2015, from Unix
$ file -z fontdemo.gz
fontdemo.gz: Ruby script, ASCII text executable (gzip compressed data, was "fontdemo", last modified: Mon Mar 9 22:58:34 2015, from Unix)

Examining special files.

$ sudo file -s /dev/usb
/dev/usb: directory
$ sudo file -s /dev/usb/hiddev0
hangs.....
$ file -s /dev/stdout
/dev/stdout: symbolic link to `/proc/self/fd/1'
$ sudo file /dev/net/tun
/dev/net/tun: character special (10/200)
$ sudo file -s /dev/port
/dev/port: data

This all looks OK.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Mageia 6, x86_64

Ran a few more tests like those in comment 5. The mga5 and mga6 systems have access to the same files. The tests returned similar results. OK for 64-bits.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Validating. Advisoried.
Keywords: (none) => advisory, has_procedure, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0295.html
Status: ASSIGNED => RESOLVED
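The advisory text in this bug describes CVE-2018-10360 as an out-of-bounds read in file's do_core_note while it walks the notes of a crafted ELF. As an added illustration of that bug class, the following Python walks ELF note records with every length field checked against the bytes that actually remain before it is used to index the buffer. This is not code from file or libmagic and does not reproduce the upstream patch; the NT_* constants are the standard elf.h values, and the sample buffers (GOOD, TRUNCATED, OVERSIZED) are constructed here, not taken from any real core file.

```python
"""Bounded ELF note parsing (added example; not file/libmagic code).

Illustrates the check pattern that prevents the class of bug named in
CVE-2018-10360 (out-of-bounds read in file's do_core_note): each length read
from untrusted input is validated against the remaining buffer before use.
All sample notes are constructed below.
"""
import struct

# ELF note header: namesz, descsz, type (three 32-bit words, identical for
# ELF32 and ELF64). Little-endian is assumed for the constructed samples.
NOTE_HDR = struct.Struct("<III")

# Standard elf.h note types seen in core files; only the numbers matter here.
NT_PRSTATUS = 1
NT_PRPSINFO = 3
NT_AUXV = 6
NT_NAMES = {NT_PRSTATUS: "NT_PRSTATUS", NT_PRPSINFO: "NT_PRPSINFO", NT_AUXV: "NT_AUXV"}


class MalformedNote(ValueError):
    """Raised instead of reading outside the note buffer."""


def align4(n):
    """Note name and descriptor fields are padded to 4-byte boundaries."""
    return (n + 3) & ~3


def build_note(name, ntype, desc):
    """Serialise one well-formed note (used only to construct samples)."""
    nbytes = name.encode("ascii") + b"\0"
    out = NOTE_HDR.pack(len(nbytes), len(desc), ntype)
    out += nbytes.ljust(align4(len(nbytes)), b"\0")
    out += desc.ljust(align4(len(desc)), b"\0")
    return out


def parse_notes(buf):
    """Return [(name, ntype, desc), ...] for every note in buf.

    The bounds test is written as `length > remaining`, not
    `offset + length > end`: in C the latter form can wrap on a 32-bit size
    field and silently pass, which is exactly how over-reads slip through.
    """
    notes = []
    off, end = 0, len(buf)
    while off < end:
        if end - off < NOTE_HDR.size:
            raise MalformedNote("truncated note header at offset %d" % off)
        namesz, descsz, ntype = NOTE_HDR.unpack_from(buf, off)
        off += NOTE_HDR.size

        if namesz > end - off:
            raise MalformedNote("namesz %d exceeds %d remaining bytes" % (namesz, end - off))
        name = bytes(buf[off:off + namesz]).rstrip(b"\0").decode("ascii", "replace")
        off = min(align4(off + namesz), end)  # padding may end exactly at the buffer end

        if descsz > end - off:
            raise MalformedNote("descsz %d exceeds %d remaining bytes" % (descsz, end - off))
        desc = bytes(buf[off:off + descsz])
        off = min(align4(off + descsz), end)
        notes.append((name, ntype, desc))
    return notes


def summarize(buf):
    """One line per note, or a single 'rejected: ...' line for a bad buffer."""
    try:
        return ["%s %s (%d-byte desc)" % (name, NT_NAMES.get(t, "type %d" % t), len(desc))
                for name, t, desc in parse_notes(buf)]
    except MalformedNote as exc:
        return ["rejected: %s" % exc]


# --- constructed samples (not from any real core file) ---------------------
GOOD = build_note("CORE", NT_PRSTATUS, b"\x01" * 8) + build_note("CORE", NT_PRPSINFO, b"ABC")
# The second note's header survives but its name/descriptor bytes are cut off.
TRUNCATED = GOOD[:40]
# The header claims a ~4 GiB descriptor while only 4 bytes follow the name.
OVERSIZED = NOTE_HDR.pack(5, 0xFFFFFFF0, NT_PRSTATUS) + b"CORE\0\0\0\0" + b"\0" * 4

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("truncated", TRUNCATED), ("oversized", OVERSIZED)):
        print(label)
        for line in summarize(sample):
            print("  " + line)
```

The point of the two bad samples is that a parser which trusts `namesz`/`descsz` and slices or memcpy's by them would read past the buffer on both, whereas the bounded walker returns a diagnostic and stops; a tool like file should do the same rather than crash on untrusted input.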