Bug 25615

Thank you for the notification.

This SRPM has no registered maintainer, so assigning the bug globally.
CC'ing DavidW both for security, & previous committer (I think); also Thierry for the latter.

Assignee: bugsquad => pkg-bugs
Source RPM: file => file-5.37-1.1.mga7.src.rpm
CC: (none) => luigiwalser, thierry.vignaud

Did not notice:
> this problem has been fixed in version 5.35-4
We have 5.37-1 . So this bug may possibly be outdated.

(In reply to Lewis Smith from comment #2)
> Did not notice:
> > this problem has been fixed in version 5.35-4

Thats the version / release that debian added the fix in...

> We have 5.37-1 . So this bug may possibly be outdated.

Nope,

fix added in  file-5.37-1.2.mga7 currently building

CC: (none) => tmb

SRPM:
file-5.37-1.2.mga7.src.rpm


i586:
file-5.37-1.2.mga7.i586.rpm
libmagic1-5.37-1.2.mga7.i586.rpm
libmagic-devel-5.37-1.2.mga7.i586.rpm
libmagic-static-devel-5.37-1.2.mga7.i586.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm


x86_64:
file-5.37-1.2.mga7.x86_64.rpm
lib64magic1-5.37-1.2.mga7.x86_64.rpm
lib64magic-devel-5.37-1.2.mga7.x86_64.rpm
lib64magic-static-devel-5.37-1.2.mga7.x86_64.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm

Assignee: pkg-bugs => qa-bugs

Zombie, please provide a link to the advisory and don't copy and paste the text.

Lewis, I am the security group, so I already get the e-mails.  You don't need to CC me.

Advisory link from October 25:
https://www.debian.org/security/2019/dsa-4550

Upstream commit that fixed it:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

No new upstream release with the fix yet.

Severity: normal => critical

Advisory:
========================

Updated file packages fix security vulnerability:

A buffer overflow was found in file which may result in denial of service or
potentially the execution of arbitrary code if a malformed CDF (Composite
Document File) file is processed (CVE-2019-18218).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
https://www.debian.org/security/2019/dsa-4550

Summary: file security vulnerability (CVE-2019-18218) => file new security issue CVE-2019-18218

Mageia 7, x86_64

CVE-2019-18218
Heap buffer overflow test case is available for the clusterfuzz framework, not generally available to the public.

Updated file and the referenced packages.

$ file -C
generated a magic.mgc file.
$ file magic.mgc
magic.mgc: magic binary file for file(1) cmd (version 14) (little endian)

Exclude ASCII text files:
$ file -e ascii *
1mbg1sqo.default-release.tar: POSIX tar archive (GNU)
backup:                       directory
bin:                          directory
binbag:                       directory
binbag.tar:                   POSIX tar archive (GNU)
bin.tar:                      POSIX tar archive (GNU)
bugid:                        data
Calibre Library:              directory
[...]

$ cd text
$ file * | grep ASCII
amazon:                       ASCII text
areca:                        ASCII text, with very long lines
emails:                       ASCII text
faad.txt:                     ASCII text
[...]

$ file -e ascii * | grep ASCII
$ cd
$ file -d *
produces a lot of internal debugging information.

Show valid extensions for file types:
$ file --extension * | egrep "jpg|png"
apple.png:                                                   png
Bandos.jpg:                                                  jpeg/jpg/jpe/jfif
CastleCrag_Borrowdale.jpg:                                   jpeg/jpg/jpe/jfif
dot.jpg:                                                     jpeg/jpg/jpe/jfif
emblem-cool.png:                                             png
[...]

$ ls ruby > rubylist
$ cd ruby
$ file -f ../rubylist
widgetlist.rb:         Ruby script, ASCII text
wrap.rb:               Ruby script, ASCII text
xosd/:                 directory
yieldself:             Ruby script, UTF-8 Unicode text

This was unexpected:
$ file -e elf /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)

$ file --mime Downloads/* > mime
$ cat mime
Downloads/092019_67P2.jpg:                      image/jpeg; charset=binary
Downloads/astro:                                inode/symlink; charset=binary
Downloads/Astronomy_Now_Newsalert.vcf:          text/vcard; charset=us-ascii
Downloads/big.png:                              image/png; charset=binary
Downloads/blender_manual.zip:                   application/zip; charset=binary
Downloads/Buxtehude_NetherlandsBachSociety.mkv: video/x-matroska; charset=binary
Downloads/HelloLucene.java:                     text/x-c; charset=us-ascii
Downloads/load-unicode-data.tex:                text/x-tex; charset=us-ascii
Downloads/nearstars:                            text/html; charset=utf-8
Downloads/periodic.html:                        text/html; charset=us-ascii
Downloads/ThePlanets_1_1.ts:                    application/octet-stream; 

$ file -b ThePlanets_1_1.ts
data

$ file PJFB_HR_2m.mov
PJFB_HR_2m.mov: ISO Media, Apple QuickTime movie, Apple QuickTime (.MOV/QT)
$ file --apple PJFB_HR_2m.mov
PJFB_HR_2m.mov: UNKNUNKN

$ sudo file -s /dev/sda*
/dev/sda:   DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 468862127 sectors, extended partition table (last)
/dev/sda1:  Linux rev 1.0 ext4 filesystem data, UUID=d78f09de-9c0e-40b5-96ec-bc1d3883c0b6 (needs journal recovery) (extents) (64bit) (large files) (huge files)
[...]

Just a sample of the options.  They work.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0308.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED