Bug 13603 - file new security issues CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, and CVE-2014-3487
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603974/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32...
Keywords: validated_update
Reported: 2014-06-27 17:16 CEST by David Walser
Modified: 2014-07-04 20:54 CEST (History)
Source RPM: file-5.16-1.3.mga4.src.rpm

Description David Walser 2014-06-27 17:16:03 CEST
PHP has released versions 5.4.30 and 5.5.14 on June 26:
http://www.php.net/archive/2014.php#id2014-06-26-1

The ChangeLogs list more CVEs fixed in file/libmagic:
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14

First of all, all of these issues are fixed upstream in file 5.19 (already in Cauldron).

Secondly, as it turns out, we already fixed CVE-2014-0207 in our previous file update.  I posted a comment to our previous bug about that here:
https://bugs.mageia.org/show_bug.cgi?id=13460#c9

Third, I already knew about the other issues, but just didn't have the CVEs until they were included in PHP's ChangeLog.  I had posted about them on a bug about the gd library (as both libgd and libmagic are bundled in PHP) and had already checked the patches into SVN:
https://bugs.mageia.org/show_bug.cgi?id=13021#c7

These issues also affect PHP of course, and will be included in our next PHP update:
https://bugs.mageia.org/show_bug.cgi?id=13532

Comment 1 David Walser 2014-06-27 17:32:27 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Note: could someone please update the advisory in Bug 13460 in SVN?  Thanks.

Advisory:
========================

Updated file packages fix security vulnerabilities:

A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files, where the mconvert() function did not correctly
compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from
Composite Document Files (CDF) files, due to insufficient boundary checks on
buffers (CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

Note: these issues were announced as part of the upstream PHP 5.4.30 release,
as PHP bundles file's libmagic library.  Their announcement also references
an issue in CDF file parsing, CVE-2014-0207, which was previously fixed in
the file package in MGASA-2014-0252, but was not announced at that time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://www.php.net/ChangeLog-5.php#5.4.30
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.5.mga3
libmagic1-5.12-8.5.mga3
libmagic-devel-5.12-8.5.mga3
libmagic-static-devel-5.12-8.5.mga3
python-magic-5.12-8.5.mga3
file-5.16-1.4.mga4
libmagic1-5.16-1.4.mga4
libmagic-devel-5.16-1.4.mga4
libmagic-static-devel-5.16-1.4.mga4
python-magic-5.16-1.4.mga4

from SRPMS:
file-5.12-8.5.mga3.src.rpm
file-5.16-1.4.mga4.src.rpm
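
One way to check a host's installed packages against the fixed builds listed in the comment above. This is an added example, not part of the original bug report or of Mageia's tooling. The function names are hypothetical, the version comparison is a simplified form of rpm's ordering (no epoch, '~' or '^' handling), and the sample input is constructed.

```python
import re

# Fixed builds from the advisory above, keyed by Mageia release tag.
FIXED = {"mga3": "5.12-8.5.mga3", "mga4": "5.16-1.4.mga4"}
PACKAGES = ("file", "libmagic1", "libmagic-devel",
            "libmagic-static-devel", "python-magic")

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric, so 10 > 4
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_lines):
    """Return {package: (installed, status)} for the advisory's packages."""
    result = {}
    for line in rpm_lines:
        name, evr = line.split()
        if name not in PACKAGES:
            continue
        fixed = FIXED.get(evr.rsplit(".", 1)[-1])   # release tag, e.g. 'mga4'
        if fixed is None:
            status = "unknown-release"
        else:
            status = "fixed" if evr_cmp(evr, fixed) >= 0 else "needs-update"
        result[name] = (evr, status)
    return result

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = ["file 5.16-1.3.mga4", "libmagic1 5.16-1.4.mga4",
          "python-magic 5.12-8.5.mga3", "bash 4.2-50.mga4"]
```

Calling audit(SAMPLE) flags only the file package, which is still at the 5.16-1.3.mga4 build named in the Source RPM field.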
Comment 2 David GEIGER 2014-07-03 22:00:31 CEST
Tested mga4_32 & mga4_64,

Testing complete for new update file-5.16-1.4.mga4. OK for me; seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*

Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +

Shows long list.


Testing python-magic:

$ cat test_python-magic.py
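import os
import magic

# Identify every entry in the home directory with file's libmagic bindings
path = os.path.expanduser('~')
ms = magic.open(magic.NONE)   # one handle is enough for all files
ms.load()                     # load the default magic database
for infile in os.listdir(path):
    tp = ms.file(os.path.join(path, infile))
    # file() returns None on error; ms.error() holds the reason
    print(infile + " " + (tp if tp is not None else "error: " + str(ms.error())))
ms.close()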


$ python test_python-magic.py

Shows a long list
Comment 3 David GEIGER 2014-07-03 22:03:03 CEST
Tested mga3_32 & mga3_64,

Testing complete for new update file-5.12-8.5.mga3. OK for me; seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*

Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +

Shows long list.


Testing python-magic:

$ cat test_python-magic.py
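import os
import magic

# Identify every entry in the home directory with file's libmagic bindings
path = os.path.expanduser('~')
ms = magic.open(magic.NONE)   # one handle is enough for all files
ms.load()                     # load the default magic database
for infile in os.listdir(path):
    tp = ms.file(os.path.join(path, infile))
    # file() returns None on error; ms.error() holds the reason
    print(infile + " " + (tp if tp is not None else "error: " + str(ms.error())))
ms.close()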


$ python test_python-magic.py

Shows a long list
Comment 4 Rémi Verschelde 2014-07-03 22:24:59 CEST
Validated update, advisory uploaded.

Please push file to Mageia 3 & 4 core/updates.
Comment 5 Thomas Backlund 2014-07-04 20:54:58 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0282.html