PHP has released versions 5.4.30 and 5.5.14 on June 26:
http://www.php.net/archive/2014.php#id2014-06-26-1

The ChangeLogs list more CVEs fixed in file/libmagic:
http://www.php.net/ChangeLog-5.php#5.4.30
http://www.php.net/ChangeLog-5.php#5.5.14

First of all, all of these issues are fixed upstream in file 5.19 (already in Cauldron).

Secondly, as it turns out, we already fixed CVE-2014-0207 in our previous file update. I posted a comment to our previous bug about that here:
https://bugs.mageia.org/show_bug.cgi?id=13460#c9

Third, I already knew about the other issues, but just didn't have the CVEs until they were included in PHP's ChangeLog. I had posted about them on a bug about the gd library (as both libgd and libmagic are bundled in PHP) and had already checked the patches into SVN:
https://bugs.mageia.org/show_bug.cgi?id=13021#c7

These issues also affect PHP of course, and will be included in our next PHP update:
https://bugs.mageia.org/show_bug.cgi?id=13532
Patched packages uploaded for Mageia 3 and Mageia 4.

Note: could someone please update the advisory in Bug 13460 in SVN? Thanks.

Advisory:
========================

Updated file packages fix security vulnerabilities:

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

Note: these issues were announced as part of the upstream PHP 5.4.30 release, as PHP bundles file's libmagic library. Their announcement also references an issue in CDF file parsing, CVE-2014-0207, which was previously fixed in the file package in MGASA-2014-0252, but was not announced at that time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://www.php.net/ChangeLog-5.php#5.4.30
========================

Updated packages in core/updates_testing:
========================
file-5.12-8.5.mga3
libmagic1-5.12-8.5.mga3
libmagic-devel-5.12-8.5.mga3
libmagic-static-devel-5.12-8.5.mga3
python-magic-5.12-8.5.mga3
file-5.16-1.4.mga4
libmagic1-5.16-1.4.mga4
libmagic-devel-5.16-1.4.mga4
libmagic-static-devel-5.16-1.4.mga4
python-magic-5.16-1.4.mga4

from SRPMS:
file-5.12-8.5.mga3.src.rpm
file-5.16-1.4.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO
URL: (none) => http://lwn.net/Vulnerabilities/603974/
Tested mga4_32 & mga4_64.

Testing complete for new update file-5.16-1.4.mga4. OK for me, seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*
Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +
Shows long list.

Testing python-magic:

$ cat test_python-magic.py
    import os
    import magic

    path = os.path.expanduser('~')
    listing = os.listdir(path)
    for infile in listing:
        ms = magic.open(magic.NONE)
        ms.load()
        tp = ms.file(os.path.join(path, infile))
        print(infile + " " + tp)

$ python test_python-magic.py
Shows a long list.
CC: (none) => geiger.david68210
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK
Tested mga3_32 & mga3_64.

Testing complete for new update file-5.12-8.5.mga3. OK for me, seems to work properly.

Same procedure as https://bugs.mageia.org/show_bug.cgi?id=13460#c4

$ file ~/*
Shows long list.

$ find . -maxdepth 1 -type f -exec file {} +
Shows long list.

Testing python-magic:

$ cat test_python-magic.py
    import os
    import magic

    path = os.path.expanduser('~')
    listing = os.listdir(path)
    for infile in listing:
        ms = magic.open(magic.NONE)
        ms.load()
        tp = ms.file(os.path.join(path, infile))
        print(infile + " " + tp)

$ python test_python-magic.py
Shows a long list.
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
Validated update, advisory uploaded. Please push file to Mageia 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0282.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED