Another issue fixed in file 5.19 has been assigned a CVE: https://bugzilla.redhat.com/show_bug.cgi?id=1098222 The file package is already up to date in Cauldron. Mageia 3 is affected. The fix appears to be more involved than some other recent fixes, so I'll see what other distros do for backporting a fix. I'm not sure the current status of this in PHP, but it is affected as well. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Fedora has issued an advisory for this on July 1: https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135082.html
URL: (none) => http://lwn.net/Vulnerabilities/604601/
Blocks: (none) => 13701
Fixed with file-5.12-8.6.mga3 and file-5.16-1.5.mga4.
CC: (none) => oe
Thanks Oden! Advisory: ======================== Updated file packages fix security vulnerability: file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538). The Mageia 3 update also fixes a possible crash in softmagic.c due to an improperly rediffed patch for a memory leak in a previous update (mga#13701). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://www.ubuntu.com/usn/usn-2278-1/ https://bugs.mageia.org/show_bug.cgi?id=13701 https://bugs.mageia.org/show_bug.cgi?id=13667 ======================== Updated packages in core/updates_testing: ======================== file-5.12-8.6.mga3 libmagic1-5.12-8.6.mga3 libmagic-devel-5.12-8.6.mga3 libmagic-static-devel-5.12-8.6.mga3 python-magic-5.12-8.6.mga3 file-5.16-1.5.mga4 libmagic1-5.16-1.5.mga4 libmagic-devel-5.16-1.5.mga4 libmagic-static-devel-5.16-1.5.mga4 python-magic-5.16-1.5.mga4 from SRPMS: file-5.12-8.6.mga3.src.rpm file-5.16-1.5.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 Note that Mandriva has already released this update and the Bug 13701 fix has already been verified by the reporter. The advisory still needs to be uploaded. Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remiWhiteboard: MGA3TOO => MGA3TOO advisory
Installs fine on Mageia 4 32bit, the "file" command produces the expected output.
Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory
Basic testing completed on Mageia 3 32bit.
Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory
Update pushed. http://advisories.mageia.org/MGASA-2014-0307.html
Status: NEW => RESOLVEDCC: (none) => mageiaResolution: (none) => FIXED