Fedora has issued an advisory on August 23: https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136989.html Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Note that this issue also affects PHP (see Bug 13964). Advisory: ======================== Updated file packages fix security vulnerability: A flaw was found in the way file uses cdf_read_property_info function when checks stream offsets for certain Composite Document Format (CDF). An insufficient input validation flaw for p and q minimal and maximal value, leads to a pointer overflow. This issue only affects 32bit systems (CVE-2014-3587). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587 https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136989.html ======================== Updated packages in core/updates_testing: ======================== file-5.12-8.7.mga3 libmagic1-5.12-8.7.mga3 libmagic-devel-5.12-8.7.mga3 libmagic-static-devel-5.12-8.7.mga3 python-magic-5.12-8.7.mga3 file-5.16-1.6.mga4 libmagic1-5.16-1.6.mga4 libmagic-devel-5.16-1.6.mga4 libmagic-static-devel-5.16-1.6.mga4 python-magic-5.16-1.6.mga4 from SRPMS: file-5.12-8.7.mga3.src.rpm file-5.16-1.6.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Testing complete mga4 64 Procedure: https://bugs.mageia.org/show_bug.cgi?id=13460#c4 A before, this relates to cdf files which are difficult to source and there is no public PoC.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0354.html
Status: NEW => RESOLVEDResolution: (none) => FIXED