Fedora has issued an advisory on October 27: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html The RedHat bug has links to upstream commits in file and PHP to fix this: https://bugzilla.redhat.com/show_bug.cgi?id=1155071 I'll file PHP in another bug report. Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated file packages fix security vulnerability: An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file. This could possibly lead to file executable crash (CVE-2014-3710). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710 https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141536.html ======================== Updated packages in core/updates_testing: ======================== file-5.12-8.8.mga3 libmagic1-5.12-8.8.mga3 libmagic-devel-5.12-8.8.mga3 libmagic-static-devel-5.12-8.8.mga3 python-magic-5.12-8.8.mga3 file-5.16-1.7.mga4 libmagic1-5.16-1.7.mga4 libmagic-devel-5.16-1.7.mga4 libmagic-static-devel-5.16-1.7.mga4 python-magic-5.16-1.7.mga4 from SRPMS: file-5.12-8.8.mga3.src.rpm file-5.16-1.7.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 14412
Blocks: 14412 => (none)
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13460#c4 Besides running the file command on ~/* (i.e., the files in your home directory), you should also run it on some ELF files, as that's what's impacted by this update. Perhaps "file /usr/bin/*" and there will also be a ton of output and it shouldn't crash :o)
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete Mageia 3 i586 and Mageia 4 i586.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Testing MGA4 x64 Updated from Updates Testing to: python-magic-5.16-1.7.mga4 lib64magic1-5.16-1.7.mga4 file-5.16-1.7.mga4 $ file * showed all non-hidden files etc OK, sorted. $ file .* showed all hidden files etc OK, sorted. $ file /usr/bin/* showed screenfuls of files etc, sorted, mostly type ELF. No crash. Using the script referenced in Comment 1 (thanks David & Claire) - but watch the indentation ! ... $ python tmp/test.py showed all visible *and* hidden files OK, unsorted. Test deemed good, complete for Mageia 4 x64.
CC: (none) => lewyssmithWhiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK
Testing complete mga3 64 Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0439.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
String subject that went out on the e-mail for this advisory: "MGASA-2014-0439 - Updated [package] package fix CVE-2014-3710"