Ubuntu has issued an advisory today (June 14): https://usn.ubuntu.com/3686-1/ Ubuntu has backported patches and the upstream commit is linked from here: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10360.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Status comment: (none) => Patch available from Ubuntu and upstream
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the two last committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => jackal.j, marja11, smelror
Fedora has issued an advisory for this on June 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HUNQID6XXIM7VTAQ5COXNYLFMCFPMAG3/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10360
https://usn.ubuntu.com/3686-1/
========================

Updated package in 5/core/updates_testing:
========================
file-5.19-10.2.mga5
lib(64)magic1-5.19-10.2.mga5
lib(64)magic-devel-5.19-10.2.mga5
lib(64)magic-static-devel-5.19-10.2.mga5
python-magic-5.19-10.2.mga5

from SRPMS:
file-5.19-10.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
file-5.25-5.1.mga6
lib(64)magic1-5.25-5.1.mga6
lib(64)magic-devel-5.25-5.1.mga6
lib(64)magic-static-devel-5.25-5.1.mga6
python-magic-5.25-5.1.mga6
python3-magic-5.25-5.1.mga6

from SRPMS:
file-5.25-5.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-10360
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
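The advisory above describes an out-of-bounds read while file(1) walks the notes of a crafted ELF core file. What follows is an added illustration, not code from libmagic's readelf.c and not a reproducer for CVE-2018-10360 (the testers in this report had none): a Python walker over ELF note records, the structure that do_core_note parses, which compares every namesz/descsz against the bytes that remain before it slices, and rejects a record whose descsz claims more than the buffer holds. The function names, the sample notes and the 0x200 type value used for the second note are assumptions made for the illustration.

```python
import struct

# ELF note record header: namesz, descsz, type as three 32-bit words
# (Elf32_Nhdr and Elf64_Nhdr share this layout). The name and the
# descriptor follow, each padded to a 4-byte boundary. Little-endian
# here, matching x86-64 core files.
NOTE_HDR = struct.Struct("<III")
NT_PRSTATUS = 1  # note type carrying the thread status in core files


class NoteError(ValueError):
    """Raised when a length field would run past the end of the note area."""


def pad4(data):
    return data + b"\0" * (-len(data) % 4)


def build_note(name, ntype, desc):
    """Encode one note record; the name is NUL-terminated inside the record."""
    name_z = name + b"\0"
    return NOTE_HDR.pack(len(name_z), len(desc), ntype) + pad4(name_z) + pad4(desc)


def parse_notes(buf, offset=0, end=None):
    """Walk the note records in buf[offset:end] and return (name, type, desc).

    Each length field is compared with the bytes that remain BEFORE it is
    used to address memory. In a C parser, skipping that comparison is what
    turns an attacker-chosen namesz/descsz into an out-of-bounds read.
    """
    if end is None:
        end = len(buf)
    if not 0 <= offset <= end <= len(buf):
        raise NoteError("note area lies outside the buffer")
    notes = []
    pos = offset
    while pos < end:
        if end - pos < NOTE_HDR.size:
            raise NoteError(f"truncated note header at offset {pos}")
        namesz, descsz, ntype = NOTE_HDR.unpack_from(buf, pos)
        pos += NOTE_HDR.size
        name_len = (namesz + 3) & ~3
        if name_len > end - pos:
            raise NoteError(f"namesz {namesz} exceeds the {end - pos} remaining bytes")
        name = buf[pos:pos + namesz].rstrip(b"\0")
        pos += name_len
        desc_len = (descsz + 3) & ~3
        if desc_len > end - pos:
            raise NoteError(f"descsz {descsz} exceeds the {end - pos} remaining bytes")
        desc = buf[pos:pos + descsz]
        pos += desc_len
        notes.append((name, ntype, desc))
    return notes


def notes_are_well_formed(buf):
    """True if every record fits inside buf, False if any length runs past it."""
    try:
        parse_notes(buf)
        return True
    except NoteError:
        return False


# Constructed sample input: two well-formed notes of the kind a core file
# carries (the second note's type 0x200 is an arbitrary value for the sample).
GOOD_NOTES = (build_note(b"CORE", NT_PRSTATUS, b"\x11" * 8)
              + build_note(b"LINUX", 0x200, b"\x22" * 4))

# Constructed crafted input: a valid-looking header whose descsz claims far
# more descriptor bytes than the record actually provides.
CRAFTED_NOTES = (NOTE_HDR.pack(5, 0x7FFFFFFF, NT_PRSTATUS)
                 + pad4(b"CORE\0") + b"\x33" * 8)

if __name__ == "__main__":
    for name, ntype, desc in parse_notes(GOOD_NOTES):
        print(name.decode(), hex(ntype), len(desc))
    print("crafted input accepted:", notes_are_well_formed(CRAFTED_NOTES))
```

The same shape of check applies to any length-prefixed record a file-type identifier walks: the untrusted length is bounded by the remaining input before it is used, and a record that does not fit ends the walk with an error rather than a read beyond the buffer.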
Mageia 6, x86_64

No reproducers available. Installed a couple of missing packages then updated them. Clean install.

$ file b*
bachtrumpet: ASCII text
backup: directory
backup1: directory
bin: directory
bin.tar: POSIX tar archive (GNU)
blurb: ASCII text
bugid: ASCII text
bundle: directory
bundle.tar: POSIX tar archive (GNU)

$ file RAW.tar
RAW.tar: POSIX tar archive (GNU)

$ file /bin/glxpixmap
/bin/glxpixmap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=820e0d7a5fe0301d46e848d7ab3a6666be9c9ee6, stripped

Shall look into the various options later but on the face of it file works fine.
CC: (none) => tarazed25
Mageia 5, x86_64

Packages updated cleanly.

$ file s*
safe: directory
shortlist: ASCII text
skins2: symbolic link to `.local/share/vlc/skins2'
stella: directory
symbols: UTF-8 Unicode text

A somewhat contrived example of reading filenames from files.

$ file -f python3 -f puppet
qa/python3/audio-testcase.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit 44100 Hz
qa/python3/button.py: Python script, ASCII text executable
qa/python3/Destination Moon Irving Pichel, 1950-fsXVfddSF_A.mp4: ISO Media, MPEG v4 system, version 1
qa/python3/ᴴᴰ [Documentary] Destination - Titan-uE5POhMnN78.mkv: Matroska data
qa/python3/fibonacci.py: Python script, ASCII text executable
qa/python3/sieve.py: Python script, ASCII text executable
qa/python3/tkinter: ASCII text
qa/puppet/hello_world.pp: ASCII text
qa/puppet/intro: UTF-8 Unicode text
qa/puppet/links: UTF-8 Unicode text
qa/puppet/look at me,: empty
qa/puppet/mynode.pp: a /usr/bin/env puppet script, ASCII text executable
qa/puppet/puppet.conf: ASCII text
qa/puppet/puppet-mode-master/: directory
qa/puppet/puppet-mode-master.zip: Zip archive data, at least v1.0 to extract
qa/puppet/report.22589b: C++ source, UTF-8 Unicode text

$ file fontdemo.gz
fontdemo.gz: gzip compressed data, was "fontdemo", last modified: Mon Mar 9 22:58:34 2015, from Unix

$ file -z fontdemo.gz
fontdemo.gz: Ruby script, ASCII text executable (gzip compressed data, was "fontdemo", last modified: Mon Mar 9 22:58:34 2015, from Unix)

Examining special files.

$ sudo file -s /dev/usb
/dev/usb: directory

$ sudo file -s /dev/usb/hiddev0
hangs.....

$ file -s /dev/stdout
/dev/stdout: symbolic link to `/proc/self/fd/1'

$ sudo file /dev/net/tun
/dev/net/tun: character special (10/200)

$ sudo file -s /dev/port
/dev/port: data

This all looks OK.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Mageia 6, x86_64 Ran a few more tests like those in comment 5. The mga5 and mga6 systems have access to the same files. The tests returned similar results. OK for 64-bits.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Validating. Advisoried.
Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0295.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED