Bug 23183 - file new security issue CVE-2018-10360
Summary: file new security issue CVE-2018-10360
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-14 23:24 CEST by David Walser
Modified: 2018-06-25 00:03 CEST

See Also:
Source RPM: file-5.33-1.mga7.src.rpm
CVE: CVE-2018-10360
Status comment: Patch available from Ubuntu and upstream


Description David Walser 2018-06-14 23:24:31 CEST
Ubuntu has issued an advisory today (June 14):
https://usn.ubuntu.com/3686-1/

Ubuntu has backported patches and the upstream commit is linked from here:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10360.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-14 23:25:53 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Status comment: (none) => Patch available from Ubuntu and upstream

Comment 1 Marja Van Waes 2018-06-16 12:13:05 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing the two last committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => jackal.j, marja11, smelror

Comment 2 David Walser 2018-06-17 19:56:37 CEST
Fedora has issued an advisory for this on June 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HUNQID6XXIM7VTAQ5COXNYLFMCFPMAG3/
Comment 3 Nicolas Salguero 2018-06-19 11:37:49 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. (CVE-2018-10360)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10360
https://usn.ubuntu.com/3686-1/
========================

Updated package in 5/core/updates_testing:
========================
file-5.19-10.2.mga5
lib(64)magic1-5.19-10.2.mga5
lib(64)magic-devel-5.19-10.2.mga5
lib(64)magic-static-devel-5.19-10.2.mga5
python-magic-5.19-10.2.mga5

from SRPMS:
file-5.19-10.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
file-5.25-5.1.mga6
lib(64)magic1-5.25-5.1.mga6
lib(64)magic-devel-5.25-5.1.mga6
lib(64)magic-static-devel-5.25-5.1.mga6
python-magic-5.25-5.1.mga6
python3-magic-5.25-5.1.mga6

from SRPMS:
file-5.25-5.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-10360
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED

Comment 4 Len Lawrence 2018-06-19 12:37:11 CEST
Mageia 6, x86_64

No reproducers available.  Installed a couple of missing packages then updated them.  Clean install.

$ file b*
bachtrumpet: ASCII text
backup:      directory
backup1:     directory
bin:         directory
bin.tar:     POSIX tar archive (GNU)
blurb:       ASCII text
bugid:       ASCII text
bundle:      directory
bundle.tar:  POSIX tar archive (GNU)
$ file RAW.tar
RAW.tar: POSIX tar archive (GNU)
$ file /bin/glxpixmap
/bin/glxpixmap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=820e0d7a5fe0301d46e848d7ab3a6666be9c9ee6, stripped

Shall look into the various options later but on the face of it file works fine.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-06-19 18:35:01 CEST
Mageia 5, x86_64

Packages updated cleanly.

$ file s*
safe:      directory
shortlist: ASCII text
skins2:    symbolic link to `.local/share/vlc/skins2'
stella:    directory
symbols:   UTF-8 Unicode text

A somewhat contrived example of reading filenames from files.

$ file -f python3 -f puppet
qa/python3/audio-testcase.wav:                                   RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit 44100 Hz
qa/python3/button.py:                                            Python script, ASCII text executable
qa/python3/Destination Moon Irving Pichel, 1950-fsXVfddSF_A.mp4: ISO Media, MPEG v4 system, version 1
qa/python3/ᴴᴰ [Documentary] Destination - Titan-uE5POhMnN78.mkv: Matroska data
qa/python3/fibonacci.py:                                         Python script, ASCII text executable
qa/python3/sieve.py:                                             Python script, ASCII text executable
qa/python3/tkinter:                                              ASCII text
qa/puppet/hello_world.pp:         ASCII text
qa/puppet/intro:                  UTF-8 Unicode text
qa/puppet/links:                  UTF-8 Unicode text
qa/puppet/look at me,:            empty
qa/puppet/mynode.pp:              a /usr/bin/env puppet script, ASCII text executable
qa/puppet/puppet.conf:            ASCII text
qa/puppet/puppet-mode-master/:    directory
qa/puppet/puppet-mode-master.zip: Zip archive data, at least v1.0 to extract
qa/puppet/report.22589b:          C++ source, UTF-8 Unicode text

$ file fontdemo.gz
fontdemo.gz: gzip compressed data, was "fontdemo", last modified: Mon Mar  9 22:58:34 2015, from Unix
$ file -z fontdemo.gz
fontdemo.gz: Ruby script, ASCII text executable (gzip compressed data, was "fontdemo", last modified: Mon Mar  9 22:58:34 2015, from Unix)

Examining special files.

$ sudo file -s /dev/usb
/dev/usb: directory
$ sudo file -s /dev/usb/hiddev0
hangs.....
$ file -s /dev/stdout
/dev/stdout: symbolic link to `/proc/self/fd/1'
$ sudo file /dev/net/tun
/dev/net/tun: character special (10/200)
$ sudo file -s /dev/port
/dev/port: data

This all looks OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 6 Len Lawrence 2018-06-20 10:35:25 CEST
Mageia 6, x86_64

Ran a few more tests like those in comment 5.  The mga5 and mga6 systems have access to the same files.  The tests returned similar results.

OK for 64-bits.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 7 claire robinson 2018-06-24 21:52:35 CEST
Validating. Advisoried.

Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-06-25 00:03:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0295.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

