Fedora has issued an advisory on March 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4JG7FM7W3R4C4P5R4PFNBYEGTQHASG2O/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Fedora advisory for this from March 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5DKJLTXLQCKG4GQNC5JUDGVGAJAJJ2K3/ So it looks like CVE-2019-8904 may not apply to older versions.
SUSE has issued an advisory on March 7: http://lists.suse.com/pipermail/sle-security-updates/2019-March/005176.html It also fixed CVE-2018-10360.
Summary: file new security issues CVE-2019-890[4-7] => file new security issues CVE-2018-10360 and CVE-2019-890[4-7]
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => geiger.david68210, joequant, marja11, nicolas.salguero, smelrorAssignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this on March 18: https://usn.ubuntu.com/3911-1/
(In reply to David Walser from comment #2) > SUSE has issued an advisory on March 7: > http://lists.suse.com/pipermail/sle-security-updates/2019-March/005176.html > > It also fixed CVE-2018-10360. openSUSE has issued an advisory for this today (March 18): https://lists.opensuse.org/opensuse-updates/2019-03/msg00076.html
Hi, CVE-2018-10360 was fixed in bug 23183. Best regards, Nico.
Summary: file new security issues CVE-2018-10360 and CVE-2019-890[4-7] => file new security issues CVE-2019-890[4-7]
File 5.36 fixes CVE-2019-890[4-7] so only Mageia 6 is affected. According to https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8904.html and https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8906.html, file 5.25 is only affected by CVE-2019-8905 and CVE-2019-8907.
Source RPM: file-5.36-1.mga7.src.rpm => file-5.25-5.1.mga6.src.rpmSummary: file new security issues CVE-2019-890[4-7] => file new security issues CVE-2019-890[57]CVE: (none) => CVE-2019-8905 and CVE-2019-8907Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
Suggested advisory: ======================== The updated packages fix security vulnerabilities: do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. (CVE-2019-8905) do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. (CVE-2019-8907) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8905 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4JG7FM7W3R4C4P5R4PFNBYEGTQHASG2O/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5DKJLTXLQCKG4GQNC5JUDGVGAJAJJ2K3/ http://lists.suse.com/pipermail/sle-security-updates/2019-March/005176.html https://usn.ubuntu.com/3911-1/ https://lists.opensuse.org/opensuse-updates/2019-03/msg00076.html ======================== Updated package in core/updates_testing: ======================== file-5.25-5.2.mga6 lib(64)magic1-5.25-5.2.mga6 lib(64)magic-devel-5.25-5.2.mga6 lib(64)magic-static-devel-5.25-5.2.mga6 python-magic-5.25-5.2.mga6 python3-magic-5.25-5.2.mga6 from SRPMS: file-5.25-5.2.mga6.src.rpm
Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugs
mga6, x86_64 *Before update* Some confusion about which CVEs are involved: CVE-2018-10360 or CVE-2019-8905 https://bugzilla.suse.com/show_bug.cgi?id=1126118&_ga=2.17769275.384073384.1553193400-55335118.1500933662 $ file sbo2 sbo2: ERROR: ELF 32-bit LSB shared object, Intel 80386, version 1, invalid note alignment 0xeb000000, NetBSD-style, from '\354\354\354\354\354\354\354\35' (signal 0), statically linked error reading (Invalid argument) No abort but the output looks like that reported upstream. CVE-2019-8906 https://bugzilla.suse.com/show_bug.cgi?id=1126119&_ga=2.252562059.384073384.1553193400-55335118.1500933662 $ file sbo3 sbo3: ERROR: ELF 32-bit LSB core file Intel 80386, version 1, NetBSD-style, from '[\0203\012\263' (signal 45834) error reading (Invalid argument) valgrind reports the same thing. No buffer overflow detected. CVE-2019-8907 https://bugzilla.suse.com/show_bug.cgi?id=1126117&_ga=2.244247303.384073384.1553193400-55335118.1500933662 $ file stack_corruption1 stack_corruption1: ERROR: ELF 32-bit LSB core file Intel 80386, version 1, NetBSD-style, from '[\0203\012\263' (signal 45834) error reading (Invalid argument) This agrees, more or less, with the upstream report with valgrind. *After the update* No changes noted in the error messages when file is run against the three POC files which suggests that the fixes were already in place. file works as expected for several local files. Ran it against all the files in the Downloads directory, without incident. Sending this on its way.
CC: (none) => tarazed25Whiteboard: (none) => MGA6-64-OK
Thanks, Len. Looks like as much testing as we can do. Validating. Suggested advisory in Comment 8.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Fixing bug title as the other issues were addressed in Cauldron. CVEs in Comment 8 are correct for the Mageia 6 update.
Summary: file new security issues CVE-2019-890[57] => file new security issues CVE-2019-890[4-7]
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0118.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED