- -------------------------------------------------------------------------
Debian Security Advisory DSA-4550-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
CVE ID         : CVE-2019-18218

A buffer overflow was found in file, a file type classification tool, which may result in denial of service or potentially the execution of arbitrary code if a malformed CDF (Composite Document File) file is processed.

For the oldstable distribution (stretch), this problem has been fixed in version 1:5.30-1+deb9u3.

For the stable distribution (buster), this problem has been fixed in version 1:5.35-4+deb10u1.

We recommend that you upgrade your file packages.

For the detailed security status of file please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/file

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Component: RPM Packages => Security
QA Contact: (none) => security
Thank you for the notification. This SRPM has no registered maintainer, so assigning the bug globally. CC'ing DavidW both for security, & previous committer (I think); also Thierry for the latter.
Assignee: bugsquad => pkg-bugs
Source RPM: file => file-5.37-1.1.mga7.src.rpm
CC: (none) => luigiwalser, thierry.vignaud
Did not notice:
> this problem has been fixed in version 5.35-4
We have 5.37-1. So this bug may possibly be outdated.
(In reply to Lewis Smith from comment #2)
> Did not notice:
> > this problem has been fixed in version 5.35-4

That's the version / release that Debian added the fix in...

> We have 5.37-1 . So this bug may possibly be outdated.

Nope, fix added in file-5.37-1.2.mga7 currently building
CC: (none) => tmb
SRPM:
file-5.37-1.2.mga7.src.rpm

i586:
file-5.37-1.2.mga7.i586.rpm
libmagic1-5.37-1.2.mga7.i586.rpm
libmagic-devel-5.37-1.2.mga7.i586.rpm
libmagic-static-devel-5.37-1.2.mga7.i586.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm

x86_64:
file-5.37-1.2.mga7.x86_64.rpm
lib64magic1-5.37-1.2.mga7.x86_64.rpm
lib64magic-devel-5.37-1.2.mga7.x86_64.rpm
lib64magic-static-devel-5.37-1.2.mga7.x86_64.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm
Assignee: pkg-bugs => qa-bugs
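The version question in the comments above is settled by comparing an installed package against this distribution's fixed release, file-5.37-1.2.mga7, rather than against Debian's version number. The following is an added example, not part of the bug report or of Mageia's tooling: a simplified form of RPM's version ordering, with hypothetical function names and no tilde or caret handling.

```python
import re

# Taken from the package list in this report: the first Mageia 7 release
# of file that carries the CVE-2019-18218 patch.
FIXED_EVR = "5.37-1.2.mga7"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp_part(a, b):
    """Compare one version or release string, segment by segment.

    Simplified RPM ordering: digit runs compare as integers, letter runs
    as strings, a numeric segment beats an alphabetic one, and extra
    trailing segments make a string newer.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def _split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def compare_evr(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_part(va, vb) or _cmp_part(ra, rb)


def has_fix(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed package is at or past the fixed release."""
    return compare_evr(installed_evr, fixed_evr) >= 0
```

The installed value can be read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' file` and passed to `has_fix`.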
Zombie, please provide a link to the advisory and don't copy and paste the text. Lewis, I am the security group, so I already get the e-mails. You don't need to CC me.
Advisory link from October 25:
https://www.debian.org/security/2019/dsa-4550

Upstream commit that fixed it:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

No new upstream release with the fix yet.
Severity: normal => critical
Advisory:
========================

Updated file packages fix security vulnerability:

A buffer overflow was found in file which may result in denial of service or potentially the execution of arbitrary code if a malformed CDF (Composite Document File) file is processed (CVE-2019-18218).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
https://www.debian.org/security/2019/dsa-4550
Summary: file security vulnerability (CVE-2019-18218) => file new security issue CVE-2019-18218
Mageia 7, x86_64

CVE-2019-18218
Heap buffer overflow test case is available for the clusterfuzz framework, not generally available to the public.

Updated file and the referenced packages.

$ file -C
generated a magic.mgc file.
$ file magic.mgc
magic.mgc: magic binary file for file(1) cmd (version 14) (little endian)

Exclude ASCII text files:
$ file -e ascii *
1mbg1sqo.default-release.tar: POSIX tar archive (GNU)
backup: directory
bin: directory
binbag: directory
binbag.tar: POSIX tar archive (GNU)
bin.tar: POSIX tar archive (GNU)
bugid: data
Calibre Library: directory
[...]
$ cd text
$ file * | grep ASCII
amazon: ASCII text
areca: ASCII text, with very long lines
emails: ASCII text
faad.txt: ASCII text
[...]
$ file -e ascii * | grep ASCII
$ cd
$ file -d *
produces a lot of internal debugging information.

Show valid extensions for file types:
$ file --extension * | egrep "jpg|png"
apple.png: png
Bandos.jpg: jpeg/jpg/jpe/jfif
CastleCrag_Borrowdale.jpg: jpeg/jpg/jpe/jfif
dot.jpg: jpeg/jpg/jpe/jfif
emblem-cool.png: png
[...]

$ ls ruby > rubylist
$ cd ruby
$ file -f ../rubylist
widgetlist.rb: Ruby script, ASCII text
wrap.rb: Ruby script, ASCII text
xosd/: directory
yieldself: Ruby script, UTF-8 Unicode text

This was unexpected:
$ file -e elf /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)

$ file --mime Downloads/* > mime
$ cat mime
Downloads/092019_67P2.jpg: image/jpeg; charset=binary
Downloads/astro: inode/symlink; charset=binary
Downloads/Astronomy_Now_Newsalert.vcf: text/vcard; charset=us-ascii
Downloads/big.png: image/png; charset=binary
Downloads/blender_manual.zip: application/zip; charset=binary
Downloads/Buxtehude_NetherlandsBachSociety.mkv: video/x-matroska; charset=binary
Downloads/HelloLucene.java: text/x-c; charset=us-ascii
Downloads/load-unicode-data.tex: text/x-tex; charset=us-ascii
Downloads/nearstars: text/html; charset=utf-8
Downloads/periodic.html: text/html; charset=us-ascii
Downloads/ThePlanets_1_1.ts: application/octet-stream;
$ file -b ThePlanets_1_1.ts
data
$ file PJFB_HR_2m.mov
PJFB_HR_2m.mov: ISO Media, Apple QuickTime movie, Apple QuickTime (.MOV/QT)
$ file --apple PJFB_HR_2m.mov
PJFB_HR_2m.mov: UNKNUNKN
$ sudo file -s /dev/sda*
/dev/sda: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 468862127 sectors, extended partition table (last)
/dev/sda1: Linux rev 1.0 ext4 filesystem data, UUID=d78f09de-9c0e-40b5-96ec-bc1d3883c0b6 (needs journal recovery) (extents) (64bit) (large files) (huge files)
[...]

Just a sample of the options. They work.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0308.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED