Bug 25615 - file new security issue CVE-2019-18218
Summary: file new security issue CVE-2019-18218
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://linuxsecurity.com/advisories/...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-10-26 00:10 CEST by Zombie Ryushu
Modified: 2019-10-29 15:55 CET

See Also:
Source RPM: file-5.37-1.1.mga7.src.rpm
CVE:
Status comment:



Description Zombie Ryushu 2019-10-26 00:10:41 CEST
-------------------------------------------------------------------------
Debian Security Advisory DSA-4550-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : file
CVE ID         : CVE-2019-18218

A buffer overflow was found in file, a file type classification tool,
which may result in denial of service or potentially the execution of
arbitrary code if a malformed CDF (Composite Document File) file is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:5.30-1+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 1:5.35-4+deb10u1.

We recommend that you upgrade your file packages.

For the detailed security status of file please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/file

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Jani Välimaa 2019-10-26 15:04:04 CEST

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 1 Lewis Smith 2019-10-26 20:23:19 CEST
Thank you for the notification.

This SRPM has no registered maintainer, so assigning the bug globally.
CC'ing DavidW both for security, & previous committer (I think); also Thierry for the latter.

Assignee: bugsquad => pkg-bugs
Source RPM: file => file-5.37-1.1.mga7.src.rpm
CC: (none) => luigiwalser, thierry.vignaud

Comment 2 Lewis Smith 2019-10-26 20:36:42 CEST
Did not notice:
> this problem has been fixed in version 5.35-4
We have 5.37-1. So this bug may possibly be outdated.

Comment 3 Thomas Backlund 2019-10-26 20:53:25 CEST
(In reply to Lewis Smith from comment #2)
> Did not notice:
> > this problem has been fixed in version 5.35-4

That's the version / release that Debian added the fix in...

> We have 5.37-1 . So this bug may possibly be outdated.

Nope,

fix added in file-5.37-1.2.mga7 currently building

CC: (none) => tmb

Comment 4 Thomas Backlund 2019-10-26 22:23:05 CEST
SRPM:
file-5.37-1.2.mga7.src.rpm


i586:
file-5.37-1.2.mga7.i586.rpm
libmagic1-5.37-1.2.mga7.i586.rpm
libmagic-devel-5.37-1.2.mga7.i586.rpm
libmagic-static-devel-5.37-1.2.mga7.i586.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm


x86_64:
file-5.37-1.2.mga7.x86_64.rpm
lib64magic1-5.37-1.2.mga7.x86_64.rpm
lib64magic-devel-5.37-1.2.mga7.x86_64.rpm
lib64magic-static-devel-5.37-1.2.mga7.x86_64.rpm
python2-magic-5.37-1.2.mga7.noarch.rpm
python3-magic-5.37-1.2.mga7.noarch.rpm

Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2019-10-27 17:03:27 CET
Zombie, please provide a link to the advisory and don't copy and paste the text.

Lewis, I am the security group, so I already get the e-mails.  You don't need to CC me.

Comment 6 David Walser 2019-10-27 17:17:39 CET
Advisory link from October 25:
https://www.debian.org/security/2019/dsa-4550

Upstream commit that fixed it:
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

No new upstream release with the fix yet.

Severity: normal => critical

Comment 7 David Walser 2019-10-27 17:19:05 CET
Advisory:
========================

Updated file packages fix security vulnerability:

A buffer overflow was found in file which may result in denial of service or
potentially the execution of arbitrary code if a malformed CDF (Composite
Document File) file is processed (CVE-2019-18218).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
https://www.debian.org/security/2019/dsa-4550

Summary: file security vulnerability (CVE-2019-18218) => file new security issue CVE-2019-18218

Comment 8 Len Lawrence 2019-10-28 13:04:05 CET
Mageia 7, x86_64

CVE-2019-18218
Heap buffer overflow test case is available for the clusterfuzz framework, not generally available to the public.

Updated file and the referenced packages.

$ file -C
generated a magic.mgc file.
$ file magic.mgc
magic.mgc: magic binary file for file(1) cmd (version 14) (little endian)

Exclude ASCII text files:
$ file -e ascii *
1mbg1sqo.default-release.tar: POSIX tar archive (GNU)
backup:                       directory
bin:                          directory
binbag:                       directory
binbag.tar:                   POSIX tar archive (GNU)
bin.tar:                      POSIX tar archive (GNU)
bugid:                        data
Calibre Library:              directory
[...]

$ cd text
$ file * | grep ASCII
amazon:                       ASCII text
areca:                        ASCII text, with very long lines
emails:                       ASCII text
faad.txt:                     ASCII text
[...]

$ file -e ascii * | grep ASCII
$ cd
$ file -d *
produces a lot of internal debugging information.

Show valid extensions for file types:
$ file --extension * | egrep "jpg|png"
apple.png:                                                   png
Bandos.jpg:                                                  jpeg/jpg/jpe/jfif
CastleCrag_Borrowdale.jpg:                                   jpeg/jpg/jpe/jfif
dot.jpg:                                                     jpeg/jpg/jpe/jfif
emblem-cool.png:                                             png
[...]

$ ls ruby > rubylist
$ cd ruby
$ file -f ../rubylist
widgetlist.rb:         Ruby script, ASCII text
wrap.rb:               Ruby script, ASCII text
xosd/:                 directory
yieldself:             Ruby script, UTF-8 Unicode text

This was unexpected:
$ file -e elf /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)

$ file --mime Downloads/* > mime
$ cat mime
Downloads/092019_67P2.jpg:                      image/jpeg; charset=binary
Downloads/astro:                                inode/symlink; charset=binary
Downloads/Astronomy_Now_Newsalert.vcf:          text/vcard; charset=us-ascii
Downloads/big.png:                              image/png; charset=binary
Downloads/blender_manual.zip:                   application/zip; charset=binary
Downloads/Buxtehude_NetherlandsBachSociety.mkv: video/x-matroska; charset=binary
Downloads/HelloLucene.java:                     text/x-c; charset=us-ascii
Downloads/load-unicode-data.tex:                text/x-tex; charset=us-ascii
Downloads/nearstars:                            text/html; charset=utf-8
Downloads/periodic.html:                        text/html; charset=us-ascii
Downloads/ThePlanets_1_1.ts:                    application/octet-stream; 

$ file -b ThePlanets_1_1.ts
data

$ file PJFB_HR_2m.mov
PJFB_HR_2m.mov: ISO Media, Apple QuickTime movie, Apple QuickTime (.MOV/QT)
$ file --apple PJFB_HR_2m.mov
PJFB_HR_2m.mov: UNKNUNKN

$ sudo file -s /dev/sda*
/dev/sda:   DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 468862127 sectors, extended partition table (last)
/dev/sda1:  Linux rev 1.0 ext4 filesystem data, UUID=d78f09de-9c0e-40b5-96ec-bc1d3883c0b6 (needs journal recovery) (extents) (64bit) (large files) (huge files)
[...]

Just a sample of the options.  They work.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Thomas Backlund 2019-10-29 15:07:16 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2019-10-29 15:55:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0308.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
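
To confirm that a Mageia 7 host has picked up the update, the check below compares installed version-release strings against the fixed release from comment 4, covering the libmagic library packages as well as `file` itself. It is an added example, not part of the bug report or of Mageia's tooling; the comparison is a simplified form of RPM's segment ordering and the query output is a constructed sample.

```python
import re

# Fixed version-release for Mageia 7, taken from the package list in comment 4.
FIXED = "5.37-1.2.mga7"
# Binary packages built from the file SRPM, as listed in comment 4.
PACKAGES = {"file", "libmagic1", "lib64magic1", "libmagic-devel",
            "lib64magic-devel", "libmagic-static-devel",
            "lib64magic-static-devel", "python2-magic", "python3-magic"}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM segment comparison; returns -1, 0 or 1.
    Assumption: no epoch, '~' or '^' handling (not used by these packages)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric beats alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):                 # more digits means larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(installed, fixed=FIXED):
    """True if installed VERSION-RELEASE is at or above the fixed one."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def audit(query_output):
    """Return {name: version-release} for listed packages below FIXED."""
    stale = {}
    for line in query_output.splitlines():
        name, _, vr = line.strip().partition(" ")
        if name in PACKAGES and vr and not is_fixed(vr):
            stale[name] = vr
    return stale

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """file 5.37-1.2.mga7
lib64magic1 5.37-1.1.mga7
python3-magic 5.37-1.2.mga7
bash 5.0-4.mga7
"""

if __name__ == "__main__":
    for name, vr in sorted(audit(SAMPLE).items()):
        print(f"{name} {vr} is older than {FIXED}")
```

On the constructed sample only `lib64magic1` is reported, the case where `file` was updated but the library package was left at the older release.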

