Bug 32282 - file new security issue CVE-2022-48554
Summary: file new security issue CVE-2022-48554
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-09-13 14:08 CEST by Nicolas Salguero
Modified: 2023-09-25 00:18 CEST (History)
6 users (show)

See Also:
Source RPM: file-5.39-4.mga8.src.rpm
Status comment:


Description Nicolas Salguero 2023-09-13 14:08:27 CEST
Ubuntu has issued an advisory on September 12:
Nicolas Salguero 2023-09-13 14:08:51 CEST

CC: (none) => nicolas.salguero
Source RPM: (none) => file-5.39-4.mga8.src.rpm

Comment 1 Lewis Smith 2023-09-13 19:47:37 CEST
Another for M8. We have had 5.41 since Oct 19 2021. How come the SRPM version here cites only 5.39?

Stig seems to be the main new version committer.

Assignee: bugsquad => smelror
Status comment: (none) => Fixed 5.41

Comment 2 Nicolas Salguero 2023-09-14 15:16:54 CEST
Suggested advisory:

The updated packages fix a security vulnerability:

File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. (CVE-2022-48554)


Updated packages in core/updates_testing:

from SRPM:

Assignee: smelror => nicolas.salguero
Status comment: Fixed 5.41 => (none)

Nicolas Salguero 2023-09-18 09:23:44 CEST

Assignee: nicolas.salguero => qa-bugs

PC LX 2023-09-20 17:53:21 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2023-09-21 12:14:48 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 25615 Comment 8 for testing - tx Len
$ file -C
generated a magic.mgc file.
$ file magic.mgc
magic.mgc:         magic binary file for file(1) cmd (version 16) (little endian)

Exclude ASCII text files:
$ file -e ascii *
$ file -e ascii *
Desktop:           directory
Documents:         directory
Downloads:         directory
magic.mgc:         magic binary file for file(1) cmd (version 16) (little endian)
MC-Projects:       directory
mime:              data
Music:             directory
node_modules:      directory
package.json:      JSON data
package-lock.json: JSON data
Pictures:          directory
qa-testing:        directory
Templates:         directory
thinclient_drives: sticky, directory
tmp:               directory
traces:            directory
Videos:            directory

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2023-09-21 13:57:02 CEST
$ cd Documents/
$ file -e ascii *
handleidingVM.pdf:                         PDF document, version 1.6
Helloworldnojfx.class:                     compiled Java class data, version 55.0
Helloworldnojfx.java:                      data
HLN_MSAS07_18LACM.pdf:                     PDF document, version 1.6 (password protected)
indent.c:                                  data
iphone-7-leaked-2017-ringtone-852 (1).mp4: ISO Media, MP4 Base Media v1 [IS0 14496-12:2003]
Kelly.pcl:                                 HP Printer Job Language data
main.js:                                   data
sample-3.rar:                              RAR archive data, v4, os: Unix
sample.pcl:                                data
test_0.bin:                                data
test_1.bin:                                data
test_2.bin:                                data
test_3.bin:                                data
test_4.bin:                                data
test_5.bin:                                data
test_6.bin:                                data
test_7.bin:                                data
test_8.bin:                                data
test_9.bin:                                data
testcindentform.c:                         data
test.pdf:                                  PDF document, version 1.3
testpoppler-1_1.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 95x96, segment length 16, progressive, precision 8, 860x48, components 3
testpoppler-3_1.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 705x570, components 3
testpoppler-5_1.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 92x91, segment length 16, progressive, precision 8, 1600x900, components 3
testpoppler-6_1.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 1269x377, components 3
testpoppler-6_2.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 735x568, components 3
testpoppler-7_1.jpg:                       JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 1285x621, components 3
testpoppler.html:                          data
testpoppler_ind.html:                      data
testpopplers.html:                         data
test.rar:                                  RAR archive data, v5
test.sha256:                               data
VM.txt:                                    data
volkstuintjes:                             directory
[tester8@mach7 Documents]$ file -e ascii * | grep ASCII
no feedback, which is correct
$ file -d *
produces too much info 
$ cd Pictures/1981\ Shelton/
$ file --extension * | egrep "jpg|png"
shelt0001.jpeg:        jpeg/jpg/jpe/jfif
shelt0002.jpeg:        jpeg/jpg/jpe/jfif
shelt0003.jpeg:        jpeg/jpg/jpe/jfif
shelt0004.jpeg:        jpeg/jpg/jpe/jfif
shelt0005.jpeg:        jpeg/jpg/jpe/jfif
shelt0006.jpeg:        jpeg/jpg/jpe/jfif
shelt0007.jpeg:        jpeg/jpg/jpe/jfif
shelt0008.jpeg:        jpeg/jpg/jpe/jfif
shelt0009.jpeg:        jpeg/jpg/jpe/jfif
$ cd
[tester8@mach7 ~]$ file -e elf /usr/bin/file
/usr/bin/file: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)

$ file /mnt/video2/12de\ man/12demandeel1.avi 
/mnt/video2/12de man/12demandeel1.avi: RIFF (little-endian) data, AVI, 720 x 576, 25.00 fps, video:, audio: uncompressed PCM (stereo, 48000 Hz)

# file -s /dev/sda*
/dev/sda:  DOS/MBR boot sector; GRand Unified Bootloader, stage1 version 0x3, stage2 address 0x2000, stage2 segment 0x200
/dev/sda1: Linux rev 1.0 ext4 filesystem data, UUID=3c3d9634-3ab2-48b7-84ec-60a198745601 (needs journal recovery) (extents) (64bit) (large files) (huge files)
/dev/sda2: DOS/MBR boot sector; partition 1 : ID=0x82, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 26, 8174980 sectors; partition 2 : ID=0x5, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 8175642, 380836254 sectors, extended partition table
/dev/sda5: Linux swap file, 4k page size, little endian, version 1, size 1021871 pages, 0 bad pages, no label, UUID=db67c0c2-e821-47a6-b514-8064b4c7e456
/dev/sda6: Linux rev 1.0 ext4 filesystem data, UUID=0631c6c5-1e0e-4daf-81a1-3f63f136a092 (needs journal recovery) (extents) (64bit) (large files) (huge files)
/dev/sda7: Linux rev 1.0 ext4 filesystem data, UUID=1222dd2c-79db-496a-9fa4-eb0cab365ff3, volume name "m7mach8" (needs journal recovery) (extents) (64bit) (large files) (huge files)

All seems correct, good to go.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2023-09-21 14:04:21 CEST
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-09-22 02:32:33 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-09-25 00:18:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.