From https://bugzilla.redhat.com/show_bug.cgi?id=1679188:

do_bid_note in readelf.c in libmagic in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.

Upstream patch: https://github.com/file/file/commit/94b7501f48e134e77716e7ebefc73d6bbe72ba55
References: https://bugs.astron.com/view.php?id=62

From https://bugzilla.redhat.com/show_bug.cgi?id=1679181:

do_core_note in readelf.c in libmagic in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.

Upstream patch: https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
References: https://bugs.astron.com/view.php?id=63

From https://bugzilla.redhat.com/show_bug.cgi?id=1679175:

do_core_note in readelf.c in libmagic in file 5.35 has an out-of-bounds read because memcpy is misused.

Upstream commit: https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Some notes:
- it is not clear to me if the affected version is just 5.35 or not
- the file package deserves a severity A but the bugs were discovered without seccomp, so it is B for me
And another bug: https://bugzilla.redhat.com/show_bug.cgi?id=1679138

do_core_note in readelf.c in libmagic in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

References: https://bugs.astron.com/view.php?id=65
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb56fe9da4a344be16f3256cd13e96af1c73eb3a

commit fb56fe9da4a344be16f3256cd13e96af1c73eb3a
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2019-02-21 19:04:00 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2019-02-21 19:04:00 +0000

    sys-apps/file: Security version bump to 5.36 (bug #678476)

    Bug: https://bugs.gentoo.org/678476
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 sys-apps/file/Manifest         |   1 +
 sys-apps/file/file-5.36.ebuild | 126 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
5.36 should be fine to go stable, CCing arches.
(In reply to Patrick McLean from comment #4)
> 5.36 should be fine to go stable, CCing arches.

Hi Patrick, without a properly filled "Package List", our getatoms tool does not catch the bug.
amd64 stable
arm64 stable
sparc stable
Looking good on ppc.

# cat file-678476.report
USE tests started on Sa 23. Feb 15:19:03 CET 2019
FEATURES=' test' USE='' succeeded for =sys-apps/file-5.36
USE='-python -static-libs -zlib' succeeded for =sys-apps/file-5.36
USE='-python static-libs -zlib' succeeded for =sys-apps/file-5.36
USE='-python -static-libs zlib' succeeded for =sys-apps/file-5.36
USE='-python static-libs zlib' succeeded for =sys-apps/file-5.36

revdep tests started on Sa 23. Feb 15:36:31 CET 2019
FEATURES=' test' USE='magic' succeeded for net-p2p/mldonkey
FEATURES=' test' USE='' succeeded for dev-vcs/subversion
FEATURES=' test' USE='magic' succeeded for app-misc/worker
FEATURES=' test' USE='' succeeded for media-video/mkvtoolnix
FEATURES=' test' USE='' succeeded for app-admin/eselect
FEATURES=' test' USE='magic' succeeded for media-libs/libextractor
FEATURES=' test' USE='-static magic' succeeded for app-editors/nano
FEATURES=' test' USE='magic' succeeded for app-misc/vifm
FEATURES=' test' USE='magic' succeeded for media-sound/moc
FEATURES=' test' USE='' succeeded for sys-block/tapecat
ia64 stable
hppa stable
ppc64 stable
ppc stable
alpha stable
arm stable
m68k s390 sh stable
x86 stable
GLSA vote: no.