Bug 678476

Summary:	<sys-apps/file-5.36: multiple vulnerabilities (CVE-2019-{8904,8905,8906,8907})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	base-system, slyfox
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:	=sys-apps/file-5.36	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2019-02-21 08:50:12 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1679188:

do_bid_note in readelf.c in libmagic in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.

Upstream patch:
https://github.com/file/file/commit/94b7501f48e134e77716e7ebefc73d6bbe72ba55

References:
https://bugs.astron.com/view.php?id=62



From https://bugzilla.redhat.com/show_bug.cgi?id=1679181:

do_core_note in readelf.c in libmagic in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability 
than CVE-2018-10360.

Upstream patch:
https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b

References:
https://bugs.astron.com/view.php?id=63



From https://bugzilla.redhat.com/show_bug.cgi?id=1679175:

do_core_note in readelf.c in libmagic in file 5.35 has an out-of-bounds read because memcpy is misused.

Upstream commit:
https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Agostino Sarubbo gentoo-dev

2019-02-21 08:55:06 UTC

Some notes:
- is not clear to me if the affected version is just 5.35 or not
- the file packages deserves a severity A but the bugs were discovered without seccomp, so it is B for me

Comment 2 Agostino Sarubbo gentoo-dev

2019-02-21 08:58:25 UTC

And another bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1679138

do_core_note in readelf.c in libmagic in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

References:
https://bugs.astron.com/view.php?id=65

Comment 3 Larry the Git Cow gentoo-dev

2019-02-21 19:04:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb56fe9da4a344be16f3256cd13e96af1c73eb3a

commit fb56fe9da4a344be16f3256cd13e96af1c73eb3a
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2019-02-21 19:04:00 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2019-02-21 19:04:00 +0000

    sys-apps/file: Security version bump to 5.36 (bug #678476)
    
    Bug: https://bugs.gentoo.org/678476
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 sys-apps/file/Manifest         |   1 +
 sys-apps/file/file-5.36.ebuild | 126 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)

Comment 4 Patrick McLean gentoo-dev

2019-02-21 19:06:25 UTC

5.36 should be fine to go stable, CCing arches.

Comment 5 Agostino Sarubbo gentoo-dev

2019-02-22 07:47:26 UTC

(In reply to Patrick McLean from comment #4)
> 5.36 should be fine to go stable, CCing arches.

Hi Patrick, without a properly fill of "Package List" our getatoms tool does not catch the bug..

Comment 6 Agostino Sarubbo gentoo-dev

2019-02-22 07:56:24 UTC

amd64 stable

Comment 7 Mart Raudsepp gentoo-dev

2019-02-22 18:23:40 UTC

arm64 stable

Comment 8 Rolf Eike Beer archtester

2019-02-22 20:24:03 UTC

sparc stable

Comment 9 ernsteiswuerfel archtester

2019-02-23 16:16:46 UTC

Looking good on ppc.

# cat file-678476.report 
USE tests started on Sa 23. Feb 15:19:03 CET 2019

FEATURES=' test' USE='' succeeded for =sys-apps/file-5.36
USE='-python -static-libs -zlib' succeeded for =sys-apps/file-5.36
USE='-python static-libs -zlib' succeeded for =sys-apps/file-5.36
USE='-python -static-libs zlib' succeeded for =sys-apps/file-5.36
USE='-python static-libs zlib' succeeded for =sys-apps/file-5.36

revdep tests started on Sa 23. Feb 15:36:31 CET 2019

FEATURES=' test' USE='magic' succeeded for net-p2p/mldonkey
FEATURES=' test' USE='' succeeded for dev-vcs/subversion
FEATURES=' test' USE='magic' succeeded for app-misc/worker
FEATURES=' test' USE='' succeeded for media-video/mkvtoolnix
FEATURES=' test' USE='' succeeded for app-admin/eselect
FEATURES=' test' USE='magic' succeeded for media-libs/libextractor
FEATURES=' test' USE='-static magic' succeeded for app-editors/nano
FEATURES=' test' USE='magic' succeeded for app-misc/vifm
FEATURES=' test' USE='magic' succeeded for media-sound/moc
FEATURES=' test' USE='' succeeded for sys-block/tapecat

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 20:49:38 UTC

ia64 stable

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 20:51:49 UTC

hppa stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 21:00:41 UTC

ppc64 stable

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2019-02-23 21:03:01 UTC

ppc stable

Comment 14 Mikle Kolyada (RETIRED) archtester

2019-02-24 08:15:04 UTC

alpha stable

Comment 15 Mikle Kolyada (RETIRED) archtester

2019-02-24 08:18:13 UTC

arm stable

Comment 16 Mikle Kolyada (RETIRED) archtester

2019-02-24 08:19:52 UTC

m68k s390 sh stable

Comment 17 Mikle Kolyada (RETIRED) archtester

2019-02-24 08:22:45 UTC

x86 stable

Comment 18 Mikle Kolyada (RETIRED) archtester

2019-02-24 08:25:38 UTC

GLSA vote: no.