ArchLinux: 201903-5: file: multiple issues

    Date: 04 Mar 2019
    Category: ArchLinux
    Posted by: LinuxSecurity Advisories
    Arch Linux Security Advisory ASA-201903-5
    =========================================
    
    Severity: High
    Date    : 2019-03-03
    CVE-ID  : CVE-2019-8904 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907
    Package : file
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-907
    
    Summary
    =======
    
    The package file before version 5.36-1 is vulnerable to multiple issues
    including information disclosure and denial of service.
    
    Resolution
    ==========
    
    Upgrade to 5.36-1.
    
    # pacman -Syu "file>=5.36-1"
    
    The problems have been fixed upstream in version 5.36.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-8904 (information disclosure)
    
    do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based
    buffer over-read, related to file_printf and file_vprintf.
    
    - CVE-2019-8905 (information disclosure)
    
    do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based
    buffer over-read, related to file_printable, a different vulnerability
    than CVE-2018-10360.
    
    - CVE-2019-8906 (information disclosure)
    
    do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-
    bounds read because memcpy is misused.
    
    - CVE-2019-8907 (denial of service)
    
    do_core_note in readelf.c in libmagic.a in file 5.35 allows remote
    attackers to cause a denial of service (stack corruption and
    application crash) or possibly have unspecified other impact.
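    All four issues above are length-handling defects in the ELF note parsers of readelf.c (do_bid_note and do_core_note): lengths taken from the file are used to read or memcpy before being checked against the buffer. The following is an added illustration, not file's own code and not the upstream fix: a bounds-checked walk over an ELF note region in which every namesz/descsz value is validated against the remaining buffer before any read or copy, and the copy into a fixed stack buffer is clamped to that buffer's size rather than to the untrusted length. It assumes little-endian note fields and a hypothetical NAME_BUF_LEN; the sample note buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF notes are a 12-byte header (namesz, descsz, type) followed by the
 * name and descriptor, each padded to a 4-byte boundary. The lengths come
 * straight from the file and must be treated as untrusted. */
#define NOTE_HDR_LEN 12u
#define NOTE_ALIGN   4u
#define NAME_BUF_LEN 16u   /* hypothetical fixed-size stack buffer for the note name */

/* Decode a little-endian 32-bit field (assumption of this example). */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pad a field length to NOTE_ALIGN; returns 0 if that would overflow size_t. */
static int padded_len(uint32_t n, size_t *out) {
    if ((size_t)n > SIZE_MAX - (NOTE_ALIGN - 1)) return 0;
    *out = ((size_t)n + NOTE_ALIGN - 1) & ~(size_t)(NOTE_ALIGN - 1);
    return 1;
}

/* Walk the notes in buf[0..len) and return how many were found, or -1 as
 * soon as any header or padded length does not fit inside the buffer.
 * Nothing is read or copied until the corresponding bound has been checked. */
int note_count(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < NOTE_HDR_LEN) return -1;        /* truncated header */
        uint32_t namesz = rd32le(buf + off);
        uint32_t descsz = rd32le(buf + off + 4);
        uint32_t type   = rd32le(buf + off + 8);

        size_t name_pad, desc_pad;
        if (!padded_len(namesz, &name_pad) || !padded_len(descsz, &desc_pad))
            return -1;                                   /* length overflow */

        size_t name_off = off + NOTE_HDR_LEN;
        if (name_pad > len - name_off) return -1;        /* name runs past buffer */
        size_t desc_off = name_off + name_pad;
        if (desc_pad > len - desc_off) return -1;        /* desc runs past buffer */

        /* Copy the name into a fixed stack buffer: the copy length is clamped
         * to the buffer size, never taken directly from namesz. */
        char name[NAME_BUF_LEN];
        size_t n = namesz < NAME_BUF_LEN - 1 ? namesz : NAME_BUF_LEN - 1;
        memcpy(name, buf + name_off, n);
        name[n] = '\0';
        printf("note %d: name=\"%s\" type=%u descsz=%u\n",
               count, name, (unsigned)type, (unsigned)descsz);

        count++;
        off = desc_off + desc_pad;
    }
    return count;
}

/* Constructed sample: a "CORE" note with a 4-byte descriptor followed by an
 * empty "GNU" note (40 bytes in total). */
static const uint8_t GOOD_NOTES[] = {
    5,0,0,0,  4,0,0,0,  1,0,0,0,  'C','O','R','E',0, 0,0,0,  0xAA,0xBB,0xCC,0xDD,
    4,0,0,0,  0,0,0,0,  3,0,0,0,  'G','N','U',0,
};

/* Constructed sample: the same first note with descsz = 0xFFFFFFF0 and no
 * descriptor bytes present; it must be rejected, not fed to memcpy. */
static const uint8_t BAD_NOTES[] = {
    5,0,0,0,  0xF0,0xFF,0xFF,0xFF,  1,0,0,0,  'C','O','R','E',0, 0,0,0,
};

int main(void) {
    printf("good buffer: %d notes\n", note_count(GOOD_NOTES, sizeof GOOD_NOTES));
    printf("bad buffer:  %d\n", note_count(BAD_NOTES, sizeof BAD_NOTES));
    printf("truncated:   %d\n", note_count(GOOD_NOTES, 20));
    return 0;
}
```

    The three checks that matter are the ones before each read: header length against the remaining bytes, padded name length against what follows the header, and padded descriptor length against what follows the name. A parser that performs the memcpy first and checks afterwards, or that sizes the copy from the untrusted field, is exactly the pattern that produces the over-reads and stack corruption described above.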
    
    Impact
    ======
    
    A remote attacker is able to disclose sensitive information from the
    file process or cause a crash via a crafted ELF file.
    
    References
    ==========
    
    https://bugs.astron.com/view.php?id=62
    https://bugs.astron.com/view.php?id=63
    https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
    https://bugs.astron.com/view.php?id=64
    https://bugs.astron.com/view.php?id=65
    https://security.archlinux.org/CVE-2019-8904
    https://security.archlinux.org/CVE-2019-8905
    https://security.archlinux.org/CVE-2019-8906
    https://security.archlinux.org/CVE-2019-8907
    