Bug 1126119 (CVE-2019-8906)

Summary: VUL-0: CVE-2019-8906: file: out-of-bounds read do_core_note in readelf.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: junguo.wang, rfrohl, smash_bz, werner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/224988/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: QA Reproducer

Description Robert Frohl 2019-02-20 15:13:19 UTC
CVE-2019-8906

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read
because memcpy is misused.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8906
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8906.html
https://bugs.astron.com/view.php?id=64
https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
Comment 1 Robert Frohl 2019-02-20 15:17:49 UTC
The libmagic library embedded in PHP is not affected, because the version is too old.
Comment 2 Dr. Werner Fink 2019-02-21 08:58:29 UTC
SR#185053 for SLE-15 and SLE-15-PS1
Comment 3 Swamp Workflow Management 2019-02-21 09:10:13 UTC
This is an autogenerated message for OBS integration:
This bug (1126119) was mentioned in
https://build.opensuse.org/request/show/677928 Factory / file
Comment 5 Dr. Werner Fink 2019-02-21 10:11:52 UTC
SR#185059 for SLE-12 for all SP
Comment 6 Dr. Werner Fink 2019-02-21 10:32:14 UTC
SLE-11 and up seem not to be affected ... a test case would be helpful
Comment 8 Robert Frohl 2019-02-22 10:18:23 UTC
Created attachment 797588 [details]
QA Reproducer

$ valgrind file sbo3

[..]
**540** *** memcpy_chk: buffer overflow detected ***: program terminated
==540==    at 0x483A75C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x483FA3A: __memcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x4859C43: memcpy (string_fortified.h:34)
==540==    by 0x4859C43: do_core_note (readelf.c:755)
==540==    by 0x485AC89: donote (readelf.c:1196)
==540==    by 0x485BAA9: dophn_core.part.5 (readelf.c:398)
==540==    by 0x485D6E5: dophn_core (readelf.c:355)
==540==    by 0x485D6E5: file_tryelf (elfclass.h:43)
==540==    by 0x485F7D7: file_buffer (funcs.c:305)
==540==    by 0x484DB5F: file_or_fd (magic.c:508)
==540==    by 0x10B456: process (file.c:554)
==540==    by 0x10A850: main (file.c:424)
[..]
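An added example, not code from the file project or from this bug's attachment: a minimal 32-bit ELF core-note parser that shows the bug class named in the description (a descsz taken from the file and handed straight to memcpy) next to the bounds checks that close it, run over constructed notes. The struct layout, the NOTE_* return codes and the function names are hypothetical stand-ins for what readelf.c does around do_core_note; only the note header format (n_namesz, n_descsz, n_type, 4-byte padded fields) is the real ELF layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration of the bug class behind CVE-2019-8906: a core-note parser that hands
 * a file-controlled descsz straight to memcpy. Names and the struct layout are hypothetical
 * stand-ins, not file(1)'s readelf.c. */

#define NT_PRPSINFO 3u
#define NHDR_SIZE   12u   /* Elf32_Nhdr: n_namesz, n_descsz, n_type, each 32-bit */
enum { NOTE_OK = 0, NOTE_IGNORED = 1, NOTE_ERR_TRUNC = -1, NOTE_ERR_DESCSZ = -2 };

struct prpsinfo_fixed {   /* hypothetical fixed-size home for an NT_PRPSINFO descriptor */
    uint8_t state;
    char    fname[16];
};
typedef int (*note_parser)(const uint8_t *, size_t, struct prpsinfo_fixed *);

static size_t note_align(uint32_t x) { return ((size_t)x + 3) & ~(size_t)3; } /* 4-byte padding */
static uint32_t rd32le(const uint8_t *p)   /* little-endian, like the "LSB core file" above */
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Vulnerable pattern: descsz is trusted, so memcpy reads past the end of nbuf (the
 * out-of-bounds read) and writes past *out. Only ever called below on a well-formed note. */
static int parse_prpsinfo_unchecked(const uint8_t *nbuf, size_t bufsz, struct prpsinfo_fixed *out)
{
    if (bufsz < NHDR_SIZE) return NOTE_ERR_TRUNC;
    uint32_t namesz = rd32le(nbuf), descsz = rd32le(nbuf + 4), type = rd32le(nbuf + 8);
    if (type != NT_PRPSINFO) return NOTE_IGNORED;
    memcpy(out, nbuf + NHDR_SIZE + note_align(namesz), descsz); /* BUG: descsz unbounded */
    return NOTE_OK;
}

/* Hardened pattern: every file-derived length is checked against the bytes that really
 * exist before it becomes an offset, and the copy length is sizeof *out, never descsz. */
static int parse_prpsinfo_checked(const uint8_t *nbuf, size_t bufsz, struct prpsinfo_fixed *out)
{
    if (bufsz < NHDR_SIZE) return NOTE_ERR_TRUNC;
    uint32_t namesz = rd32le(nbuf), descsz = rd32le(nbuf + 4), type = rd32le(nbuf + 8);
    size_t avail = bufsz - NHDR_SIZE;
    if (namesz > avail || note_align(namesz) > avail) return NOTE_ERR_TRUNC;
    size_t doff = NHDR_SIZE + note_align(namesz);
    if (descsz > bufsz - doff) return NOTE_ERR_TRUNC;   /* descriptor must lie inside the note */
    if (type != NT_PRPSINFO) return NOTE_IGNORED;
    if (descsz < sizeof *out) return NOTE_ERR_DESCSZ;   /* too short to fill the struct */
    memcpy(out, nbuf + doff, sizeof *out);
    return NOTE_OK;
}

/* Constructed test input: one "CORE" note carrying a 17-byte descriptor, with the header's
 * descsz set to descsz_field so it can deliberately disagree with the stored bytes. */
static int run_note(note_parser parse, uint32_t descsz_field, struct prpsinfo_fixed *out)
{
    struct prpsinfo_fixed desc = { 'R', "file" };
    uint32_t namesz = 5;                                   /* "CORE" plus NUL */
    uint8_t note[64] = { 0 };
    size_t doff = NHDR_SIZE + note_align(namesz);          /* 20 */
    size_t len = doff + note_align((uint32_t)sizeof desc); /* 40 */
    wr32le(note, namesz); wr32le(note + 4, descsz_field); wr32le(note + 8, NT_PRPSINFO);
    memcpy(note + NHDR_SIZE, "CORE", namesz);
    memcpy(note + doff, &desc, sizeof desc);
    return parse(note, len, out);
}

/* descsz == sizeof struct: both parsers accept and produce identical results. Returns 1. */
int demo_well_formed(void)
{
    struct prpsinfo_fixed a, b;
    return run_note(parse_prpsinfo_checked, (uint32_t)sizeof a, &a) == NOTE_OK
        && run_note(parse_prpsinfo_unchecked, (uint32_t)sizeof b, &b) == NOTE_OK
        && memcmp(&a, &b, sizeof a) == 0 && a.state == 'R' && strcmp(a.fname, "file") == 0;
}

/* descsz claims 64 KiB for a 40-byte note: the unchecked memcpy would read far past the
 * buffer, which is the shape the fortify/valgrind trace above flags; the checked parser refuses. */
int demo_oversized_descsz(void)
{
    struct prpsinfo_fixed o; return run_note(parse_prpsinfo_checked, 0x10000u, &o);
}

/* descsz smaller than the struct: a fixed-size copy would otherwise read note padding or
 * the next note as process state. */
int demo_undersized_descsz(void)
{
    struct prpsinfo_fixed o; return run_note(parse_prpsinfo_checked, 4u, &o);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("oversized descsz: %d (NOTE_ERR_TRUNC = %d)\n", demo_oversized_descsz(), NOTE_ERR_TRUNC);
    printf("undersized descsz: %d (NOTE_ERR_DESCSZ = %d)\n", demo_undersized_descsz(), NOTE_ERR_DESCSZ);
    return 0;
}
```

The `__memcpy_chk` frame in the reproducer trace is what `_FORTIFY_SOURCE` emits when the compiler knows the size of the destination object and the memcpy length exceeds it. That check only fires for destinations whose size is visible at the call site (a local or static struct or array); the same misuse into a heap buffer or through an opaque pointer gets no fortify check at all, which is why the checked parser above bounds descsz against the note's own length and copies `sizeof *out` rather than relying on the destination-size check to catch a bad file.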
Comment 9 Dr. Werner Fink 2019-02-22 10:48:14 UTC
abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind   ./src/.libs/file /tmp/sbo3
==24377== Memcheck, a memory error detector.
==24377== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24377== Using LibVEX rev 1854, a library for dynamic binary translation.
==24377== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24377== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24377== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24377== For more details, rerun with: -v
==24377== 
/tmp/sbo3: ELF 32-bit LSB core file Intel 80386, version 1
==24377== 
==24377== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24377== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24377== malloc/free: 58 allocs, 58 frees, 204,573 bytes allocated.
==24377== For counts of detected errors, rerun with: -v
==24377== All heap blocks were freed -- no leaks are possible.
Comment 10 Dr. Werner Fink 2019-02-22 10:49:47 UTC
Does look like SLE-11 file-4.24 is safe here
Comment 11 Dr. Werner Fink 2019-02-22 11:00:18 UTC
seems to be fixed with submit request for SLE-12 and SLE-15
Comment 13 Swamp Workflow Management 2019-03-07 23:10:24 UTC
SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    file-5.32-7.5.1, python-magic-5.32-7.5.1
Comment 17 Swamp Workflow Management 2019-04-02 16:20:29 UTC
SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    file-5.22-10.12.2
SUSE CaaS Platform ALL (src):    file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src):    file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 18 Marcus Meissner 2020-01-28 07:40:57 UTC
done