Bugzilla – Bug 1126117
VUL-0: CVE-2019-8907: file: do_core_note in readelf.c in libmagic.a allows to cause a denial of service
Last modified: 2020-01-28 07:40:30 UTC
rh#1679138

do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1679138
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8907
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8907.html
https://bugs.astron.com/view.php?id=65
Upstream info is a bit confusing; the issue should be fixed by the CVE-2019-8905 changes (bsc#1126118) according to the upstream bugtracker.
I believe only SUSE:SLE-15:Update is affected.
The libmagic library embedded in php is not affected, because the version is too old.
SR#185053 for SLE-15 and SLE-15-PS1
This is an autogenerated message for OBS integration: This bug (1126117) was mentioned in https://build.opensuse.org/request/show/677928 Factory / file
SR#185059 for SLE-12 for all SP
SLE-11 and up seem not to be affected ... a test case would be helpful
Created attachment 797590
QA Reproducer

$ valgrind file stack_corruption1
[..]
**543** *** memcpy_chk: buffer overflow detected ***: program terminated
==543==    at 0x483A75C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==543==    by 0x483FA3A: __memcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==543==    by 0x4859C43: memcpy (string_fortified.h:34)
==543==    by 0x4859C43: do_core_note (readelf.c:755)
==543==    by 0x485AC89: donote (readelf.c:1196)
==543==    by 0x485BAA9: dophn_core.part.5 (readelf.c:398)
==543==    by 0x485D6E5: dophn_core (readelf.c:355)
==543==    by 0x485D6E5: file_tryelf (elfclass.h:43)
==543==    by 0x485F7D7: file_buffer (funcs.c:305)
==543==    by 0x484DB5F: file_or_fd (magic.c:508)
==543==    by 0x10B456: process (file.c:554)
==543==    by 0x10A850: main (file.c:424)
[..]

sorry, I forgot the reproducers. Was planning to look into the issues more, but currently don't find the time.
abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind ./src/.libs/file /tmp/stack_corruption1
==24378== Memcheck, a memory error detector.
==24378== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24378== Using LibVEX rev 1854, a library for dynamic binary translation.
==24378== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24378== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24378== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24378== For more details, rerun with: -v
==24378==
/tmp/stack_corruption1: ELF 32-bit LSB core file Intel 80386, version 1, NetBSD-style, from '[\020\012' (signal 45834)
==24378==
==24378== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24378== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24378== malloc/free: 70 allocs, 70 frees, 205,620 bytes allocated.
==24378== For counts of detected errors, rerun with: -v
==24378== All heap blocks were freed -- no leaks are possible.
Does look like SLE-11 file-4.24 is safe here
seems to be fixed with submit request for SLE-12 and SLE-15
SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src): python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src): file-5.32-7.5.1, python-magic-5.32-7.5.1
SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src): file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src): file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src): file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src): file-5.22-10.12.2
SUSE CaaS Platform ALL (src): file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src): file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src): file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
done