Bug 1126118 - (CVE-2019-8905) VUL-0: CVE-2019-8905: file: stack-based buffer over-read in do_core_note in readelf.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/224987/
Reported: 2019-02-20 15:09 UTC by Robert Frohl
Modified: 2020-01-28 07:40 UTC (History)
Found By: Security Response Team

Attachments
QA Reproducer (1.16 KB, application/x-sharedlib)
2019-02-22 10:27 UTC, Robert Frohl

Description Robert Frohl 2019-02-20 15:09:29 UTC
CVE-2019-8905

do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer
over-read, related to file_printable, a different vulnerability than
CVE-2018-10360.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8905
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8905.html
https://bugs.astron.com/view.php?id=63
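The CVE text above only names the function (do_core_note, the note reader that file_printable is called from) and the bug class (a stack-based over-read while parsing a core-file note). The following is an added example written for this page, not code from file(1), from the upstream fix or from this bug: a minimal ELF note walker that applies the bounds checks such a reader needs. Every namesz/descsz is compared with the bytes remaining before the bytes it describes are touched, a name must be NUL-terminated inside namesz before anything calls strcmp() on it, and fixed-offset descriptor fields (the kind a core-file process-info note carries) are checked against descsz. The note layout is the standard Elf Nhdr; the put_note() builder, the sample descriptor bytes and the demo_* functions are constructed inputs for the example and the specific offsets file reads are not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { NOTE_OK = 0, NOTE_TRUNCATED = 1, NOTE_BADNAME = 2 };

typedef struct {
    uint32_t       namesz, descsz, type;
    const char    *name;   /* inside buf, NUL-terminated within namesz */
    const uint8_t *desc;   /* descsz bytes, all inside buf */
} elf_note;

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Read the note at *off (Elf32/Elf64 Nhdr layout, host byte order; a real
 * reader swaps by EI_DATA). Each length is compared with the bytes that
 * remain (len - o) before the bytes it describes are touched, so an
 * oversized namesz/descsz cannot wrap an addition or move a pointer past
 * buf. On NOTE_OK, *off advances to the next note; otherwise it is left. */
static int read_note(const uint8_t *buf, size_t len, size_t *off, elf_note *n)
{
    size_t o = *off;
    if (len - o < 12) return NOTE_TRUNCATED;
    memcpy(&n->namesz, buf + o, 4);
    memcpy(&n->descsz, buf + o + 4, 4);
    memcpy(&n->type,   buf + o + 8, 4);
    o += 12;
    if (n->namesz > len - o || pad4(n->namesz) > len - o) return NOTE_TRUNCATED;
    n->name = (const char *)(buf + o);
    /* The name will be handed to strcmp(); it must end inside namesz. */
    if (n->namesz == 0 || memchr(n->name, 0, n->namesz) == NULL) return NOTE_BADNAME;
    o += pad4(n->namesz);
    if (n->descsz > len - o) return NOTE_TRUNCATED;
    n->desc = buf + o;
    /* The last note in a segment may omit its trailing padding. */
    o += pad4(n->descsz) > len - o ? len - o : pad4(n->descsz);
    *off = o;
    return NOTE_OK;
}

/* Pointer to `want` bytes at `off` inside the descriptor, or NULL when
 * descsz is too small. A reader pulling fixed-offset fields out of a core
 * note (process info, command name, ...) must go through this check. */
static const uint8_t *desc_field(const elf_note *n, size_t off, size_t want)
{
    if (off > n->descsz || want > n->descsz - off) return NULL;
    return n->desc + off;
}

/* Walk every note in buf. Returns NOTE_OK at a clean end of buffer or the
 * first error; *count is the number of notes accepted before that. */
static int parse_all(const uint8_t *buf, size_t len, size_t *count)
{
    size_t o = 0;
    elf_note n;
    *count = 0;
    while (o < len) {
        int rc = read_note(buf, len, &o, &n);
        if (rc != NOTE_OK) return rc;
        (*count)++;
    }
    return NOTE_OK;
}

/* Constructed test input: append one note to out. namesz/descsz are
 * written as given so a sample can lie about them; only actual_desc
 * descriptor bytes are really emitted. Returns bytes written. */
static size_t put_note(uint8_t *out, const char *name, uint32_t namesz,
                       uint32_t type, uint32_t descsz,
                       const uint8_t *desc, size_t actual_desc)
{
    size_t o = 0;
    memcpy(out + o, &namesz, 4); o += 4;
    memcpy(out + o, &descsz, 4); o += 4;
    memcpy(out + o, &type,   4); o += 4;
    memset(out + o, 0, pad4(namesz) + pad4(actual_desc));
    memcpy(out + o, name, namesz);      o += pad4(namesz);
    memcpy(out + o, desc, actual_desc); o += pad4(actual_desc);
    return o;
}

static const uint8_t SAMPLE_DESC[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */

/* Demos return status * 100 + notes accepted, so one int carries both. */
int demo_wellformed(void)
{
    uint8_t buf[128]; size_t len = 0, count;
    len += put_note(buf + len, "CORE", 5, 1, 8, SAMPLE_DESC, 8);
    len += put_note(buf + len, "NetBSD-CORE", 12, 1, 8, SAMPLE_DESC, 8);
    return parse_all(buf, len, &count) * 100 + (int)count;
}

/* descsz claims 0x1000 bytes but only 4 follow: a fixed-offset read into
 * this descriptor would leave the buffer. */
int demo_truncated(void)
{
    uint8_t buf[128]; size_t len = 0, count;
    len += put_note(buf + len, "CORE", 5, 1, 8, SAMPLE_DESC, 8);
    len += put_note(buf + len, "CORE", 5, 1, 0x1000, SAMPLE_DESC, 4);
    return parse_all(buf, len, &count) * 100 + (int)count;
}

/* namesz = 4 carrying "CORE" with no NUL: strcmp() would read past it. */
int demo_unterminated_name(void)
{
    uint8_t buf[64]; size_t count;
    size_t len = put_note(buf, "CORE", 4, 1, 8, SAMPLE_DESC, 8);
    return parse_all(buf, len, &count) * 100 + (int)count;
}

/* Field [4,8) fits an 8-byte descriptor; [4,12) must be refused. */
int demo_desc_field(void)
{
    uint8_t buf[64]; size_t o = 0; elf_note n;
    size_t len = put_note(buf, "CORE", 5, 1, 8, SAMPLE_DESC, 8);
    if (read_note(buf, len, &o, &n) != NOTE_OK) return 0;
    return desc_field(&n, 4, 4) != NULL && desc_field(&n, 4, 8) == NULL;
}

int main(void)
{
    printf("wellformed=%d truncated=%d badname=%d field=%d\n", demo_wellformed(),
           demo_truncated(), demo_unterminated_name(), demo_desc_field());
    return 0;
}
```

The three rejection paths are the ones that matter for a reader of this class: a header that does not fit, a name or descriptor that does not fit, and a name that is not terminated. Checks are written as `x > len - o` rather than `o + x > len` because namesz and descsz come from the file and can be anything up to 2^32-1.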
Comment 1 Robert Frohl 2019-02-20 15:18:15 UTC
the libmagic library embedded in php is not affected, because the version is too old
Comment 2 Dr. Werner Fink 2019-02-21 08:58:33 UTC
SR#185053 for SLE-15 and SLE-15-PS1
Comment 3 Swamp Workflow Management 2019-02-21 09:10:10 UTC
This is an autogenerated message for OBS integration:
This bug (1126118) was mentioned in
https://build.opensuse.org/request/show/677928 Factory / file
Comment 5 Dr. Werner Fink 2019-02-21 10:11:45 UTC
SR#185059 for SLE-12 for all SP
Comment 6 Dr. Werner Fink 2019-02-21 10:31:58 UTC
SLE-11 and up seem not to be affected ... a test case would be helpful
Comment 8 Robert Frohl 2019-02-22 10:27:47 UTC
Created attachment 797592 [details]
QA Reproducer

$ valgrind file sbo2

(reproducer does not work for me, did not verify if ASAN build would help)
Comment 9 Robert Frohl 2019-02-22 10:28:32 UTC
as the reproducer does not work, is there anything else I can help with?
Comment 10 Robert Frohl 2019-02-22 10:35:39 UTC
looks like I might have been too quick to dismiss the QA reproducer:

$ valgrind --leak-check=full file sbo2

[..]
==20601== 48 bytes in 1 blocks are definitely lost in loss record 2 of 2
==20601==    at 0x4C2C1E0: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20601==    by 0x4E3FCC7: apprentice_load (apprentice.c:1286)
==20601==    by 0x4E4071D: apprentice_1 (apprentice.c:456)
==20601==    by 0x4E4071D: file_apprentice (apprentice.c:684)
==20601==    by 0x10A862: load (file.c:432)
==20601==    by 0x10A520: main (file.c:355)
[..]
Comment 11 Robert Frohl 2019-02-22 10:36:59 UTC
but still no stack-buffer-overflow as reported by upstream
Comment 12 Dr. Werner Fink 2019-02-22 10:47:26 UTC
For SLE-11 file-4.24 I see

abuild@noether:/usr/src/packages/BUILD/file-4.24> export LD_LIBRARY_PATH=$PWD/src/.libs
abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind --leak-check=full  ./src/.libs/file /tmp/sbo2
==24371== Memcheck, a memory error detector.
==24371== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24371== Using LibVEX rev 1854, a library for dynamic binary translation.
==24371== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24371== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24371== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24371== For more details, rerun with: -v
==24371== 
/tmp/sbo2: ELF 32-bit LSB shared object, Intel 80386, version 1, invalid note alignment 0xeb000000, NetBSD-style, from '\354\354\354\354\354\354\354\354\354\354\354\354\354\354\354\354 (signal 0), statically linked, stripped
==24371== 
==24371== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24371== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24371== malloc/free: 87 allocs, 87 frees, 208,813 bytes allocated.
==24371== For counts of detected errors, rerun with: -v
==24371== All heap blocks were freed -- no leaks are possible.
Comment 13 Dr. Werner Fink 2019-02-22 10:49:49 UTC
Does look like SLE-11 file-4.24 is safe here
Comment 14 Dr. Werner Fink 2019-02-22 11:00:22 UTC
seems to be fixed with submit request for SLE-12 and SLE-15
Comment 16 Swamp Workflow Management 2019-03-07 23:10:17 UTC
SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    file-5.32-7.5.1, python-magic-5.32-7.5.1
Comment 17 Swamp Workflow Management 2019-04-02 16:20:22 UTC
SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    file-5.22-10.12.2
SUSE CaaS Platform ALL (src):    file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src):    file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 18 Marcus Meissner 2020-01-28 07:40:23 UTC
done