the libmagic library embedded in php is not affected, because the version is to old

SR#185053 for SLE-15 and SLE-15-PS1

This is an autogenerated message for OBS integration:
This bug (1126119) was mentioned in
https://build.opensuse.org/request/show/677928 Factory / file

SR#185059 for SLE-12 for all SP

SlE-11 and up seem not to be affected ... a test case would be helpful

Created attachment 797588 [details]
QA Reproducer

$ valgrind file sbo3

[..]
**540** *** memcpy_chk: buffer overflow detected ***: program terminated
==540==    at 0x483A75C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x483FA3A: __memcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x4859C43: memcpy (string_fortified.h:34)
==540==    by 0x4859C43: do_core_note (readelf.c:755)
==540==    by 0x485AC89: donote (readelf.c:1196)
==540==    by 0x485BAA9: dophn_core.part.5 (readelf.c:398)
==540==    by 0x485D6E5: dophn_core (readelf.c:355)
==540==    by 0x485D6E5: file_tryelf (elfclass.h:43)
==540==    by 0x485F7D7: file_buffer (funcs.c:305)
==540==    by 0x484DB5F: file_or_fd (magic.c:508)
==540==    by 0x10B456: process (file.c:554)
==540==    by 0x10A850: main (file.c:424)
[..]

abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind   ./src/.libs/file /tmp/sbo3
==24377== Memcheck, a memory error detector.
==24377== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24377== Using LibVEX rev 1854, a library for dynamic binary translation.
==24377== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24377== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24377== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24377== For more details, rerun with: -v
==24377== 
/tmp/sbo3: ELF 32-bit LSB core file Intel 80386, version 1
==24377== 
==24377== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24377== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24377== malloc/free: 58 allocs, 58 frees, 204,573 bytes allocated.
==24377== For counts of detected errors, rerun with: -v
==24377== All heap blocks were freed -- no leaks are possible.

Does look like SLE-11 file-4.24 is safe here

seems to be fixed with submit request for SLE-12 and SLE-15

SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    file-5.32-7.5.1, python-magic-5.32-7.5.1

SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    file-5.22-10.12.2
SUSE CaaS Platform ALL (src):    file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src):    file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

done