Bug 1126119 - (CVE-2019-8906) VUL-0: CVE-2019-8906: file: out-of-bounds read do_core_note in readelf.c
(CVE-2019-8906)
VUL-0: CVE-2019-8906: file: out-of-bounds read do_core_note in readelf.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/224988/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-20 15:13 UTC by Robert Frohl
Modified: 2020-01-28 07:40 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA Reproducer (9.13 KB, application/x-core)
2019-02-22 10:18 UTC, Robert Frohl
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2019-02-20 15:13:19 UTC
CVE-2019-8906

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read
because memcpy is misused.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8906
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8906.html
https://bugs.astron.com/view.php?id=64
https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
Comment 1 Robert Frohl 2019-02-20 15:17:49 UTC
the libmagic library embedded in php is not affected, because the version is to old
Comment 2 Dr. Werner Fink 2019-02-21 08:58:29 UTC
SR#185053 for SLE-15 and SLE-15-PS1
Comment 3 Swamp Workflow Management 2019-02-21 09:10:13 UTC
This is an autogenerated message for OBS integration:
This bug (1126119) was mentioned in
https://build.opensuse.org/request/show/677928 Factory / file
Comment 5 Dr. Werner Fink 2019-02-21 10:11:52 UTC
SR#185059 for SLE-12 for all SP
Comment 6 Dr. Werner Fink 2019-02-21 10:32:14 UTC
SlE-11 and up seem not to be affected ... a test case would be helpful
Comment 8 Robert Frohl 2019-02-22 10:18:23 UTC
Created attachment 797588 [details]
QA Reproducer

$ valgrind file sbo3

[..]
**540** *** memcpy_chk: buffer overflow detected ***: program terminated
==540==    at 0x483A75C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x483FA3A: __memcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==540==    by 0x4859C43: memcpy (string_fortified.h:34)
==540==    by 0x4859C43: do_core_note (readelf.c:755)
==540==    by 0x485AC89: donote (readelf.c:1196)
==540==    by 0x485BAA9: dophn_core.part.5 (readelf.c:398)
==540==    by 0x485D6E5: dophn_core (readelf.c:355)
==540==    by 0x485D6E5: file_tryelf (elfclass.h:43)
==540==    by 0x485F7D7: file_buffer (funcs.c:305)
==540==    by 0x484DB5F: file_or_fd (magic.c:508)
==540==    by 0x10B456: process (file.c:554)
==540==    by 0x10A850: main (file.c:424)
[..]
Comment 9 Dr. Werner Fink 2019-02-22 10:48:14 UTC
abuild@noether:/usr/src/packages/BUILD/file-4.24> valgrind   ./src/.libs/file /tmp/sbo3
==24377== Memcheck, a memory error detector.
==24377== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==24377== Using LibVEX rev 1854, a library for dynamic binary translation.
==24377== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==24377== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==24377== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==24377== For more details, rerun with: -v
==24377== 
/tmp/sbo3: ELF 32-bit LSB core file Intel 80386, version 1
==24377== 
==24377== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 3 from 1)
==24377== malloc/free: in use at exit: 0 bytes in 0 blocks.
==24377== malloc/free: 58 allocs, 58 frees, 204,573 bytes allocated.
==24377== For counts of detected errors, rerun with: -v
==24377== All heap blocks were freed -- no leaks are possible.
Comment 10 Dr. Werner Fink 2019-02-22 10:49:47 UTC
Does look like SLE-11 file-4.24 is safe here
Comment 11 Dr. Werner Fink 2019-02-22 11:00:18 UTC
seems to be fixed with submit request for SLE-12 and SLE-15
Comment 13 Swamp Workflow Management 2019-03-07 23:10:24 UTC
SUSE-SU-2019:0571-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    python-magic-5.32-7.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    file-5.32-7.5.1, python-magic-5.32-7.5.1
Comment 17 Swamp Workflow Management 2019-04-02 16:20:29 UTC
SUSE-SU-2019:0839-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1096974,1096984,1126117,1126118,1126119
CVE References: CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    file-5.22-10.12.2, python-magic-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Server 12-SP3 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    file-5.22-10.12.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    file-5.22-10.12.2
SUSE CaaS Platform ALL (src):    file-5.22-10.12.2
SUSE CaaS Platform 3.0 (src):    file-5.22-10.12.2
OpenStack Cloud Magnum Orchestration 7 (src):    file-5.22-10.12.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 18 Marcus Meissner 2020-01-28 07:40:57 UTC
done