Security update for file SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0345-1 Final 1 1 2019-03-23T11:15:50Z current 2019-03-23T11:15:50Z 2019-03-23T11:15:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for file This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-345 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L/#UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L E-Mail link for openSUSE-SU-2019:0345-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1096974 SUSE Bug 1096974 https://bugzilla.suse.com/1096984 SUSE Bug 1096984 https://bugzilla.suse.com/1126117 SUSE Bug 1126117 https://bugzilla.suse.com/1126118 SUSE Bug 1126118 https://bugzilla.suse.com/1126119 SUSE Bug 1126119 https://www.suse.com/security/cve/CVE-2018-10360/ SUSE CVE CVE-2018-10360 page https://www.suse.com/security/cve/CVE-2019-8905/ SUSE CVE CVE-2019-8905 page https://www.suse.com/security/cve/CVE-2019-8906/ SUSE CVE CVE-2019-8906 page https://www.suse.com/security/cve/CVE-2019-8907/ SUSE CVE CVE-2019-8907 page openSUSE Leap 15.0 file-5.32-lp150.6.3.1 file-devel-5.32-lp150.6.3.1 file-devel-32bit-5.32-lp150.6.3.1 file-magic-5.32-lp150.6.3.1 libmagic1-5.32-lp150.6.3.1 libmagic1-32bit-5.32-lp150.6.3.1 python2-magic-5.32-lp150.6.3.1 python3-magic-5.32-lp150.6.3.1 file-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 file-devel-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 file-devel-32bit-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 file-magic-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 libmagic1-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 libmagic1-32bit-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 python2-magic-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 python3-magic-5.32-lp150.6.3.1 as a component of openSUSE Leap 15.0 The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. CVE-2018-10360 openSUSE Leap 15.0:file-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-5.32-lp150.6.3.1 openSUSE Leap 15.0:python2-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:python3-magic-5.32-lp150.6.3.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L/#UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L https://www.suse.com/security/cve/CVE-2018-10360.html CVE-2018-10360 https://bugzilla.suse.com/1096974 SUSE Bug 1096974 https://bugzilla.suse.com/1096984 SUSE Bug 1096984 https://bugzilla.suse.com/1126118 SUSE Bug 1126118 do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. CVE-2019-8905 openSUSE Leap 15.0:file-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-5.32-lp150.6.3.1 openSUSE Leap 15.0:python2-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:python3-magic-5.32-lp150.6.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L/#UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L https://www.suse.com/security/cve/CVE-2019-8905.html CVE-2019-8905 https://bugzilla.suse.com/1126117 SUSE Bug 1126117 https://bugzilla.suse.com/1126118 SUSE Bug 1126118 do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. CVE-2019-8906 openSUSE Leap 15.0:file-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-5.32-lp150.6.3.1 openSUSE Leap 15.0:python2-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:python3-magic-5.32-lp150.6.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L/#UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L https://www.suse.com/security/cve/CVE-2019-8906.html CVE-2019-8906 https://bugzilla.suse.com/1126119 SUSE Bug 1126119 do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. CVE-2019-8907 openSUSE Leap 15.0:file-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-devel-5.32-lp150.6.3.1 openSUSE Leap 15.0:file-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-32bit-5.32-lp150.6.3.1 openSUSE Leap 15.0:libmagic1-5.32-lp150.6.3.1 openSUSE Leap 15.0:python2-magic-5.32-lp150.6.3.1 openSUSE Leap 15.0:python3-magic-5.32-lp150.6.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L/#UQQSJOBQTS7ZNXZRM4RJ7J2R4FX7TI6L https://www.suse.com/security/cve/CVE-2019-8907.html CVE-2019-8907 https://bugzilla.suse.com/1126117 SUSE Bug 1126117