Arch Linux Security Advisory ASA-201903-5 ========================================= Severity: High Date : 2019-03-03 CVE-ID : CVE-2019-8904 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 Package : file Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-907 Summary ======= The package file before version 5.36-1 is vulnerable to multiple issues including information disclosure and denial of service. Resolution ========== Upgrade to 5.36-1. # pacman -Syu "file>=5.36-1" The problems have been fixed upstream in version 5.36. Workaround ========== None. Description =========== - CVE-2019-8904 (information disclosure) do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. - CVE-2019-8905 (information disclosure) do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. - CVE-2019-8906 (information disclosure) do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of- bounds read because memcpy is misused. - CVE-2019-8907 (denial of service) do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. Impact ====== A remote attack is able to display sensitive information within the file process or cause a crash via a crafted ELF file. References ========== https://bugs.astron.com/view.php?id=62 https://bugs.astron.com/view.php?id=63 https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f https://bugs.astron.com/view.php?id=64 https://bugs.astron.com/view.php?id=65 https://security.archlinux.org/CVE-2019-8904 https://security.archlinux.org/CVE-2019-8905 https://security.archlinux.org/CVE-2019-8906 https://security.archlinux.org/CVE-2019-8907