file-5.40-1.14 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10755-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z file-5.40-1.14 on GA media These are all security issues fixed in the file-5.40-1.14 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10755 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-1536/ SUSE CVE CVE-2007-1536 page https://www.suse.com/security/cve/CVE-2007-2799/ SUSE CVE CVE-2007-2799 page https://www.suse.com/security/cve/CVE-2017-1000249/ SUSE CVE CVE-2017-1000249 page https://www.suse.com/security/cve/CVE-2018-10360/ SUSE CVE CVE-2018-10360 page https://www.suse.com/security/cve/CVE-2019-18218/ SUSE CVE CVE-2019-18218 page https://www.suse.com/security/cve/CVE-2019-8904/ SUSE CVE CVE-2019-8904 page https://www.suse.com/security/cve/CVE-2019-8907/ SUSE CVE CVE-2019-8907 page openSUSE Tumbleweed file-5.40-1.14 file-devel-5.40-1.14 file-devel-32bit-5.40-1.14 file-magic-5.40-1.14 libmagic1-5.40-1.14 libmagic1-32bit-5.40-1.14 file-5.40-1.14 as a component of openSUSE Tumbleweed file-devel-5.40-1.14 as a component of openSUSE Tumbleweed file-devel-32bit-5.40-1.14 as a component of openSUSE Tumbleweed file-magic-5.40-1.14 as a component of openSUSE Tumbleweed libmagic1-5.40-1.14 as a component of openSUSE Tumbleweed libmagic1-32bit-5.40-1.14 as a component of openSUSE Tumbleweed Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. CVE-2007-1536 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1536.html CVE-2007-1536 https://bugzilla.suse.com/256290 SUSE Bug 256290 Integer overflow in the "file" program 4.20, when running on 32-bit systems, as used in products including The Sleuth Kit, might allow user-assisted attackers to execute arbitrary code via a large file that triggers an overflow that bypasses an assert() statement. NOTE: this issue is due to an incorrect patch for CVE-2007-1536. CVE-2007-2799 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-2799.html CVE-2007-2799 https://bugzilla.suse.com/256290 SUSE Bug 256290 An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017). CVE-2017-1000249 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000249.html CVE-2017-1000249 https://bugzilla.suse.com/1056838 SUSE Bug 1056838 The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. CVE-2018-10360 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10360.html CVE-2018-10360 https://bugzilla.suse.com/1096974 SUSE Bug 1096974 https://bugzilla.suse.com/1096984 SUSE Bug 1096984 https://bugzilla.suse.com/1126118 SUSE Bug 1126118 cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write). CVE-2019-18218 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-18218.html CVE-2019-18218 https://bugzilla.suse.com/1154661 SUSE Bug 1154661 https://bugzilla.suse.com/1190368 SUSE Bug 1190368 https://bugzilla.suse.com/1191838 SUSE Bug 1191838 do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. CVE-2019-8904 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-8904.html CVE-2019-8904 https://bugzilla.suse.com/1126121 SUSE Bug 1126121 do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. CVE-2019-8907 openSUSE Tumbleweed:file-5.40-1.14 openSUSE Tumbleweed:file-devel-32bit-5.40-1.14 openSUSE Tumbleweed:file-devel-5.40-1.14 openSUSE Tumbleweed:file-magic-5.40-1.14 openSUSE Tumbleweed:libmagic1-32bit-5.40-1.14 openSUSE Tumbleweed:libmagic1-5.40-1.14 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-8907.html CVE-2019-8907 https://bugzilla.suse.com/1126117 SUSE Bug 1126117