CLD-442 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-10360 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) file
Deficiency Type SECURITY
Date Created 2018-06-26 14:51:22
Date Last Modified 2018-06-27 12:03:21

Version Specific Information:

Cucumber 1.0 i686 fixed in file-5.25-i686-2
Cucumber 1.0 x86_64 fixed in file-5.25-x86_64-2 and file-lib_i686-5.25-lib_i686-2

Cucumber 1.1 i686 fixed in file-5.25-i686-2
Cucumber 1.1 x86_64 fixed in file-5.25-x86_64-2 and file-lib_i686-5.25-lib_i686-2

Details:

=================================== Overview ===================================

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote
attackers to cause a denial of service (out-of-bounds read and application
crash) via a crafted ELF file. 

================================= Our Analysis =================================

----- Affected Products -----
Versions of file up to and including 5.33 that have not had the patch from
https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
applied are vulnerable. As of this writing (Wed Jun 27 11:46:09 EDT 2018), 5.33
is the latest version of file; it is unknown whether future versions will be
affected.

----- Scope and Impact of this Vulnerability -----
A local user can cause a denial of service (application crash) by running file
on a specially crafted ELF file.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt. We had to modify it
slightly to get it to apply to file 5.25. Our modified patch can be found at