file: CVE-2019-8904


Debian Bug report logs - #922967

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Feb 2019 12:51:01 UTC

Severity: important

Tags: security, upstream

Found in version file/1:5.35-2

Fixed in version file/1:5.35-3

Done: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.astron.com/view.php?id=62



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Bug#922967; Package src:file. (Fri, 22 Feb 2019 12:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Christoph Biedl <debian.axhn@manchmal.in-ulm.de>. (Fri, 22 Feb 2019 12:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: file: CVE-2019-8904
Date: Fri, 22 Feb 2019 13:48:53 +0100
Source: file
Version: 1:5.35-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.astron.com/view.php?id=62

Hi,

The following vulnerability was published for file.

CVE-2019-8904[0]:
| do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based
| buffer over-read, related to file_printf and file_vprintf.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-8904
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8904
[1] https://bugs.astron.com/view.php?id=62

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility. (Fri, 01 Mar 2019 09:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 01 Mar 2019 09:09:09 GMT)


Message #10 received at 922967-close@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 922967-close@bugs.debian.org
Subject: Bug#922967: fixed in file 1:5.35-3
Date: Fri, 01 Mar 2019 09:04:43 +0000
Source: file
Source-Version: 1:5.35-3

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.axhn@manchmal.in-ulm.de> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Mar 2019 09:27:11 +0100
Source: file
Architecture: source
Version: 1:5.35-3
Distribution: unstable
Urgency: medium
Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Changed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Closes: 922967 922968 922969
Changes:
 file (1:5.35-3) unstable; urgency=medium
 .
   * Cherry-pick many commits since 5.35 release that seem wise to
     include in buster.
     * Closes: #922967 [CVE-2019-8904]
     * Closes: #922968 [CVE-2019-8905 CVE-2019-8907]
     * Closes: #922969 [CVE-2019-8906]
   * Cherry-pick two documentation fix commits
Checksums-Sha1:
 76a59377ffb2115d1c31dbb8f11373b968b2e58a 1952 file_5.35-3.dsc
 7df5a92b759aba4d8b72cad4dcab387df4a5e1e3 55244 file_5.35-3.debian.tar.xz
 0f32cd7194e11704bf32d544a11db7d617fe5308 6407 file_5.35-3_powerpc.buildinfo
Checksums-Sha256:
 1024aabf9c2e4d55cca323bd7596d5a2428ef31e46353cb155cf8a808bcaa9b7 1952 file_5.35-3.dsc
 1de25d65bcf3d782b049a4c60f83bb58971a98c938207c20c2c9e1d4659440d5 55244 file_5.35-3.debian.tar.xz
 6bc76d9ce6357c6eaaeacbe5272c80f1d183630cbb9929a161d2caf95009e529 6407 file_5.35-3_powerpc.buildinfo
Files:
 31403e901adae0d4d96a471dbc1282cc 1952 utils standard file_5.35-3.dsc
 38bd39ad34d470a05055be2510cfadd4 55244 utils standard file_5.35-3.debian.tar.xz
 68d6734709344135fa504cc1b08f214b 6407 utils standard file_5.35-3_powerpc.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWXMI+726A12MfJXdxCxY61kUkv0FAlx48VwACgkQxCxY61kU
kv2jQA/7BNq1+vBEAIX/ocqvvYsCtSb1bEKnD1yR6NPtMbRr2HCyB6jgExnjtdqC
Sc6W2lXO/iBekawFuEonPy/HkudfPH+ytCnNIQFcOaJvJ1RwDATLbOQ3OPrdxdxj
i5Bib4pw6Er4qOnCjFuZs7+HeV3d3kuDsNrIbZW4/Dt9rod/YS+MElu/gZm+tixR
cOjSTCYJmrdz3ktWlpjYWFhCCAYonmbjwAEz7oE7JE3496MpsO/OsVUd/ixVPdZ8
3cSDRM8z4o612tF2Yl30aRyXgfExueo4Gk3S55z6yupJW033Mzlvyhi+969Q9Snp
yN9+eXeuBOS5O6qKQEbRQ/rPjpaZAgFDEtstzbtlqiwBO0EMJJBB4dnaLPJ/2SBI
K1OZzr0gu6Q4looHzbfw2w3ljlBbFnOBQ6RIEEZ9bxKJa3kTokdC1s0AZEKGIW0e
Algp28sDcikhTLwhLMRceh6vjVf2ejI5Xn3DRHyhkQ02M8W6YGezqhAjwU0h5fLB
0WmozHykFFL2kX9RLMDE9haaZk6YA7yl0Uwuk3CAqEzcT9Bmj/Zv6+m+ky5Cg/lq
Sb+/YQE6Q6TZEwTo0azokGkSfFMFS+p8UyQ4PdFBIq/7G6bv1ZMr+g4cbV2wDQZu
xEcvxl6eKruGBJ/NxtPiH4D8pLoVbzuUZQFSvVmZ9wQVzHJuKn8=
=wvTW
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Mar 2019 07:29:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:44:23 2019; Machine Name: beach
