UbuntuUpdates.org

Package "libmagic1"

Name: libmagic1

Description:

File type determination library using "magic" numbers

Latest version: 1:5.14-2ubuntu3.4
Release: trusty (14.04)
Level: updates
Repository: main
Head package: file
Homepage: http://www.darwinsys.com/file/

Other versions of "libmagic1" in Trusty

Repository Area Version
base main 1:5.14-2ubuntu3
security main 1:5.14-2ubuntu3.4

Changelog

Version: 1:5.14-2ubuntu3.4 2018-06-14 16:06:50 UTC

  file (1:5.14-2ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via large number of notes or long
    string
    - debian/patches/CVE-2014-962x-pre*.patch: backport pre-requisite code
      changes.
    - debian/patches/CVE-2014-962x-1.patch: add a limit to the number of
      ELF notes processed in doc/file.man, doc/libmagic.man,
      src/apprentice.c, src/elfclass.h, src/file.c, src/file.h,
      src/file_opts.h, src/magic.c, src/magic.h.in, src/readelf.c.
    - debian/patches/CVE-2014-962x-2.patch: limit string printing to 100
      chars, and add flags in src/readelf.c.
    - CVE-2014-9620
    - CVE-2014-9621
  * SECURITY UPDATE: denial of service via crafted ELF file
    - debian/patches/CVE-2014-9653.patch: bail out on partial reads in
      src/readelf.c.
    - CVE-2014-9653
  * SECURITY UPDATE: memory corruption in file_check_mem.
    - debian/patches/CVE-2015-8865.patch: properly calculate length in
      src/funcs.c.
    - CVE-2015-8865
  * SECURITY UPDATE: out-of-bounds read via crafted ELF file
    - debian/patches/CVE-2018-10360.patch: add bounds check to
      src/readelf.c.
    - CVE-2018-10360

 -- Marc Deslauriers <email address hidden> Wed, 13 Jun 2018 14:45:30 -0400

CVE-2014-9620 The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.
CVE-2014-9621 The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.
CVE-2014-9653 readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider
CVE-2015-8865 The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x befo
CVE-2018-10360 The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and applic

Version: 1:5.14-2ubuntu3.3 2015-02-04 20:06:44 UTC

  file (1:5.14-2ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via insufficient note headers
    - debian/patches/CVE-2014-3710.patch: handle running out of note headers
      in src/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: DoS in ELF parser
    - debian/patches/CVE-2014-8116.patch: limit number of headers and
      capabilities in src/elfclass.h, src/readelf.c.
    - CVE-2014-8116
  * SECURITY UPDATE: DoS via missing recursion limits
    - debian/patches/CVE-2014-8117.patch: lower recursion level and allow
      it to be set from the command line in src/apprentice.c, src/file.c,
      src/file.h, src/file_opts.h, src/funcs.c, src/magic.c,
      src/magic.h.in, src/softmagic.c, add new option to documentation in
      doc/file.man, doc/libmagic.man.
    - CVE-2014-8117
  * SECURITY UPDATE: DoS via long pascal strings
    - debian/patches/pr398-truncate-pascal-strings.patch: correctly
      calculate size in src/softmagic.c.
    - No CVE number
  * debian/libmagic1.symbols: added new symbols

 -- Marc Deslauriers <email address hidden> Tue, 27 Jan 2015 09:23:18 -0500

CVE-2014-3710 out-of-bounds read in elf note headers
CVE-2014-8116 The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of
CVE-2014-8117 softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or cra

Version: 1:5.14-2ubuntu3.2 2014-10-03 02:06:36 UTC

  file (1:5.14-2ubuntu3.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer underflow in CDF file identification
    - debian/patches/CVE-2014-3587.patch: modify src/cdf.c to detect and
      abort on buffer underflows.
    - CVE-2014-3587

 -- Seth Arnold <email address hidden> Wed, 27 Aug 2014 23:33:26 -0700

CVE-2014-3587 Integer overflow in the cdf_read_property_info function in cdf.c in ...

Version: 1:5.14-2ubuntu3.1 2014-07-15 20:06:38 UTC

  file (1:5.14-2ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via awk rule backtracking
    - debian/patches/CVE-2013-7345.patch: limit to 100 repetitions in
      magic/Magdir/commands.
    - CVE-2013-7345
  * SECURITY UPDATE: denial of service in cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      src/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in src/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      src/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      src/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      src/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service via awk rule backtracking
    - debian/patches/CVE-2014-3538.patch: allow specifying lengths for
      regex in src/apprentice.c, src/file.h, src/softmagic.c, adjust
      existing expressions in magic/Magdir/commands, magic/Magdir/fortran,
      magic/Magdir/graphviz, magic/Magdir/marc21, magic/Magdir/scientific,
      magic/Magdir/troff, update manpage in doc/magic.man.
    - CVE-2014-3538
  * debian/patches/commands-strength.patch: reduce strength of awk rule so
    it doesn't get priority over perl scripts.

 -- Marc Deslauriers <email address hidden> Thu, 10 Jul 2014 09:40:56 -0400

CVE-2013-7345 The BEGIN regular expression in the awk script detector in ...
CVE-2014-0207 cdf_read_short_sector insufficient boundary check
CVE-2014-3478 mconvert incorrect handling of truncated pascal string size
CVE-2014-3479 cdf_check_stream_offset insufficient boundary check
CVE-2014-3480 cdf_count_chain insufficient boundary check
CVE-2014-3487 cdf_read_property_info insufficient boundary check
CVE-2014-3538 file before 5.19 does not properly restrict the amount of data read ...


