ESB-2018.1768.2 - UPDATE [Ubuntu] file: Multiple vulnerabilities 2018-06-29

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1768.2
                           file vulnerabilities
                               29 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           file
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10360 CVE-2015-8865 CVE-2014-9653
                   CVE-2014-9621 CVE-2014-9620 

Reference:         ESB-2017.3225.2
                   ESB-2017.2794
                   ESB-2017.2080
                   ESB-2015.2227
                   ESB-2015.1903
                   ESB-2015.0668

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3686-1

Comment: This bulletin contains two (2) Ubuntu security advisories.

Revision History:  June 29 2018: Update provided for Ubuntu 12.04 ESM.
                   June 15 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3686-1
June 14, 2018

file vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 18.04 LTS
- - Ubuntu 17.10
- - Ubuntu 16.04 LTS
- - Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in file.

Software Description:
- - file: Tool to determine file types

Details:

Alexander Cherepanov discovered that file incorrectly handled a large
number of notes. An attacker could use this issue to cause a denial of
service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9620)

Alexander Cherepanov discovered that file incorrectly handled certain long
strings. An attacker could use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9620)

Alexander Cherepanov discovered that file incorrectly handled certain
malformed ELF files. An attacker could use this issue to cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS. (CVE-2014-9653)

It was discovered that file incorrectly handled certain magic files. An
attacker could use this issue with a specially crafted magic file to cause
a denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 LTS. (CVE-2015-8865)

It was discovered that file incorrectly handled certain malformed ELF
files. An attacker could use this issue to cause a denial of service.
(CVE-2018-10360)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  file                            1:5.32-2ubuntu0.1
  libmagic1                       1:5.32-2ubuntu0.1

Ubuntu 17.10:
  file                            1:5.32-1ubuntu0.1
  libmagic1                       1:5.32-1ubuntu0.1

Ubuntu 16.04 LTS:
  file                            1:5.25-2ubuntu1.1
  libmagic1                       1:5.25-2ubuntu1.1

Ubuntu 14.04 LTS:
  file                            1:5.14-2ubuntu3.4
  libmagic1                       1:5.14-2ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3686-1
  CVE-2014-9620, CVE-2014-9621, CVE-2014-9653, CVE-2015-8865,
  CVE-2018-10360

Package Information:
  https://launchpad.net/ubuntu/+source/file/1:5.32-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/file/1:5.32-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/file/1:5.25-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/file/1:5.14-2ubuntu3.4

- --------------------------------------------------------------------------------

==========================================================================
Ubuntu Security Notice USN-3686-2
June 28, 2018

file vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in file.

Software Description:
- - file: Tool to determine file types

Details:

USN-3686-1 fixed a vulnerability in file. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

  It was discovered that file incorrectly handled certain magic files.
  An attacker could use this issue with a specially crafted magic file
  to cause a denial of service, or possibly execute arbitrary code.
  (CVE-2015-8865)

  It was discovered that file incorrectly handled certain malformed ELF
  files. An attacker could use this issue to cause a denial of service.
  (CVE-2018-10360)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
   file                                                   5.09-2ubuntu0.7
   libmagic1                                              5.09-2ubuntu0.7

In general, a standard system update will make all the necessary
changes.

References:
   https://usn.ubuntu.com/usn/usn-3686-2
   https://usn.ubuntu.com/usn/usn-3686-1
   CVE-2015-8865, CVE-2018-10360

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
