This bug was fixed in the package file - 1:5.25-2ubuntu1.4

---------------
file (1:5.25-2ubuntu1.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: truncated interpreter name (LP: #1835596)
    - debian/patches/CVE-2019-8905_8907.patch: updated to use correct
      length in src/readelf.c.

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Tue, 12 May 2020 09:33:55 -0400

** Changed in: file (Ubuntu Xenial)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8905

-- 
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1835596

Title:
  incorrect argument to file_printable in [PATCH] PR/62

Status in file package in Ubuntu:
  Fix Released
Status in file source package in Xenial:
  Fix Released
Status in file source package in Bionic:
  In Progress
Status in file source package in Eoan:
  Fix Released
Status in file source package in Focal:
  Fix Released
Status in file source package in Groovy:
  Fix Released

Bug description:
  In last patch below

+From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001 +From: Christos Zoulas <chris...@zoulas.com> +Date: Mon, 18 Feb 2019 17:46:56 +0000 +Subject: [PATCH] PR/62: spinpx: limit size of file_printable. 
+=================================================================== +--- file-5.32.orig/src/readelf.c 2019-03-13 12:38:58.854781641 -0400 ++++ file-5.32/src/readelf.c 2019-03-13 12:39:43.450945506 -0400 +@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsig + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, " + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)", + file_printable(sbuf, sizeof(sbuf), +- CAST(char *, pi.cpi_name)), ++ RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)), + elf_getu32(swap, pi.cpi_pid), + elf_getu32(swap, pi.cpi_euid), + elf_getu32(swap, pi.cpi_egid), +@@ -1564,7 +1564,8 @@ dophn_exec(struct magic_set *ms, int cla + return -1; + if (interp[0]) + if (file_printf(ms, ", interpreter %s", +- file_printable(ibuf, sizeof(ibuf), interp)) == -1) ++ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp))) ++ == -1) + return -1; + return 0; + }

  sizeof(interp) is passed to file_printable as the `slen' parameter. Since interp is of type `char *', sizeof(interp) will be a constant value of 8 or 4 for different pointer types; this limits the `interpreter' extraction for ELF files to 8 bytes under x64.

  An example of this, under Ubuntu 18.04:

  $ file /bin/dash
  /bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=a783260e3a5fe0afdae77417eea7fbf8d645219e, stripped

  Notice that the interpreter portion is `/lib64/l', which is 8 bytes long and only a part of the actual interpreter path.

  The `slen' parameter here should be something like `sizeof(char) * length_of_buffer' instead of sizeof(char *).
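Review bot: in the do_core_note hunk, `sizeof(pi.cpi_name)` is only a valid length if cpi_name is an array member, and its declaration is not in the hunk context, so that should be confirmed before relying on it. The format string already caps this field with `%.31s`; a short comment saying how that cap relates to the new length argument would help, and the switch from CAST to RCAST on the same line is not explained by the patch subject.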
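Review bot: in the dophn_exec hunk, the new fourth argument `sizeof(interp)` is the size of the variable interp itself, so when interp is a `char *` (as the report states) it evaluates to the pointer width and the printed interpreter name is cut to 8 bytes on x64. Pass the number of bytes available in the buffer interp refers to, or the length actually read into it, rather than the size of the pointer.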
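The truncation described in the bug report can be reproduced in isolation. The following is an added example, not code from the file package or from the report: `printable`, `segment`, `interp_regressed` and `interp_fixed` are hypothetical names, `printable` is a simplified stand-in for file_printable, and the loader path is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for file_printable(): copy at most slen bytes of
 * str into buf (bufsiz bytes), replacing non-printable bytes with '?'.
 * The real function's escaping rules are not reproduced here. */
static char *printable(char *buf, size_t bufsiz, const char *str, size_t slen)
{
    size_t i, o = 0;
    if (bufsiz == 0)
        return buf;
    for (i = 0; i < slen && str[i] != '\0' && o + 1 < bufsiz; i++)
        buf[o++] = isprint((unsigned char)str[i]) ? str[i] : '?';
    buf[o] = '\0';
    return buf;
}

/* Constructed sample: interpreter path as it would sit in a read buffer. */
static char segment[64] = "/lib64/ld-linux-x86-64.so.2";

/* Regressed call shape: interp is a pointer, so sizeof(interp) is the
 * pointer width (8 on x86-64), not the number of bytes in the buffer. */
static const char *interp_regressed(char *out, size_t outsz)
{
    char *interp = segment;
    return printable(out, outsz, interp, sizeof(interp));
}

/* Corrected call shape: pass the size of the storage interp points to. */
static const char *interp_fixed(char *out, size_t outsz)
{
    char *interp = segment;
    return printable(out, outsz, interp, sizeof(segment));
}

int main(void)
{
    char a[128], b[128];
    printf("regressed: %s\n", interp_regressed(a, sizeof(a)));
    printf("fixed:     %s\n", interp_fixed(b, sizeof(b)));
    return 0;
}
```

On a 64-bit build the first line prints `/lib64/l`, matching the output quoted in the report.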