{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20212505", "Version": "oval:org.altlinux.errata:def:20212505", "Class": "patch", "Metadata": { "Title": "ALT-PU-2021-2505: package `file` update to version 5.40-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p11" ], "Products": [ "ALT Container" ] } ], "References": [ { "RefID": "ALT-PU-2021-2505", "RefURL": "https://errata.altlinux.org/ALT-PU-2021-2505", "Source": "ALTPU" }, { "RefID": "BDU:2015-00377", "RefURL": "https://bdu.fstec.ru/vul/2015-00377", "Source": "BDU" }, { "RefID": "BDU:2015-00378", "RefURL": "https://bdu.fstec.ru/vul/2015-00378", "Source": "BDU" }, { "RefID": "BDU:2015-00379", "RefURL": "https://bdu.fstec.ru/vul/2015-00379", "Source": "BDU" }, { "RefID": "BDU:2015-01282", "RefURL": "https://bdu.fstec.ru/vul/2015-01282", "Source": "BDU" }, { "RefID": "BDU:2015-06092", "RefURL": "https://bdu.fstec.ru/vul/2015-06092", "Source": "BDU" }, { "RefID": "BDU:2015-06093", "RefURL": "https://bdu.fstec.ru/vul/2015-06093", "Source": "BDU" }, { "RefID": "BDU:2015-06094", "RefURL": "https://bdu.fstec.ru/vul/2015-06094", "Source": "BDU" }, { "RefID": "BDU:2015-06095", "RefURL": "https://bdu.fstec.ru/vul/2015-06095", "Source": "BDU" }, { "RefID": "BDU:2015-06096", "RefURL": "https://bdu.fstec.ru/vul/2015-06096", "Source": "BDU" }, { "RefID": "BDU:2015-09797", "RefURL": "https://bdu.fstec.ru/vul/2015-09797", "Source": "BDU" }, { "RefID": "BDU:2015-09882", "RefURL": "https://bdu.fstec.ru/vul/2015-09882", "Source": "BDU" }, { "RefID": "BDU:2015-10226", "RefURL": "https://bdu.fstec.ru/vul/2015-10226", "Source": "BDU" }, { "RefID": "BDU:2020-01768", "RefURL": "https://bdu.fstec.ru/vul/2020-01768", "Source": "BDU" }, { "RefID": "CVE-2014-2270", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-2270", "Source": "CVE" }, { "RefID": "CVE-2014-3479", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-3479", "Source": "CVE" }, { "RefID": "CVE-2014-3480", "RefURL": 
"https://nvd.nist.gov/vuln/detail/CVE-2014-3480", "Source": "CVE" }, { "RefID": "CVE-2014-3487", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-3487", "Source": "CVE" }, { "RefID": "CVE-2014-8117", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-8117", "Source": "CVE" }, { "RefID": "CVE-2014-9652", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-9652", "Source": "CVE" }, { "RefID": "CVE-2014-9653", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-9653", "Source": "CVE" }, { "RefID": "CVE-2019-18218", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218", "Source": "CVE" } ], "Description": "This update upgrades file to version 5.40-alt1. \nSecurity Fix(es):\n\n * BDU:2015-00377: Vulnerability in PHP software that allows a remote attacker to compromise the availability of protected information\n\n * BDU:2015-00378: Vulnerability in PHP software that allows a remote attacker to compromise the availability of protected information\n\n * BDU:2015-00379: Vulnerability in PHP software that allows a remote attacker to compromise the availability of protected information\n\n * BDU:2015-01282: Vulnerabilities in the Debian GNU/Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-06092: Vulnerabilities in the Red Hat Enterprise Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-06093: Vulnerabilities in the Red Hat Enterprise Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-06094: Vulnerabilities in the Red Hat Enterprise Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-06095: Vulnerabilities in the Red Hat Enterprise Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-06096: Vulnerabilities in the Red Hat Enterprise 
Linux operating system that allow a remote attacker to compromise the availability of protected information\n\n * BDU:2015-09797: Vulnerability in the Gentoo Linux operating system that allows a remote attacker to compromise the availability of protected information\n\n * BDU:2015-09882: Vulnerability in the PHP interpreter that allows a remote attacker to access memory outside the application's bounds or cause the application to crash\n\n * BDU:2015-10226: Vulnerability in the PHP interpreter that allows a remote attacker to cause a denial of service or have other impact on the system\n\n * BDU:2020-01768: Vulnerability in the cdf_read_property_info function of the file type classification tool file that allows an attacker to access confidential data, compromise its integrity, and cause a denial of service\n\n * CVE-2014-2270: softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.\n\n * CVE-2014-3479: The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.\n\n * CVE-2014-3480: The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.\n\n * CVE-2014-3487: The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF 
file.\n\n * CVE-2014-8117: softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.\n\n * CVE-2014-9652: The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.\n\n * CVE-2014-9653: readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.\n\n * CVE-2019-18218: cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", "Advisory": { "From": "errata.altlinux.org", "Severity": "Critical", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2021-08-12" }, "Updated": { "Date": "2021-08-12" }, "BDUs": [ { "ID": "BDU:2015-00377", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-189", "Href": "https://bdu.fstec.ru/vul/2015-00377", "Impact": "Low", "Public": "20140609" }, { "ID": "BDU:2015-00378", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-00378", "Impact": "Low", "Public": "20140608" }, { "ID": "BDU:2015-00379", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-20", "Href": "https://bdu.fstec.ru/vul/2015-00379", "Impact": "Low", "Public": "20140609" }, { "ID": "BDU:2015-01282", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-189", 
"Href": "https://bdu.fstec.ru/vul/2015-01282", "Impact": "Low", "Public": "20140601" }, { "ID": "BDU:2015-06092", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-06092", "Impact": "Low", "Public": "20141014" }, { "ID": "BDU:2015-06093", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-06093", "Impact": "Low", "Public": "20141014" }, { "ID": "BDU:2015-06094", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-06094", "Impact": "Low", "Public": "20141014" }, { "ID": "BDU:2015-06095", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-06095", "Impact": "Low", "Public": "20141014" }, { "ID": "BDU:2015-06096", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "Href": "https://bdu.fstec.ru/vul/2015-06096", "Impact": "Low", "Public": "20141014" }, { "ID": "BDU:2015-09797", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-399", "Href": "https://bdu.fstec.ru/vul/2015-09797", "Impact": "Low", "Public": "20141227" }, { "ID": "BDU:2015-09882", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-119", "Href": "https://bdu.fstec.ru/vul/2015-09882", "Impact": "Low", "Public": "20140122" }, { "ID": "BDU:2015-10226", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CWE": "CWE-20", "Href": "https://bdu.fstec.ru/vul/2015-10226", "Impact": "High", "Public": "20150330" }, { "ID": "BDU:2020-01768", "CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-787", "Href": "https://bdu.fstec.ru/vul/2020-01768", "Impact": "Critical", "Public": "20191021" } ], "CVEs": [ { "ID": "CVE-2014-2270", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-119", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-2270", "Impact": "Low", "Public": "20140314" }, { "ID": "CVE-2014-3479", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "NVD-CWE-noinfo", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-3479", "Impact": "Low", "Public": "20140709" }, { "ID": "CVE-2014-3480", "CVSS": 
"AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "NVD-CWE-noinfo", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-3480", "Impact": "Low", "Public": "20140709" }, { "ID": "CVE-2014-3487", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CWE": "CWE-20", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-3487", "Impact": "Low", "Public": "20140709" }, { "ID": "CVE-2014-8117", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-399", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-8117", "Impact": "Low", "Public": "20141217" }, { "ID": "CVE-2014-9652", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CWE": "CWE-119", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-9652", "Impact": "Low", "Public": "20150330" }, { "ID": "CVE-2014-9653", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CWE": "CWE-20", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2014-9653", "Impact": "High", "Public": "20150330" }, { "ID": "CVE-2019-18218", "CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "CWE": "CWE-787", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218", "Impact": "High", "Public": "20191021" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:container:11" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:3001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20212505001", "Comment": "file is earlier than 0:5.40-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20212505002", "Comment": "libmagic is earlier than 0:5.40-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20212505003", "Comment": "libmagic-devel is earlier than 0:5.40-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20212505004", "Comment": "libmagic-devel-static is earlier than 0:5.40-alt1" } ] } ] } } ] }