[3.7] file: Multiple vulnerabilities (CVE-2019-8905, CVE-2019-8906, CVE-2019-8907)
CVE-2019-8905: do_core_note in readelf.c in libmagic in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.
CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.
Fixed by: https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f (FILE5_36)
CVE-2019-8907: do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
(from redmine: issue id 10173, created on 2019-03-28)
- parent #10170