[Debian] High CVE: CVE-2022-48554 file: a stack-based buffer over-read

Bug #2034117 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang
Milestone: (none)

Bug Description

CVE-2022-48554: https://nvd.nist.gov/vuln/detail/CVE-2022-48554

File before 5.43 has a stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.

Base Score: High

Reference:

['file_1:5.39-3_amd64.deb===>file_1:5.39-3+deb11u1_amd64.deb', 'libmagic1_1:5.39-3_amd64.deb===>libmagic1_1:5.39-3+deb11u1_amd64.deb', 'libmagic-mgc_1:5.39-3_amd64.deb===>libmagic-mgc_1:5.39-3+deb11u1_amd64.deb']
https://www.debian.org/security/2023/dsa-5489
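
A defender-side verification of the fix described above, added here as an example (it is not part of the bug report, the Debian advisory or the StarlingX tools repository): it reads the fixed package versions from the report's `old===>new` .deb list, re-implements dpkg's version ordering (epoch, upstream version, Debian revision, `~` sorting below everything) so the comparison can run on any host, and flags any of `file`, `libmagic1` or `libmagic-mgc` still below `1:5.39-3+deb11u1`. The `dpkg-query` output at the bottom is a constructed sample, not captured data.

```python
# Added example, not StarlingX code: re-implements dpkg version ordering so the
# check runs offline. The dpkg-query output at the bottom is a constructed sample.

# The report's reference list entries, one 'old.deb===>new.deb' pair per package.
REFERENCE_UPGRADES = [
    "file_1:5.39-3_amd64.deb===>file_1:5.39-3+deb11u1_amd64.deb",
    "libmagic1_1:5.39-3_amd64.deb===>libmagic1_1:5.39-3+deb11u1_amd64.deb",
    "libmagic-mgc_1:5.39-3_amd64.deb===>libmagic-mgc_1:5.39-3+deb11u1_amd64.deb",
]


def fixed_versions_from_reference(entries):
    """Map package name -> fixed version from the 'old===>new' .deb filenames."""
    fixed = {}
    for entry in entries:
        _old, new = entry.split("===>", 1)
        name, version, _arch = new.split("_", 2)  # name_version_arch.deb
        fixed[name] = version
    return fixed


def _order(c):
    """dpkg weight of a char in a non-digit run: '~' < end-of-string < letters < others."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until a digit or a mismatch.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compared numerically; an empty run counts as zero.
        ia, jb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[ia:i] or "0"), int(b[jb:j] or "0")
        if na != nb:
            return na - nb
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; missing epoch is 0, missing revision is ''."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:  # an unepoched '5.45-2' sorts BELOW '1:5.39-3+deb11u1'
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def parse_dpkg_query(output):
    """Parse 'package version' lines, e.g. from dpkg-query -W -f '${Package} ${Version}\\n'."""
    installed = {}
    for line in output.splitlines():
        if line.strip():
            pkg, ver = line.split(None, 1)
            installed[pkg] = ver.strip()
    return installed


def check_fixed(installed, fixed):
    """For each package in `fixed` that is installed: (installed version, patched?)."""
    return {
        pkg: (installed[pkg], compare_versions(installed[pkg], fixed_ver) >= 0)
        for pkg, fixed_ver in fixed.items()
        if pkg in installed
    }


# Constructed sample: a host where only the 'file' binary package is still unpatched.
SAMPLE_DPKG_OUTPUT = """\
file 1:5.39-3
libmagic1 1:5.39-3+deb11u1
libmagic-mgc 1:5.39-3+deb11u1
"""

if __name__ == "__main__":
    fixed = fixed_versions_from_reference(REFERENCE_UPGRADES)
    for pkg, (ver, ok) in check_fixed(parse_dpkg_query(SAMPLE_DPKG_OUTPUT), fixed).items():
        print(f"{pkg:14} {ver:22} {'patched' if ok else 'VULNERABLE, need ' + fixed[pkg]}")
```

The epoch is the part most often dropped when versions are copied around; comparing only `5.39-3+deb11u1` against a plain `5.45` would invert the result, which is why the parser keeps it as a separate, first-compared field.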

Yue Tao (wrytao)
summary: - [Debian] High CVE: CVE-2022-48554 file
+ [Debian] High CVE: CVE-2022-48554 file: an stack-based buffer over-read
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/895244

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/895244
Committed: https://opendev.org/starlingx/tools/commit/54c986fcea0dce5a57aba0254ea183fa898bf7be
Submitter: "Zuul (22348)"
Branch: master

commit 54c986fcea0dce5a57aba0254ea183fa898bf7be
Author: Wentao Zhang <email address hidden>
Date: Fri Sep 15 10:31:45 2023 +0800

    Debian: package : fix CVE-2022-48554

    Upgrade file to 1:5.39-3+deb11u1
    Upgrade libmagic1 to 1:5.39-3+deb11u1
    Upgrade libmagic-mgc to 1:5.39-3+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2022-48554

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2034117

    Change-Id: Ib042ddef6c5a0389224b8ddc6826b5177c0de1f4
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)