ALAS2-2019-1370

Amazon Linux 2 Security Advisory: ALAS-2019-1370
Advisory Release Date: 2019-12-13 18:55 Pacific
Advisory Updated Date: 2019-12-18 01:04 Pacific
Severity: Medium
Issue Overview:

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).(CVE-2019-18218)


Affected Packages:

file


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update file to update your system.

New Packages:
aarch64:
    file-5.11-35.amzn2.0.2.aarch64
    file-libs-5.11-35.amzn2.0.2.aarch64
    file-devel-5.11-35.amzn2.0.2.aarch64
    file-static-5.11-35.amzn2.0.2.aarch64
    file-debuginfo-5.11-35.amzn2.0.2.aarch64

i686:
    file-5.11-35.amzn2.0.2.i686
    file-libs-5.11-35.amzn2.0.2.i686
    file-devel-5.11-35.amzn2.0.2.i686
    file-static-5.11-35.amzn2.0.2.i686
    file-debuginfo-5.11-35.amzn2.0.2.i686

noarch:
    python-magic-5.11-35.amzn2.0.2.noarch

src:
    file-5.11-35.amzn2.0.2.src

x86_64:
    file-5.11-35.amzn2.0.2.x86_64
    file-libs-5.11-35.amzn2.0.2.x86_64
    file-devel-5.11-35.amzn2.0.2.x86_64
    file-static-5.11-35.amzn2.0.2.x86_64
    file-debuginfo-5.11-35.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2019-18218

Mitre: CVE-2019-18218