PublicDateAtUSN: 2019-10-21 05:15:00 UTC
Candidate: CVE-2019-18218
PublicDate: 2019-10-21 05:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
 https://ubuntu.com/security/notices/USN-4172-1
 https://ubuntu.com/security/notices/USN-4172-2
Description:
 cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
 number of CDF_VECTOR elements, which allows a heap-based buffer overflow
 (4-byte out-of-bounds write).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_file:
 upstream: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
upstream_file: released (1:5.37-6)
precise/esm_file: released (5.09-2ubuntu0.8)
trusty_file: ignored (out of standard support)
trusty/esm_file: released (1:5.14-2ubuntu3.4+esm1)
xenial_file: released (1:5.25-2ubuntu1.3)
esm-infra/xenial_file: released (1:5.25-2ubuntu1.3)
bionic_file: released (1:5.32-2ubuntu0.3)
disco_file: released (1:5.35-4ubuntu0.1)
eoan_file: released (1:5.37-5ubuntu0.1)
devel_file: released (1:5.37-6)