diff options
| author | Leo Famulari <leo@famulari.name> | 2019-10-26 17:19:57 -0400 |
|---|---|---|
| committer | Leo Famulari <leo@famulari.name> | 2019-10-28 12:47:59 -0400 |
| commit | 1051facc8108110e582f2c0a9d8a5fd38b1486b6 (patch) | |
| tree | a5414ad5800744f823fba7846a8532a00c82ab57 | |
| parent | 7da3e81aa1b95ba2d72118e393c4531da44d5536 (diff) | |
gnu: file: Update to 5.37 [fixes CVE-2019-18218].
* gnu/packages/file.scm (file): Update to 5.37.
* gnu/packages/patches/file-CVE-2019-18218.patch: New file.
* gnu/packages/patches/file-CVE-2018-10360.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
| -rw-r--r-- | gnu/local.mk | 2 | ||||
| -rw-r--r-- | gnu/packages/file.scm | 6 | ||||
| -rw-r--r-- | gnu/packages/patches/file-CVE-2018-10360.patch | 27 | ||||
| -rw-r--r-- | gnu/packages/patches/file-CVE-2019-18218.patch | 55 |
4 files changed, 59 insertions, 31 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index e46d74be64..336be3cb8d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -822,7 +822,7 @@ dist_patch_DATA = \ %D%/packages/patches/fcgi-2.4.0-poll.patch \ %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch \ %D%/packages/patches/fifo-map-remove-catch.hpp.patch \ - %D%/packages/patches/file-CVE-2018-10360.patch \ + %D%/packages/patches/file-CVE-2019-18218.patch \ %D%/packages/patches/findutils-gnulib-libio.patch \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/findutils-makedev.patch \ diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm index 9ba51d1b74..cf770297c4 100644 --- a/gnu/packages/file.scm +++ b/gnu/packages/file.scm @@ -30,15 +30,15 @@ (define-public file (package (name "file") - (version "5.33") + (version "5.37") (source (origin (method url-fetch) (uri (string-append "ftp://ftp.astron.com/pub/file/file-" version ".tar.gz")) - (patches (search-patches "file-CVE-2018-10360.patch")) + (patches (search-patches "file-CVE-2019-18218.patch")) (sha256 (base32 - "1iipnwjkag7q04zjkaqic41r9nlw0ml6mhqian6qkkbisb1whlhw")))) + "0zz0p9bqnswfx0c16j8k62ivjq1m16x10xqv4hy9lcyxyxkkkhg9")))) (build-system gnu-build-system) ;; When cross-compiling, this package depends upon a native install of diff --git a/gnu/packages/patches/file-CVE-2018-10360.patch b/gnu/packages/patches/file-CVE-2018-10360.patch deleted file mode 100644 index 9285611c04..0000000000 --- a/gnu/packages/patches/file-CVE-2018-10360.patch +++ /dev/null @@ -1,27 +0,0 @@ -https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.patch -The leading part of the patch starting at line 27 was trimmed off. -This patch should be OK to drop with file@5.35. - -From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001 -From: Christos Zoulas <christos@zoulas.com> -Date: Sat, 9 Jun 2018 16:00:06 +0000 -Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis) - ---- - src/readelf.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/readelf.c b/src/readelf.c -index 79c83f9f5..1f41b4611 100644 ---- a/src/readelf.c -+++ b/src/readelf.c -@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, - - cname = (unsigned char *) - &nbuf[doff + prpsoffsets(i)]; -- for (cp = cname; *cp && isprint(*cp); cp++) -+ for (cp = cname; cp < nbuf + size && *cp -+ && isprint(*cp); cp++) - continue; - /* - * Linux apparently appends a space at the end diff --git a/gnu/packages/patches/file-CVE-2019-18218.patch b/gnu/packages/patches/file-CVE-2019-18218.patch new file mode 100644 index 0000000000..21069823b7 --- /dev/null +++ b/gnu/packages/patches/file-CVE-2019-18218.patch @@ -0,0 +1,55 @@ +Fix CVE-2019-18218: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218 + +Patch copied from upstream source repository: + +https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 + +From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas <christos@zoulas.com> +Date: Mon, 26 Aug 2019 14:31:39 +0000 +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) + +--- + src/cdf.c | 9 ++++----- + src/cdf.h | 1 + + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/cdf.c b/src/cdf.c +index 9d6396742..bb81d6374 100644 +--- a/src/cdf.c ++++ b/src/cdf.c +@@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554b7..05056668f 100644 +--- a/src/cdf.h ++++ b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 ++#define CDF_ELEMENT_LIMIT 100000 + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 |