summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/file.scm6
-rw-r--r--gnu/packages/patches/file-CVE-2018-10360.patch27
-rw-r--r--gnu/packages/patches/file-CVE-2019-18218.patch55
4 files changed, 59 insertions, 31 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e46d74be64..336be3cb8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -822,7 +822,7 @@ dist_patch_DATA = \
%D%/packages/patches/fcgi-2.4.0-poll.patch \
%D%/packages/patches/fifo-map-fix-flags-for-gcc.patch \
%D%/packages/patches/fifo-map-remove-catch.hpp.patch \
- %D%/packages/patches/file-CVE-2018-10360.patch \
+ %D%/packages/patches/file-CVE-2019-18218.patch \
%D%/packages/patches/findutils-gnulib-libio.patch \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-makedev.patch \
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 9ba51d1b74..cf770297c4 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -30,15 +30,15 @@
(define-public file
(package
(name "file")
- (version "5.33")
+ (version "5.37")
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.astron.com/pub/file/file-"
version ".tar.gz"))
- (patches (search-patches "file-CVE-2018-10360.patch"))
+ (patches (search-patches "file-CVE-2019-18218.patch"))
(sha256
(base32
- "1iipnwjkag7q04zjkaqic41r9nlw0ml6mhqian6qkkbisb1whlhw"))))
+ "0zz0p9bqnswfx0c16j8k62ivjq1m16x10xqv4hy9lcyxyxkkkhg9"))))
(build-system gnu-build-system)
;; When cross-compiling, this package depends upon a native install of
diff --git a/gnu/packages/patches/file-CVE-2018-10360.patch b/gnu/packages/patches/file-CVE-2018-10360.patch
deleted file mode 100644
index 9285611c04..0000000000
--- a/gnu/packages/patches/file-CVE-2018-10360.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.patch
-The leading part of the patch starting at line 27 was trimmed off.
-This patch should be OK to drop with file@5.35.
-
-From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001
-From: Christos Zoulas <christos@zoulas.com>
-Date: Sat, 9 Jun 2018 16:00:06 +0000
-Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis)
-
----
- src/readelf.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/readelf.c b/src/readelf.c
-index 79c83f9f5..1f41b4611 100644
---- a/src/readelf.c
-+++ b/src/readelf.c
-@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
-
- cname = (unsigned char *)
- &nbuf[doff + prpsoffsets(i)];
-- for (cp = cname; *cp && isprint(*cp); cp++)
-+ for (cp = cname; cp < nbuf + size && *cp
-+ && isprint(*cp); cp++)
- continue;
- /*
- * Linux apparently appends a space at the end
diff --git a/gnu/packages/patches/file-CVE-2019-18218.patch b/gnu/packages/patches/file-CVE-2019-18218.patch
new file mode 100644
index 0000000000..21069823b7
--- /dev/null
+++ b/gnu/packages/patches/file-CVE-2019-18218.patch
@@ -0,0 +1,55 @@
+Fix CVE-2019-18218:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
+
+Patch copied from upstream source repository:
+
+https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
+
+From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 26 Aug 2019 14:31:39 +0000
+Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
+
+---
+ src/cdf.c | 9 ++++-----
+ src/cdf.h | 1 +
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 9d6396742..bb81d6374 100644
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ }
+ nelements = CDF_GETUINT32(q, 1);
+- if (nelements == 0) {
+- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == %"
++ SIZE_T_FORMAT "u\n", nelements));
+ goto out;
+ }
+ slen = 2;
+@@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ inp += nelem;
+ }
+- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+- nelements));
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554b7..05056668f 100644
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+
+ #define CDF_LOOP_LIMIT 10000
++#define CDF_ELEMENT_LIMIT 100000
+
+ #define CDF_SECID_NULL 0
+ #define CDF_SECID_FREE -1