pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/sysutils/file file: fix security issues, bump revision.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e0bd260c20d4
branches:  trunk
changeset: 393283:e0bd260c20d4
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Mar 16 09:02:41 2019 +0000

description:
file: fix security issues, bump revision.

Fixes CVE-2019-8906, CVE-2019-8904 (not sure about CVE-2019-8905,
CVE-2019-8907).
Patch by Matthias Ferdinand via email to pkgsrc-users.

diffstat:

 sysutils/file/Makefile                      |    4 +-
 sysutils/file/distinfo                      |    8 +-
 sysutils/file/patches/patch-src_file.h      |   18 +++
 sysutils/file/patches/patch-src_funcs.c     |   26 +++++
 sysutils/file/patches/patch-src_readelf.c   |   36 ++++++-
 sysutils/file/patches/patch-src_softmagic.c |  144 +++++++++++++++++++++++++++-
 6 files changed, 229 insertions(+), 7 deletions(-)

diffs (299 lines):

diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/Makefile
--- a/sysutils/file/Makefile    Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/Makefile    Sat Mar 16 09:02:41 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2018/06/30 09:27:02 bsiegert Exp $
+# $NetBSD: Makefile,v 1.43 2019/03/16 09:02:41 bsiegert Exp $
 
 DISTNAME=              file-5.32
-PKGREVISION=           2
+PKGREVISION=           3
 CATEGORIES=            sysutils
 MASTER_SITES=          ftp://ftp.astron.com/pub/file/
 
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/distinfo
--- a/sysutils/file/distinfo    Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/distinfo    Sat Mar 16 09:02:41 2019 +0000
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.31 2018/06/30 09:27:02 bsiegert Exp $
+$NetBSD: distinfo,v 1.32 2019/03/16 09:02:41 bsiegert Exp $
 
 SHA1 (file-5.32.tar.gz) = c2858a8043387d1229d8768ad42762a803d017db
 RMD160 (file-5.32.tar.gz) = b7d41a4c6b2c28d9f202d740e353416e2036c1ef
 SHA512 (file-5.32.tar.gz) = 315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f
 Size (file-5.32.tar.gz) = 797025 bytes
 SHA1 (patch-aa) = dc787ea0d77d7ba88bcb1e17d38b26b13153a1c5
+SHA1 (patch-src_file.h) = e4bd52e3b5674300a1b87f198ed4418a65997833
 SHA1 (patch-src_fsmagic.c) = ee770cf37dfdfbc5a7c123d2691312610b76e76e
-SHA1 (patch-src_readelf.c) = 2dca756d757509643f72937595c470378fb4f3d1
-SHA1 (patch-src_softmagic.c) = bd8871c9050ca521f02b62066d0023a5fbb2d168
+SHA1 (patch-src_funcs.c) = f86ed77c42d63290a602cb46625410cad8bb13b1
+SHA1 (patch-src_readelf.c) = 7f2f6c03050b6f49ef25d7991f368b8d3aab1e2b
+SHA1 (patch-src_softmagic.c) = 5a67d73bd4ecf7711f810ad4f4c0456248955c81
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_file.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/file/patches/patch-src_file.h    Sat Mar 16 09:02:41 2019 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_file.h,v 1.3 2019/03/16 09:02:41 bsiegert Exp $
+
+fix PR/62: spinpx: limit size of file_printable.  (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
+--- src/file.h.orig    2017-08-28 13:39:18.000000000 +0000
++++ src/file.h
+@@ -491,7 +491,7 @@ protected int file_looks_utf8(const unsi
+     size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+     size_t);
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_funcs.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/file/patches/patch-src_funcs.c   Sat Mar 16 09:02:41 2019 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-src_funcs.c,v 1.1 2019/03/16 09:02:41 bsiegert Exp $
+
+fix PR/62: spinpx: limit size of file_printable.  (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
+--- src/funcs.c.orig   2017-08-28 13:39:18.000000000 +0000
++++ src/funcs.c
+@@ -581,12 +581,13 @@ file_pop_buffer(struct magic_set *ms, fi
+  * convert string to ascii printable format.
+  */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+-      char *ptr, *eptr;
++      char *ptr, *eptr = buf + bufsiz - 1;
+       const unsigned char *s = (const unsigned char *)str;
++      const unsigned char *es = s + slen;
+ 
+-      for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++      for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
+               if (isprint(*s)) {
+                       *ptr++ = *s;
+                       continue;
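Review bot: The header comment above file_printable still reads only `convert string to ascii printable format.` and does not mention the new `slen` argument, which is now the only thing that stops the loop when `str` has no NUL inside its buffer. I would extend the comment to state the contract, for example `str need not be NUL-terminated: at most slen bytes are read from it, and conversion stops at the first NUL or when buf is full`. The initializer `eptr = buf + bufsiz - 1` also assumes `bufsiz` is at least 1, and that is worth saying in the same comment. The function body continues past the end of this hunk, so the escaping and termination code is not visible here.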
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_readelf.c
--- a/sysutils/file/patches/patch-src_readelf.c Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/patches/patch-src_readelf.c Sat Mar 16 09:02:41 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-src_readelf.c,v 1.1 2018/06/30 09:27:03 bsiegert Exp $
+$NetBSD: patch-src_readelf.c,v 1.2 2019/03/16 09:02:41 bsiegert Exp $
 
 apply https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
 against https://nvd.nist.gov/vuln/detail/CVE-2018-10360
@@ -10,8 +10,32 @@
     file.
     ...
 
+Avoid OOB read (found by ASAN reported by F. Alonso) (CVE-2019-8906)
+
+https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
+
+fix PR/62: spinpx: limit size of file_printable.  (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
 --- src/readelf.c.orig 2017-08-27 07:55:02.000000000 +0000
 +++ src/readelf.c
+@@ -720,12 +720,12 @@ do_core_note(struct magic_set *ms, unsig
+                       char sbuf[512];
+                       struct NetBSD_elfcore_procinfo pi;
+                       memset(&pi, 0, sizeof(pi));
+-                      memcpy(&pi, nbuf + doff, descsz);
++                      memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+ 
+                       if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+                           "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+                           file_printable(sbuf, sizeof(sbuf),
+-                          CAST(char *, pi.cpi_name)),
++                          RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+                           elf_getu32(swap, pi.cpi_pid),
+                           elf_getu32(swap, pi.cpi_euid),
+                           elf_getu32(swap, pi.cpi_egid),
 @@ -824,7 +824,8 @@ do_core_note(struct magic_set *ms, unsig
  
                                cname = (unsigned char *)
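Review bot: `MIN(descsz, sizeof(pi))` bounds the write into `pi`, but the visible lines do not show that `nbuf + doff` still has that many bytes available, so the read side of the memcpy depends on a check made elsewhere. do_core_note starts and ends outside this hunk, so that check should be confirmed there. A short comment on the memcpy line would record why the clamp exists, for example `/* descsz is taken from the inspected file; never copy more than pi holds */` (assuming that is where descsz originates). The `%.31s` precision in the format string also appears to repeat the size of `pi.cpi_name` as a literal, next to the new `sizeof(pi.cpi_name)` argument, and the two need to stay in step if the struct changes.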
@@ -22,3 +46,13 @@
                                        continue;
                                /*
                                 * Linux apparently appends a space at the end
+@@ -1564,7 +1565,8 @@ dophn_exec(struct magic_set *ms, int cla
+               return -1;
+       if (interp[0])
+               if (file_printf(ms, ", interpreter %s",
+-                  file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++                  file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
++                      == -1)
+                       return -1;
+       return 0;
+ }
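Review bot: `sizeof(interp)` in the new file_printable call bounds the read correctly only if `interp` is an array declared in dophn_exec. Its declaration is above this hunk; if it were a pointer, the expression would be the pointer size and the interpreter path would be cut to a few bytes. Please confirm this against the declaration. The nested `if (interp[0]) if (file_printf(...) == -1)` is also unbraced, and with the call now wrapped over three lines I would brace both bodies so the `return -1;` is visibly tied to the inner test.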
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_softmagic.c
--- a/sysutils/file/patches/patch-src_softmagic.c       Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/patches/patch-src_softmagic.c       Sat Mar 16 09:02:41 2019 +0000
@@ -1,8 +1,13 @@
-$NetBSD: patch-src_softmagic.c,v 1.3 2017/12/12 03:11:51 ryoon Exp $
+$NetBSD: patch-src_softmagic.c,v 1.4 2019/03/16 09:02:41 bsiegert Exp $
 
 Fix functionality under NetBSD-current after format check change
 https://mail-index.netbsd.org/source-changes/2017/12/11/msg090400.html
 
+fix PR/62: spinpx: limit size of file_printable.  (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
 --- src/softmagic.c.orig       2017-07-21 10:29:00.000000000 +0000
 +++ src/softmagic.c
 @@ -121,6 +121,8 @@ private const char * __attribute__((__fo
@@ -14,3 +19,140 @@
        const char *ptr = fmtcheck(m->desc, def);
        if (ptr == def)
                file_magerror(ms,
+@@ -546,8 +548,8 @@ mprint(struct magic_set *ms, struct magi
+       case FILE_LESTRING16:
+               if (m->reln == '=' || m->reln == '!') {
+                       if (file_printf(ms, F(ms, m, "%s"), 
+-                          file_printable(sbuf, sizeof(sbuf), m->value.s))
+-                          == -1)
++                          file_printable(sbuf, sizeof(sbuf), m->value.s,
++                          sizeof(m->value.s))) == -1)
+                               return -1;
+                       t = ms->offset + m->vallen;
+               }
+@@ -574,7 +576,8 @@ mprint(struct magic_set *ms, struct magi
+                       }
+ 
+                       if (file_printf(ms, F(ms, m, "%s"),
+-                          file_printable(sbuf, sizeof(sbuf), str)) == -1)
++                          file_printable(sbuf, sizeof(sbuf), str,
++                              sizeof(p->s) - (str - p->s))) == -1)
+                               return -1;
+ 
+                       if (m->type == FILE_PSTRING)
+@@ -680,7 +683,7 @@ mprint(struct magic_set *ms, struct magi
+                       return -1;
+               }
+               rval = file_printf(ms, F(ms, m, "%s"),
+-                  file_printable(sbuf, sizeof(sbuf), cp));
++                  file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+               free(cp);
+ 
+               if (rval == -1)
+@@ -707,7 +710,8 @@ mprint(struct magic_set *ms, struct magi
+               break;
+       case FILE_DER:
+               if (file_printf(ms, F(ms, m, "%s"), 
+-                  file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++                  file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++                      sizeof(ms->ms_value.s))) == -1)
+                       return -1;
+               t = ms->offset;
+               break;
+@@ -1383,38 +1387,64 @@ mget(struct magic_set *ms, const unsigne
+       if (m->flag & INDIR) {
+               intmax_t off = m->in_offset;
+               const int sgn = m->in_op & FILE_OPSIGNED;
+-              if (m->in_op & FILE_OPINDIRECT) {
+-                      const union VALUETYPE *q = CAST(const union VALUETYPE *,
+-                          ((const void *)(s + offset + off)));
+-                      if (OFFSET_OOB(nbytes, offset + off, sizeof(*q)))
+-                              return 0;
+-                      switch (cvt_flip(m->in_type, flip)) {
+-                      case FILE_BYTE:
+-                              off = SEXT(sgn,8,q->b);
+-                              break;
+-                      case FILE_SHORT:
+-                              off = SEXT(sgn,16,q->h);
+-                              break;
+-                      case FILE_BESHORT:
+-                              off = SEXT(sgn,16,BE16(q));
+-                              break;
+-                      case FILE_LESHORT:
+-                              off = SEXT(sgn,16,LE16(q));
+-                              break;
+-                      case FILE_LONG:
+-                              off = SEXT(sgn,32,q->l);
+-                              break;
+-                      case FILE_BELONG:
+-                      case FILE_BEID3:
+-                              off = SEXT(sgn,32,BE32(q));
+-                              break;
+-                      case FILE_LEID3:
+-                      case FILE_LELONG:
+-                              off = SEXT(sgn,32,LE32(q));
+-                              break;
+-                      case FILE_MELONG:
+-                              off = SEXT(sgn,32,ME32(q));
+-                              break;
++              if (m->in_op & FILE_OPINDIRECT) {
++                      const union VALUETYPE *q = CAST(const union VALUETYPE *,
++                          ((const void *)(s + offset + off)));
++                      switch (cvt_flip(m->in_type, flip)) {
++                      case FILE_BYTE:
++                              if (OFFSET_OOB(nbytes, offset + off, 1))
++                                      return 0;
++                              off = SEXT(sgn,8,q->b);
++                              break;
++                      case FILE_SHORT:
++                              if (OFFSET_OOB(nbytes, offset + off, 2))
++                                      return 0;
++                              off = SEXT(sgn,16,q->h);
++                              break;
++                      case FILE_BESHORT:
++                              if (OFFSET_OOB(nbytes, offset + off, 2))
++                                      return 0;
++                              off = SEXT(sgn,16,BE16(q));
++                              break;
++                      case FILE_LESHORT:
++                              if (OFFSET_OOB(nbytes, offset + off, 2))
++                                      return 0;
++                              off = SEXT(sgn,16,LE16(q));
++                              break;
++                      case FILE_LONG:
++                              if (OFFSET_OOB(nbytes, offset + off, 4))
++                                      return 0;
++                              off = SEXT(sgn,32,q->l);
++                              break;
++                      case FILE_BELONG:
++                      case FILE_BEID3:
++                              if (OFFSET_OOB(nbytes, offset + off, 4))
++                                      return 0;
++                              off = SEXT(sgn,32,BE32(q));
++                              break;
++                      case FILE_LEID3:
++                      case FILE_LELONG:
++                              if (OFFSET_OOB(nbytes, offset + off, 4))
++                                      return 0;
++                              off = SEXT(sgn,32,LE32(q));
++                              break;
++                      case FILE_MELONG:
++                              if (OFFSET_OOB(nbytes, offset + off, 4))
++                                      return 0;
++                              off = SEXT(sgn,32,ME32(q));
++                              break;
++                      case FILE_BEQUAD:
++                              if (OFFSET_OOB(nbytes, offset + off, 8))
++                                      return 0;
++                              off = SEXT(sgn,64,BE64(q));
++                              break;
++                      case FILE_LEQUAD:
++                              if (OFFSET_OOB(nbytes, offset + off, 8))
++                                      return 0;
++                              off = SEXT(sgn,64,LE64(q));
++                              break;
++                      default:
++                               abort();
+                       }
+                       if ((ms->flags & MAGIC_DEBUG) != 0)
+                               fprintf(stderr, "indirect offs=%jd\n", off);
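Review bot: The new `default: abort();` in the FILE_OPINDIRECT switch of mget terminates the whole process when `m->in_type` is not one of the listed types, whereas every other failure in this block uses `return 0;`. That is harsh for code linked into other programs. If the magic compiler guarantees that only these types reach this switch, a comment on the default case should say so; otherwise I would fail the same way as the bounds checks, `default: return 0;`. Separately, `q` is still formed from `s + offset + off` before any `OFFSET_OOB` test. It is dereferenced only after the per-type check, but computing the pointer after the check would avoid ever forming an out-of-range address. mget starts and ends outside this hunk.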


