pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/sysutils/file file: fix security issues, bump revision.
details: https://anonhg.NetBSD.org/pkgsrc/rev/e0bd260c20d4
branches: trunk
changeset: 393283:e0bd260c20d4
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Sat Mar 16 09:02:41 2019 +0000
description:
file: fix security issues, bump revision.
Fixes CVE-2019-8906, CVE-2019-8904 (not sure about CVE-2019-8905,
CVE-2019-8907).
Patch by Matthias Ferdinand via email to pkgsrc-users.
diffstat:
sysutils/file/Makefile | 4 +-
sysutils/file/distinfo | 8 +-
sysutils/file/patches/patch-src_file.h | 18 +++
sysutils/file/patches/patch-src_funcs.c | 26 +++++
sysutils/file/patches/patch-src_readelf.c | 36 ++++++-
sysutils/file/patches/patch-src_softmagic.c | 144 +++++++++++++++++++++++++++-
6 files changed, 229 insertions(+), 7 deletions(-)
diffs (299 lines):
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/Makefile
--- a/sysutils/file/Makefile Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/Makefile Sat Mar 16 09:02:41 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2018/06/30 09:27:02 bsiegert Exp $
+# $NetBSD: Makefile,v 1.43 2019/03/16 09:02:41 bsiegert Exp $
DISTNAME= file-5.32
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.astron.com/pub/file/
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/distinfo
--- a/sysutils/file/distinfo Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/distinfo Sat Mar 16 09:02:41 2019 +0000
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.31 2018/06/30 09:27:02 bsiegert Exp $
+$NetBSD: distinfo,v 1.32 2019/03/16 09:02:41 bsiegert Exp $
SHA1 (file-5.32.tar.gz) = c2858a8043387d1229d8768ad42762a803d017db
RMD160 (file-5.32.tar.gz) = b7d41a4c6b2c28d9f202d740e353416e2036c1ef
SHA512 (file-5.32.tar.gz) = 315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f
Size (file-5.32.tar.gz) = 797025 bytes
SHA1 (patch-aa) = dc787ea0d77d7ba88bcb1e17d38b26b13153a1c5
+SHA1 (patch-src_file.h) = e4bd52e3b5674300a1b87f198ed4418a65997833
SHA1 (patch-src_fsmagic.c) = ee770cf37dfdfbc5a7c123d2691312610b76e76e
-SHA1 (patch-src_readelf.c) = 2dca756d757509643f72937595c470378fb4f3d1
-SHA1 (patch-src_softmagic.c) = bd8871c9050ca521f02b62066d0023a5fbb2d168
+SHA1 (patch-src_funcs.c) = f86ed77c42d63290a602cb46625410cad8bb13b1
+SHA1 (patch-src_readelf.c) = 7f2f6c03050b6f49ef25d7991f368b8d3aab1e2b
+SHA1 (patch-src_softmagic.c) = 5a67d73bd4ecf7711f810ad4f4c0456248955c81
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_file.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/file/patches/patch-src_file.h Sat Mar 16 09:02:41 2019 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_file.h,v 1.3 2019/03/16 09:02:41 bsiegert Exp $
+
+fix PR/62: spinpx: limit size of file_printable. (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
+--- src/file.h.orig 2017-08-28 13:39:18.000000000 +0000
++++ src/file.h
+@@ -491,7 +491,7 @@ protected int file_looks_utf8(const unsi
+ size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+ size_t);
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_funcs.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/file/patches/patch-src_funcs.c Sat Mar 16 09:02:41 2019 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-src_funcs.c,v 1.1 2019/03/16 09:02:41 bsiegert Exp $
+
+fix PR/62: spinpx: limit size of file_printable. (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
+--- src/funcs.c.orig 2017-08-28 13:39:18.000000000 +0000
++++ src/funcs.c
+@@ -581,12 +581,13 @@ file_pop_buffer(struct magic_set *ms, fi
+ * convert string to ascii printable format.
+ */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+- char *ptr, *eptr;
++ char *ptr, *eptr = buf + bufsiz - 1;
+ const unsigned char *s = (const unsigned char *)str;
++ const unsigned char *es = s + slen;
+
+- for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++ for (ptr = buf; ptr < eptr && s < es && *s; s++) {
+ if (isprint(*s)) {
+ *ptr++ = *s;
+ continue;
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_readelf.c
--- a/sysutils/file/patches/patch-src_readelf.c Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/patches/patch-src_readelf.c Sat Mar 16 09:02:41 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-src_readelf.c,v 1.1 2018/06/30 09:27:03 bsiegert Exp $
+$NetBSD: patch-src_readelf.c,v 1.2 2019/03/16 09:02:41 bsiegert Exp $
apply https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
against https://nvd.nist.gov/vuln/detail/CVE-2018-10360
@@ -10,8 +10,32 @@
file.
...
+Avoid OOB read (found by ASAN reported by F. Alonso) (CVE-2019-8906)
+
+https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f
+
+fix PR/62: spinpx: limit size of file_printable. (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
--- src/readelf.c.orig 2017-08-27 07:55:02.000000000 +0000
+++ src/readelf.c
+@@ -720,12 +720,12 @@ do_core_note(struct magic_set *ms, unsig
+ char sbuf[512];
+ struct NetBSD_elfcore_procinfo pi;
+ memset(&pi, 0, sizeof(pi));
+- memcpy(&pi, nbuf + doff, descsz);
++ memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+ file_printable(sbuf, sizeof(sbuf),
+- CAST(char *, pi.cpi_name)),
++ RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+ elf_getu32(swap, pi.cpi_pid),
+ elf_getu32(swap, pi.cpi_euid),
+ elf_getu32(swap, pi.cpi_egid),
@@ -824,7 +824,8 @@ do_core_note(struct magic_set *ms, unsig
cname = (unsigned char *)
@@ -22,3 +46,13 @@
continue;
/*
* Linux apparently appends a space at the end
+@@ -1564,7 +1565,8 @@ dophn_exec(struct magic_set *ms, int cla
+ return -1;
+ if (interp[0])
+ if (file_printf(ms, ", interpreter %s",
+- file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
++ == -1)
+ return -1;
+ return 0;
+ }
diff -r 9f92d1dc86f4 -r e0bd260c20d4 sysutils/file/patches/patch-src_softmagic.c
--- a/sysutils/file/patches/patch-src_softmagic.c Sat Mar 16 08:50:47 2019 +0000
+++ b/sysutils/file/patches/patch-src_softmagic.c Sat Mar 16 09:02:41 2019 +0000
@@ -1,8 +1,13 @@
-$NetBSD: patch-src_softmagic.c,v 1.3 2017/12/12 03:11:51 ryoon Exp $
+$NetBSD: patch-src_softmagic.c,v 1.4 2019/03/16 09:02:41 bsiegert Exp $
Fix functionality under NetBSD-current after format check change
https://mail-index.netbsd.org/source-changes/2017/12/11/msg090400.html
+fix PR/62: spinpx: limit size of file_printable. (CVE-2019-8904)
+
+https://bugs.astron.com/view.php?id=62
+https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b
+
--- src/softmagic.c.orig 2017-07-21 10:29:00.000000000 +0000
+++ src/softmagic.c
@@ -121,6 +121,8 @@ private const char * __attribute__((__fo
@@ -14,3 +19,140 @@
const char *ptr = fmtcheck(m->desc, def);
if (ptr == def)
file_magerror(ms,
+@@ -546,8 +548,8 @@ mprint(struct magic_set *ms, struct magi
+ case FILE_LESTRING16:
+ if (m->reln == '=' || m->reln == '!') {
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), m->value.s))
+- == -1)
++ file_printable(sbuf, sizeof(sbuf), m->value.s,
++ sizeof(m->value.s))) == -1)
+ return -1;
+ t = ms->offset + m->vallen;
+ }
+@@ -574,7 +576,8 @@ mprint(struct magic_set *ms, struct magi
+ }
+
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), str)) == -1)
++ file_printable(sbuf, sizeof(sbuf), str,
++ sizeof(p->s) - (str - p->s))) == -1)
+ return -1;
+
+ if (m->type == FILE_PSTRING)
+@@ -680,7 +683,7 @@ mprint(struct magic_set *ms, struct magi
+ return -1;
+ }
+ rval = file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), cp));
++ file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+ free(cp);
+
+ if (rval == -1)
+@@ -707,7 +710,8 @@ mprint(struct magic_set *ms, struct magi
+ break;
+ case FILE_DER:
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++ file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++ sizeof(ms->ms_value.s))) == -1)
+ return -1;
+ t = ms->offset;
+ break;
+@@ -1383,38 +1387,64 @@ mget(struct magic_set *ms, const unsigne
+ if (m->flag & INDIR) {
+ intmax_t off = m->in_offset;
+ const int sgn = m->in_op & FILE_OPSIGNED;
+- if (m->in_op & FILE_OPINDIRECT) {
+- const union VALUETYPE *q = CAST(const union VALUETYPE *,
+- ((const void *)(s + offset + off)));
+- if (OFFSET_OOB(nbytes, offset + off, sizeof(*q)))
+- return 0;
+- switch (cvt_flip(m->in_type, flip)) {
+- case FILE_BYTE:
+- off = SEXT(sgn,8,q->b);
+- break;
+- case FILE_SHORT:
+- off = SEXT(sgn,16,q->h);
+- break;
+- case FILE_BESHORT:
+- off = SEXT(sgn,16,BE16(q));
+- break;
+- case FILE_LESHORT:
+- off = SEXT(sgn,16,LE16(q));
+- break;
+- case FILE_LONG:
+- off = SEXT(sgn,32,q->l);
+- break;
+- case FILE_BELONG:
+- case FILE_BEID3:
+- off = SEXT(sgn,32,BE32(q));
+- break;
+- case FILE_LEID3:
+- case FILE_LELONG:
+- off = SEXT(sgn,32,LE32(q));
+- break;
+- case FILE_MELONG:
+- off = SEXT(sgn,32,ME32(q));
+- break;
++ if (m->in_op & FILE_OPINDIRECT) {
++ const union VALUETYPE *q = CAST(const union VALUETYPE *,
++ ((const void *)(s + offset + off)));
++ switch (cvt_flip(m->in_type, flip)) {
++ case FILE_BYTE:
++ if (OFFSET_OOB(nbytes, offset + off, 1))
++ return 0;
++ off = SEXT(sgn,8,q->b);
++ break;
++ case FILE_SHORT:
++ if (OFFSET_OOB(nbytes, offset + off, 2))
++ return 0;
++ off = SEXT(sgn,16,q->h);
++ break;
++ case FILE_BESHORT:
++ if (OFFSET_OOB(nbytes, offset + off, 2))
++ return 0;
++ off = SEXT(sgn,16,BE16(q));
++ break;
++ case FILE_LESHORT:
++ if (OFFSET_OOB(nbytes, offset + off, 2))
++ return 0;
++ off = SEXT(sgn,16,LE16(q));
++ break;
++ case FILE_LONG:
++ if (OFFSET_OOB(nbytes, offset + off, 4))
++ return 0;
++ off = SEXT(sgn,32,q->l);
++ break;
++ case FILE_BELONG:
++ case FILE_BEID3:
++ if (OFFSET_OOB(nbytes, offset + off, 4))
++ return 0;
++ off = SEXT(sgn,32,BE32(q));
++ break;
++ case FILE_LEID3:
++ case FILE_LELONG:
++ if (OFFSET_OOB(nbytes, offset + off, 4))
++ return 0;
++ off = SEXT(sgn,32,LE32(q));
++ break;
++ case FILE_MELONG:
++ if (OFFSET_OOB(nbytes, offset + off, 4))
++ return 0;
++ off = SEXT(sgn,32,ME32(q));
++ break;
++ case FILE_BEQUAD:
++ if (OFFSET_OOB(nbytes, offset + off, 8))
++ return 0;
++ off = SEXT(sgn,64,BE64(q));
++ break;
++ case FILE_LEQUAD:
++ if (OFFSET_OOB(nbytes, offset + off, 8))
++ return 0;
++ off = SEXT(sgn,64,LE64(q));
++ break;
++ default:
++ abort();
+ }
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ fprintf(stderr, "indirect offs=%jd\n", off);
Home |
Main Index |
Thread Index |
Old Index