gnu: file: Fix CVE-2018-10360.

* gnu/packages/patches/file-CVE-2018-10360.patch: New file.
* gnu/packages/file.scm (file)[replacement]: New field.
(file/fixed): New variable.
* gnu/packages/commencement.scm (file-boot0): Use 'package/inherit' to
receive security fixes.
* gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
Efraim Flashner 2018-12-16 14:44:31 +02:00
parent 0865d8a8f6
commit e47c69f226
No known key found for this signature in database
GPG Key ID: 41AAE7DCCA3D8351
4 changed files with 38 additions and 2 deletions

View File

@ -691,6 +691,7 @@ dist_patch_DATA = \
%D%/packages/patches/fcgi-2.4.0-poll.patch \
%D%/packages/patches/fifo-map-fix-flags-for-gcc.patch \
%D%/packages/patches/fifo-map-remove-catch.hpp.patch \
%D%/packages/patches/file-CVE-2018-10360.patch \
%D%/packages/patches/findutils-gnulib-libio.patch \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-makedev.patch \

View File

@ -126,8 +126,7 @@
(define file-boot0
(package-with-bootstrap-guile
(package-with-explicit-inputs (package
(inherit file)
(package-with-explicit-inputs (package/inherit file
(name "file-boot0"))
`(("make" ,gnu-make-boot0)
,@%bootstrap-inputs)

View File

@ -3,6 +3,7 @@
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@ -30,6 +31,7 @@
(package
(name "file")
(version "5.33")
(replacement file/fixed)
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.astron.com/pub/file/file-"
@ -51,3 +53,10 @@ extensions to tell you the type of a file, but looks at the actual contents
of the file. This package provides the libmagic library.")
(license bsd-2)
(home-page "https://www.darwinsys.com/file/")))
(define file/fixed
(package
(inherit file)
(source
(origin (inherit (package-source file))
(patches (search-patches "file-CVE-2018-10360.patch"))))))

View File

@ -0,0 +1,27 @@
https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.patch
The leading part of the patch starting at line 27 was trimmed off.
This patch should be OK to drop with file@5.35.
From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Sat, 9 Jun 2018 16:00:06 +0000
Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis)
---
src/readelf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/readelf.c b/src/readelf.c
index 79c83f9f5..1f41b4611 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
cname = (unsigned char *)
&nbuf[doff + prpsoffsets(i)];
- for (cp = cname; *cp && isprint(*cp); cp++)
+ for (cp = cname; cp < nbuf + size && *cp
+ && isprint(*cp); cp++)
continue;
/*
* Linux apparently appends a space at the end