unofficial mirror of guix-devel@gnu.org 
blob 8d58218184e237319370583c2fdd238c617abd0c 723 bytes (raw)
name: patches/sharutils-CVE-2018-1000097.patch 	 # note: path name is non-authoritative(*)

Fix CVE-2018-1000097:

https://security-tracker.debian.org/tracker/CVE-2018-1000097
https://nvd.nist.gov/vuln/detail/CVE-2018-1000097

Patch taken from upstream bug report:
https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html

diff --git a/src/unshar.c b/src/unshar.c
index 80bc3a9..0fc3773 100644
--- a/src/unshar.c
+++ b/src/unshar.c
@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
       off_t position = ftello (file);
 
       /* Read next line, fail if no more and no previous process.  */
-      if (!fgets (rw_buffer, BUFSIZ, file))
+      if (!fgets (rw_buffer, rw_base_size, file))
 	{
 	  if (!start)
 	    error (0, 0, _("Found no shell commands in %s"), name);
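
Review bot: The new bound on the `fgets (rw_buffer, rw_base_size, file)` line is only safe if rw_base_size is the allocated size of rw_buffer when find_archive runs, and neither the hunk nor the patch header shows that. Please add one sentence to the header saying what the defect is (the read limit BUFSIZ did not match the buffer's real size) and where rw_buffer is allocated, so the fix can be checked without opening the upstream thread. Two further things to confirm: fgets takes an int count, so if rw_base_size is a wider or unsigned type the conversion should be known to be in range; and any other read into rw_buffer in src/unshar.c that still passes BUFSIZ needs the same change, since this patch touches only this one call.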

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.