From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:46267) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gYVp4-0005Cq-Dp for guix-patches@gnu.org; Sun, 16 Dec 2018 07:47:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gYVp0-0000Is-Ce for guix-patches@gnu.org; Sun, 16 Dec 2018 07:47:06 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:45691) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1gYVp0-0000Id-6j for guix-patches@gnu.org; Sun, 16 Dec 2018 07:47:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1gYVp0-0001jH-4s for guix-patches@gnu.org; Sun, 16 Dec 2018 07:47:02 -0500 Subject: [bug#33767] file-CVE-2018-10360 Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:45971) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gYVnz-00056q-9D for guix-patches@gnu.org; Sun, 16 Dec 2018 07:46:00 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gYVnv-0007ug-65 for guix-patches@gnu.org; Sun, 16 Dec 2018 07:45:59 -0500 Received: from flashner.co.il ([178.62.234.194]:35108) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gYVnu-0007uA-QY for guix-patches@gnu.org; Sun, 16 Dec 2018 07:45:55 -0500 Received: from localhost (unknown [141.226.9.73]) by flashner.co.il (Postfix) with ESMTPSA id E27634009C for ; Sun, 16 Dec 2018 12:45:53 +0000 (UTC) Date: Sun, 16 Dec 2018 14:45:52 +0200 From: Efraim Flashner Message-ID: <20181216124552.GF3468@macbook41> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JbKQpFqZXJ2T76Sg" Content-Disposition: inline List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 33767@debbugs.gnu.org --JbKQpFqZXJ2T76Sg Content-Type: multipart/mixed; boundary="JSkcQAAxhB1h8DcT" Content-Disposition: inline --JSkcQAAxhB1h8DcT Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I think I've done the patch correctly but I wanted feedback before pushing it. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --JSkcQAAxhB1h8DcT Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-file-Fix-CVE-2018-10360.patch" Content-Transfer-Encoding: quoted-printable =46rom 9045ab3a3be8dbcee8773649c129c73506c386ce Mon Sep 17 00:00:00 2001 =46rom: Efraim Flashner Date: Sun, 16 Dec 2018 14:44:31 +0200 Subject: [PATCH] gnu: file: Fix CVE-2018-10360. * gnu/packages/patches/file-CVE-2018-10360.patch: New file. * gnu/packages/file.scm (file)[replacement]: New field. (file/fixed): New variable. * gnu/packages/commencement.scm (file-boot0): Use 'package/inherit' to receive security fixes. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/commencement.scm | 3 +-- gnu/packages/file.scm | 9 +++++++ .../patches/file-CVE-2018-10360.patch | 27 +++++++++++++++++++ 4 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/file-CVE-2018-10360.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0f34ec9a3..3ddebef2b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -693,6 +693,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/fcgi-2.4.0-poll.patch \ %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch \ %D%/packages/patches/fifo-map-remove-catch.hpp.patch \ + %D%/packages/patches/file-CVE-2018-10360.patch \ %D%/packages/patches/findutils-gnulib-libio.patch \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/findutils-makedev.patch \ diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 0aa65fe63..bd48eb7f8 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -126,8 +126,7 @@ =20 (define file-boot0 (package-with-bootstrap-guile - (package-with-explicit-inputs (package - (inherit file) + (package-with-explicit-inputs (package/inherit file (name "file-boot0")) `(("make" ,gnu-make-boot0) ,@%bootstrap-inputs) diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm index 78f0360c2..4518c8d3d 100644 --- a/gnu/packages/file.scm +++ b/gnu/packages/file.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2014, 2015 Mark H Weaver ;;; Copyright =C2=A9 2016, 2017 Efraim Flashner ;;; Copyright =C2=A9 2018 Tobias Geerinckx-Rice +;;; Copyright =C2=A9 2018 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -30,6 +31,7 @@ (package (name "file") (version "5.33") + (replacement file/fixed) (source (origin (method url-fetch) (uri (string-append "ftp://ftp.astron.com/pub/file/file-" @@ -51,3 +53,10 @@ extensions to tell you the type of a file, but looks at = the actual contents of the file. This package provides the libmagic library.") (license bsd-2) (home-page "https://www.darwinsys.com/file/"))) + +(define file/fixed + (package + (inherit file) + (source + (origin (inherit (package-source file)) + (patches (search-patches "file-CVE-2018-10360.patch")))))) diff --git a/gnu/packages/patches/file-CVE-2018-10360.patch b/gnu/packages/= patches/file-CVE-2018-10360.patch new file mode 100644 index 000000000..9285611c0 --- /dev/null +++ b/gnu/packages/patches/file-CVE-2018-10360.patch @@ -0,0 +1,27 @@ +https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c= 22.patch +The leading part of the patch starting at line 27 was trimmed off. +This patch should be OK to drop with file@5.35. + +From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Sat, 9 Jun 2018 16:00:06 +0000 +Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis) + +--- + src/readelf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index 79c83f9f5..1f41b4611 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf= , uint32_t type, +=20 + cname =3D (unsigned char *) + &nbuf[doff + prpsoffsets(i)]; +- for (cp =3D cname; *cp && isprint(*cp); cp++) ++ for (cp =3D cname; cp < nbuf + size && *cp ++ && isprint(*cp); cp++) + continue; + /* + * Linux apparently appends a space at the end --=20 2.20.0 --JSkcQAAxhB1h8DcT-- --JbKQpFqZXJ2T76Sg Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAlwWSP0ACgkQQarn3Mo9 g1EIlA//YplcAppozm6dfQcrdCNyu6LL/uaTv+/r9czujvScLT45lmDUh/Qx9Zd+ 2a/z/k6K+eOIYqAEBBNAB/o7Rl6uva+q1uei0dXpeCZXqWG3hftR56zIIEdQI4nU tDvJIDYz6Wowz4vMxNU3bYgnTYHX2D3iNUa5dgSbjAahTKD8QJP0tkgdxqpmxc17 weu1SbFetyGrD+DWZ40rJzA2AgPDtDzgT7MzuxIc+0TNAH4N0UquOr4zzug0BCHI YWZU5SnrLf0eVdlRT/hgpK8rGYGm/0rE7PT5r/Y5FMpbuGlbl5ZvYvQbJR80D6EC f+tRzyx3JElHX6+poL3UmN/SIw6G7AQ2LGYnkWTAhP8fblubaWCPylObqRQqoJZU hCwWIkwH7JKTWDm70rteKgJPNpqfGNQQw2iMcT71PT8koIyIZ61Bgj1gSYwHK9Cc FvzxdfWwxjdP7rewU9zvAXnOzS56SckV1O0LoQnMSKJ0ug6eJvtGBxp1hZ9xPXaj mISCv5o3+foY6hrqudNsfbVYMDcpxFfGGDrYKRUdfvAbk7YwC7F8g08YJt+u1GUn 0oTYY1L7fu1ObZx2KOWYi90h+L24c7VSwuuXYQRXzAeyPKNN6pfrIoT0OQ3Fie+C mS8aPPApe8UXFXsCRSJuIZV5ewye70tbQwDnfvIh4XUL+IdD6c8= =tPK5 -----END PGP SIGNATURE----- --JbKQpFqZXJ2T76Sg--