From e47c69f22638dc92ee962942b8e24284c8dee832 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 16 Dec 2018 14:44:31 +0200 Subject: gnu: file: Fix CVE-2018-10360. * gnu/packages/patches/file-CVE-2018-10360.patch: New file. * gnu/packages/file.scm (file)[replacement]: New field. (file/fixed): New variable. * gnu/packages/commencement.scm (file-boot0): Use 'package/inherit' to receive security fixes. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/commencement.scm | 3 +-- gnu/packages/file.scm | 9 +++++++++ gnu/packages/patches/file-CVE-2018-10360.patch | 27 ++++++++++++++++++++++++++ 4 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/file-CVE-2018-10360.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0a945e419c..925d955a66 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -691,6 +691,7 @@ dist_patch_DATA = \ %D%/packages/patches/fcgi-2.4.0-poll.patch \ %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch \ %D%/packages/patches/fifo-map-remove-catch.hpp.patch \ + %D%/packages/patches/file-CVE-2018-10360.patch \ %D%/packages/patches/findutils-gnulib-libio.patch \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/findutils-makedev.patch \ diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 0aa65fe638..bd48eb7f80 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -126,8 +126,7 @@ (define file-boot0 (package-with-bootstrap-guile - (package-with-explicit-inputs (package - (inherit file) + (package-with-explicit-inputs (package/inherit file (name "file-boot0")) `(("make" ,gnu-make-boot0) ,@%bootstrap-inputs) diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm index 78f0360c2e..4518c8d3dc 100644 --- a/gnu/packages/file.scm +++ b/gnu/packages/file.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2014, 2015 Mark H Weaver ;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2018 Tobias Geerinckx-Rice +;;; Copyright © 2018 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -30,6 +31,7 @@ (package (name "file") (version "5.33") + (replacement file/fixed) (source (origin (method url-fetch) (uri (string-append "ftp://ftp.astron.com/pub/file/file-" @@ -51,3 +53,10 @@ extensions to tell you the type of a file, but looks at the actual contents of the file. This package provides the libmagic library.") (license bsd-2) (home-page "https://www.darwinsys.com/file/"))) + +(define file/fixed + (package + (inherit file) + (source + (origin (inherit (package-source file)) + (patches (search-patches "file-CVE-2018-10360.patch")))))) diff --git a/gnu/packages/patches/file-CVE-2018-10360.patch b/gnu/packages/patches/file-CVE-2018-10360.patch new file mode 100644 index 0000000000..9285611c04 --- /dev/null +++ b/gnu/packages/patches/file-CVE-2018-10360.patch @@ -0,0 +1,27 @@ +https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.patch +The leading part of the patch starting at line 27 was trimmed off. +This patch should be OK to drop with file@5.35. + +From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Sat, 9 Jun 2018 16:00:06 +0000 +Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis) + +--- + src/readelf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index 79c83f9f5..1f41b4611 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, + + cname = (unsigned char *) + &nbuf[doff + prpsoffsets(i)]; +- for (cp = cname; *cp && isprint(*cp); cp++) ++ for (cp = cname; cp < nbuf + size && *cp ++ && isprint(*cp); cp++) + continue; + /* + * Linux apparently appends a space at the end -- cgit 1.4.1