From 615b572ef6341859fe6be51d0809da4e783eb89e Mon Sep 17 00:00:00 2001 From: Leo Date: Mon, 28 Oct 2019 09:11:32 -0300 Subject: main/file: fix CVE-2019-18218 ref #10911 Closes !891 --- main/file/APKBUILD | 8 ++++++-- main/file/CVE-2019-18218.patch | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 main/file/CVE-2019-18218.patch diff --git a/main/file/APKBUILD b/main/file/APKBUILD index ad6680b832..cfa734f0fc 100644 --- a/main/file/APKBUILD +++ b/main/file/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=file pkgver=5.32 -pkgrel=1 +pkgrel=2 pkgdesc="File type identification utility" url="http://www.darwinsys.com/file/" arch="all" @@ -11,10 +11,13 @@ subpackages="$pkgname-dev $pkgname-doc libmagic" source="ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz CVE-2019-8906.patch CVE-2019-8905-and-CVE-2019-8907.patch + CVE-2019-18218.patch " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 5.32-r2: +# - CVE-2019-19218 # 5.32-r1: # - CVE-2019-8905 # - CVE-2019-8906 @@ -48,4 +51,5 @@ libmagic() { sha512sums="315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f file-5.32.tar.gz f54a16dbca2b5a490405e323924fb2657cc67f73648ad5203b41c13da1dc98e5ca64fc6c94415386538d3c2124f487fc3bf86082ce1571a24d05f5a5e213da08 CVE-2019-8906.patch -5b8058fd39d9f9d91c7d8377708068dc0161abdbbb7fdb3d1bd9358b297133e425252758b45cccec937a7c51226d4f6dd67f5a13ff935a4353a44f140f011a7e CVE-2019-8905-and-CVE-2019-8907.patch" +5b8058fd39d9f9d91c7d8377708068dc0161abdbbb7fdb3d1bd9358b297133e425252758b45cccec937a7c51226d4f6dd67f5a13ff935a4353a44f140f011a7e CVE-2019-8905-and-CVE-2019-8907.patch +d70c5d298db7f70c45feaeebb077f076e6f1b5bcccb85926afeead64838436fd42681541d56f4fbe35b97dd76bfdbf3abf2665894c18999b37d2ca3fe2f2cf17 CVE-2019-18218.patch" diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch new file mode 100644 index 0000000000..e7eba44922 --- /dev/null +++ b/main/file/CVE-2019-18218.patch @@ -0,0 +1,40 @@ +Source: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 + +diff --git a/src/cdf.c b/src/cdf.c +index 556a3ff..8bb0a6d 100644 +--- a/src/cdf.c ++++ b/src/cdf.c +@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554..0505666 100644 +--- a/src/cdf.h ++++ b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 ++#define CDF_ELEMENT_LIMIT 100000 + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 + -- cgit v1.2.3