diff options
| author |   Thomas Deutschmann <whissi@gentoo.org> | 2018-06-12 10:17:44 +0200 |
|---|---|---|
| committer | Thomas Deutschmann <whissi@gentoo.org> | 2018-06-12 10:18:03 +0200 |
| commit | 331976f64a3ac2e70aa62d6631db0e148f19d0fe (patch) | |
| tree | 08bce83a1f1a6e337a54fa4d71956e4b68555f9b | |
| parent | net-print/cups: Use official upstream fixes. (diff) | |
| download | gentoo-331976f64a3ac2e70aa62d6631db0e148f19d0fe.tar.gz gentoo-331976f64a3ac2e70aa62d6631db0e148f19d0fe.tar.bz2 gentoo-331976f64a3ac2e70aa62d6631db0e148f19d0fe.zip | |
sys-apps/file: Avoid reading past the end of buffer (CVE-2018-10360)
Bug: https://bugs.gentoo.org/657930
Package-Manager: Portage-2.3.40, Repoman-2.3.9
| -rw-r--r-- | sys-apps/file/file-5.33-r2.ebuild | 127 | ||||
| -rw-r--r-- | sys-apps/file/files/file-5.33-CVE-2018-10360.patch | 18 |
2 files changed, 145 insertions, 0 deletions
diff --git a/sys-apps/file/file-5.33-r2.ebuild b/sys-apps/file/file-5.33-r2.ebuild new file mode 100644 index 000000000000..4537ffb58aa8 --- /dev/null +++ b/sys-apps/file/file-5.33-r2.ebuild @@ -0,0 +1,127 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy ) +DISTUTILS_OPTIONAL=1 + +inherit distutils-r1 libtool ltprune toolchain-funcs multilib-minimal + +if [[ ${PV} == "9999" ]] ; then + EGIT_REPO_URI="https://github.com/glensc/file.git" + inherit autotools git-r3 +else + SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +fi + +DESCRIPTION="identify a file's format by scanning binary data for patterns" +HOMEPAGE="https://www.darwinsys.com/file/" + +LICENSE="BSD-2" +SLOT="0" +IUSE="python static-libs zlib" +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +DEPEND=" + python? ( + ${PYTHON_DEPS} + dev-python/setuptools[${PYTHON_USEDEP}] + ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )" +RDEPEND="${DEPEND} + python? ( !dev-python/python-magic )" + +PATCHES=( "${FILESDIR}"/${P}-CVE-2018-10360.patch ) + +src_prepare() { + default + + [[ ${PV} == "9999" ]] && eautoreconf + elibtoolize + + # don't let python README kill main README #60043 + mv python/README{,.python} || die +} + +multilib_src_configure() { + local myeconfargs=( + --disable-libseccomp + --enable-fsect-man5 + $(use_enable static-libs static) + $(use_enable zlib) + ) + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" +} + +src_configure() { + # when cross-compiling, we need to build up our own file + # because people often don't keep matching host/target + # file versions #362941 + if tc-is-cross-compiler && ! ROOT=/ has_version ~${CATEGORY}/${P} ; then + mkdir -p "${WORKDIR}"/build || die + cd "${WORKDIR}"/build || die + tc-export_build_env BUILD_C{C,XX} + ECONF_SOURCE=${S} \ + ac_cv_header_zlib_h=no \ + ac_cv_lib_z_gzopen=no \ + CHOST=${CBUILD} \ + CFLAGS=${BUILD_CFLAGS} \ + CXXFLAGS=${BUILD_CXXFLAGS} \ + CPPFLAGS=${BUILD_CPPFLAGS} \ + LDFLAGS="${BUILD_LDFLAGS} -static" \ + CC=${BUILD_CC} \ + CXX=${BUILD_CXX} \ + econf --disable-shared --disable-libseccomp + fi + + multilib-minimal_src_configure +} + +multilib_src_compile() { + if multilib_is_native_abi ; then + emake + else + cd src || die + emake magic.h #586444 + emake libmagic.la + fi +} + +src_compile() { + if tc-is-cross-compiler && ! ROOT=/ has_version "~${CATEGORY}/${P}" ; then + emake -C "${WORKDIR}"/build/src magic.h #586444 + emake -C "${WORKDIR}"/build/src file + PATH="${WORKDIR}/build/src:${PATH}" + fi + multilib-minimal_src_compile + + if use python ; then + cd python || die + distutils-r1_src_compile + fi +} + +multilib_src_install() { + if multilib_is_native_abi ; then + default + else + emake -C src install-{nodist_includeHEADERS,libLTLIBRARIES} DESTDIR="${D}" + fi +} + +multilib_src_install_all() { + dodoc ChangeLog MAINT README + + # Required for `file -C` + dodir /usr/share/misc/magic + insinto /usr/share/misc/magic + doins -r magic/Magdir/* + + if use python ; then + cd python || die + distutils-r1_src_install + fi + prune_libtool_files +} diff --git a/sys-apps/file/files/file-5.33-CVE-2018-10360.patch b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch new file mode 100644 index 000000000000..a489846b10f8 --- /dev/null +++ b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch @@ -0,0 +1,18 @@ +Avoid reading past the end of buffer + +CVE-2018-10360 + +https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22 + +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, + + cname = (unsigned char *) + &nbuf[doff + prpsoffsets(i)]; +- for (cp = cname; *cp && isprint(*cp); cp++) ++ for (cp = cname; cp < nbuf + size && *cp ++ && isprint(*cp); cp++) + continue; + /* + * Linux apparently appends a space at the end |