Received: from vps892.directvps.nl (ikke.info [178.21.113.177]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id E1369781B12 for ; Tue, 29 Oct 2019 05:34:46 +0000 (UTC)
Received: by vps892.directvps.nl (Postfix, from userid 1008) id E0E214400DB; Tue, 29 Oct 2019 06:34:45 +0100 (CET)
Date: Tue, 29 Oct 2019 06:34:45 +0100
From: Kevin Daudt
To: Nathan Owens
Cc: alpine-aports@lists.alpinelinux.org
Subject: Re: [PATCH] main/file
Message-ID: <20191029053445.GF242707@alpha>
References: <20191022201140.1035-1-ndowens04@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20191022201140.1035-1-ndowens04@gmail.com>
User-Agent: Mutt/1.12.2 (2019-09-21)

On Tue, Oct 22, 2019 at 08:11:40PM +0000, Nathan Owens wrote:
> CVE:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218 > Patch:https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84?diff=unified > --- > main/file/APKBUILD | 10 ++++-- > main/file/CVE-2019-18218.patch | 59 ++++++++++++++++++++++++++++++++++ > 2 files changed, 67 insertions(+), 2 deletions(-) > create mode 100644 main/file/CVE-2019-18218.patch > > diff --git a/main/file/APKBUILD b/main/file/APKBUILD > index 433245e420..62d9e27554 100644 > --- a/main/file/APKBUILD > +++ b/main/file/APKBUILD > @@ -9,7 +9,8 @@ arch="all" > license="BSD-2-Clause" > makedepends="autoconf libtool automake" > subpackages="$pkgname-dev $pkgname-doc libmagic" > -source=$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz > +source="$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz > + CVE-2019-18218.patch" > builddir="$srcdir/$pkgname-FILE${pkgver/./_}" > > # secfixes: 
> @@ -20,6 +21,10 @@ builddir="$srcdir/$pkgname-FILE${pkgver/./_}" > # - CVE-2019-8906 > # - CVE-2019-8907 > > +prepare() { > + #secfix CVE-2019-18218 > + patch -p1 -i "$srcdir"/CVE-2019-18218.patch > +} > build() { > SH_LIBTOOL='/usr/share/build-1/libtool' autoreconf -f -i > ./configure \ > @@ -44,4 +49,5 @@ libmagic() { > mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr > } > > -sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2 file-5.37.tar.gz" > +sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2 file-5.37.tar.gz > +62f9b2fc8f3daeeaa82b5f1fada4ebf84c149ff127b96d610ab210a2b581c5a29385d3b9267fbacc4cadb22ddfafeb5550aab6a926eba099c36e041e11b4a0e5 CVE-2019-18218.patch" > diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch > new file mode 100644 > index 0000000000..f86e2709ea > --- /dev/null > +++ b/main/file/CVE-2019-18218.patch > @@ -0,0 +1,59 @@ > +From b15ccbf355faa2203cccd4e29fa6206b1a1aa1b8 Mon Sep 17 00:00:00 2001 > +From: Christos Zoulas > +Date: Mon, 26 Aug 2019 14:31:39 +0000 > +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
>
> [..]
>

Hey Nathan,

Someone already provided a correct patch for this, including backports.
It's easier to use those patches instead. I hope you don't mind.

Thanks for your effort!

Kevin
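
Review bot: pkgrel is never bumped. The APKBUILD hunks start at lines 9, 20 and 44, and the diffstat's 8 insertions and 2 deletions are fully accounted for by the source, prepare() and sha512sums changes, so the rebuilt package carries the same version-release as the unfixed file-5.37 build and cannot be told apart from it. Increment pkgrel in the same commit that adds CVE-2019-18218.patch to source.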
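
Review bot: In the prepare() added at @@ -20,6 +21,10, the fix is recorded only as an inline "#secfix CVE-2019-18218" comment, while the "# secfixes:" block directly above it (ending at CVE-2019-8907) gets no new entry. Add CVE-2019-18218 to that block under the release that ships the patch, and drop the inline comment. The explicit patch -p1 call should not be needed either, since abuild's default_prepare applies the .patch files listed in source. If prepare() is kept, have it call default_prepare and leave a blank line between its closing brace and build().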
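
Review bot: The header of the new main/file/CVE-2019-18218.patch reads "From b15ccbf355faa2203cccd4e29fa6206b1a1aa1b8", but the Patch: link in the commit message points at commit 46a8443f76cec4b41ec736eca396984c74664f84. Say in the commit message which upstream commit the file was generated from, and confirm that it applies to the file-5.37 tarball named in sha512sums. The body of the 59-line patch is elided in this quote ("[..]"), so its content cannot be checked from what is visible here.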