~alpine/aports

main/file v1 SUPERSEDED

Nathan Owens: 1
 main/file

 2 files changed, 67 insertions(+), 2 deletions(-)

[PATCH] main/file Export this patch

CVE:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
Patch:https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84?diff=unified
---
 main/file/APKBUILD             | 10 ++++--
 main/file/CVE-2019-18218.patch | 59 ++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 main/file/CVE-2019-18218.patch

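diff --git a/main/file/APKBUILD b/main/file/APKBUILD
index 433245e420..62d9e27554 100644
--- a/main/file/APKBUILD
+++ b/main/file/APKBUILD
@@ -9,7 +9,8 @@ arch="all"
 license="BSD-2-Clause"
 makedepends="autoconf libtool automake"
 subpackages="$pkgname-dev $pkgname-doc libmagic"
-source=$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz
+source="$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz
+	CVE-2019-18218.patch"
 builddir="$srcdir/$pkgname-FILE${pkgver/./_}"
 
 # secfixes:
@@ -20,6 +21,10 @@ builddir="$srcdir/$pkgname-FILE${pkgver/./_}"
 #     - CVE-2019-8906
 #     - CVE-2019-8907
 
+prepare() {
+	#secfix CVE-2019-18218
+	patch -p1 -i "$srcdir"/CVE-2019-18218.patch
+}
 build() {
 	SH_LIBTOOL='/usr/share/build-1/libtool' autoreconf -f -i
 	./configure \
@@ -44,4 +49,5 @@ libmagic() {
 	mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr
 }
 
-sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2  file-5.37.tar.gz"
+sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2  file-5.37.tar.gz
+62f9b2fc8f3daeeaa82b5f1fada4ebf84c149ff127b96d610ab210a2b581c5a29385d3b9267fbacc4cadb22ddfafeb5550aab6a926eba099c36e041e11b4a0e5  CVE-2019-18218.patch"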
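Review bot: Nothing in this section bumps `pkgrel` or adds the CVE to the `# secfixes:` block. The diffstat's 8 insertions and 2 deletions are fully accounted for by the `source`, `prepare()` and `sha512sums` changes, so the rebuilt package would apparently keep its current version-release and installed systems would not be offered the fix as an upgrade. Bump `pkgrel` and add a `#     - CVE-2019-18218` line under a key for the new version-release in `# secfixes:`, so the fix is recorded against the release that carries it. The new `prepare()` also replaces abuild's default prepare step, which already applies the `*.patch` files listed in `source`; dropping the function, or reducing its body to `default_prepare`, avoids the hand-written `patch -p1 -i` call. As a minor style point, a blank line is missing between `prepare()`'s closing `}` and `build() {`.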
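diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch
new file mode 100644
index 0000000000..f86e2709ea
--- /dev/null
+++ b/main/file/CVE-2019-18218.patch
@@ -0,0 +1,59 @@
+From b15ccbf355faa2203cccd4e29fa6206b1a1aa1b8 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 26 Aug 2019 14:31:39 +0000
+Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
+
+---
+ src/cdf.c | 9 ++++-----
+ src/cdf.h | 1 +
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 556a3ff8..e4835fef 100644
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -35,7 +35,7 @@
+ #include "file.h"
+ 
+ #ifndef lint
+-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
++FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")
+ #endif
+ 
+ #include <assert.h>
+@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 				goto out;
+ 			}
+ 			nelements = CDF_GETUINT32(q, 1);
+-			if (nelements == 0) {
+-				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++				DPRINTF(("CDF_VECTOR with nelements == %"
++				    SIZE_T_FORMAT "u\n", nelements));
+ 				goto out;
+ 			}
+ 			slen = 2;
+@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 					goto out;
+ 				inp += nelem;
+ 			}
+-			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+-			    nelements));
+ 			for (j = 0; j < nelements && i < sh.sh_properties;
+ 			    j++, i++)
+ 			{
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554b..05056668 100644
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT					10000
++#define CDF_ELEMENT_LIMIT				100000
+ 
+ #define CDF_SECID_NULL					0
+ #define CDF_SECID_FREE					-1
+-- 
+2.23.0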
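Review bot: The embedded patch's `From b15ccbf355fa…` header does not match the upstream commit `46a8443f76ce…` named in the description's `Patch:` line, so the file's provenance cannot be confirmed from this page. It looks regenerated locally; taking the patch verbatim from the referenced commit, or recording that commit id in the patch header, would let a reviewer compare the two. The first `src/cdf.c` hunk only rewrites the `FILE_RCSID` string and is unrelated to the bounds check. It ties the patch to the exact RCS id in the packaged tarball, so it is best left out of a backport. In `src/cdf.h` the new `CDF_ELEMENT_LIMIT` has no comment explaining the bound; something like `/* upper bound on CDF_VECTOR element count read from the file */` would document why the guard `nelements > CDF_ELEMENT_LIMIT || nelements == 0` exists. The body of `cdf_read_property_info` starts and ends outside both hunks.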

-- 
2.23.0
Hello Nathan,

Thanks for your contribution.

There are a couple of issues with this patch, see inline feedback.

Kind regards, Kevin

On Tue, Oct 22, 2019 at 08:11:40PM +0000, Nathan Owens wrote:
> CVE:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
> Patch:https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84?diff=unified
> ---
> main/file/APKBUILD             | 10 ++++--
> main/file/CVE-2019-18218.patch | 59 ++++++++++++++++++++++++++++++++++
> 2 files changed, 67 insertions(+), 2 deletions(-)
> create mode 100644 main/file/CVE-2019-18218.patch
> 
> diff --git a/main/file/APKBUILD b/main/file/APKBUILD
> index 433245e420..62d9e27554 100644
> --- a/main/file/APKBUILD
> +++ b/main/file/APKBUILD
> @@ -9,7 +9,8 @@ arch="all"
> license="BSD-2-Clause"
> makedepends="autoconf libtool automake"
> subpackages="$pkgname-dev $pkgname-doc libmagic"
> -source=$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz
> +source="$pkgname-$pkgver.tar.gz::https://github.com/file/file/archive/FILE${pkgver/./_}.tar.gz
> +	CVE-2019-18218.patch"
> builddir="$srcdir/$pkgname-FILE${pkgver/./_}"
> 
> # secfixes:
> @@ -20,6 +21,10 @@ builddir="$srcdir/$pkgname-FILE${pkgver/./_}"
> #     - CVE-2019-8906
> #     - CVE-2019-8907
> 
> +prepare() {
> +	#secfix CVE-2019-18218
> +	patch -p1 -i "$srcdir"/CVE-2019-18218.patch
> +}
> build() {
> SH_LIBTOOL='/usr/share/build-1/libtool' autoreconf -f -i
> ./configure \
> @@ -44,4 +49,5 @@ libmagic() {
> mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr
> }
> 
> -sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2  file-5.37.tar.gz"
> +sha512sums="9b6ae3dd910a03d2161c91ebc75ac91eb7dbd279563462b77daf902d9ae9f0a70de12c37a498b20c6357d6594059d01841bfd104592107b65c08d8343fca19d2  file-5.37.tar.gz
> +62f9b2fc8f3daeeaa82b5f1fada4ebf84c149ff127b96d610ab210a2b581c5a29385d3b9267fbacc4cadb22ddfafeb5550aab6a926eba099c36e041e11b4a0e5  CVE-2019-18218.patch"
> diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch
> new file mode 100644
> index 0000000000..f86e2709ea
> --- /dev/null
> +++ b/main/file/CVE-2019-18218.patch
> @@ -0,0 +1,59 @@
> +From b15ccbf355faa2203cccd4e29fa6206b1a1aa1b8 Mon Sep 17 00:00:00 2001
> +From: Christos Zoulas <christos@zoulas.com>
> +Date: Mon, 26 Aug 2019 14:31:39 +0000
> +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
> 
> [..]
Hey Nathan,

Someone already provided a correct patch for this, including backports.
It's easier to use those patches instead. I hope you don't mind.

Thanks for your effort!

Kevin