commit: 331976f64a3ac2e70aa62d6631db0e148f19d0fe |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Tue Jun 12 08:17:44 2018 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Tue Jun 12 08:18:03 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=331976f6 |
|
sys-apps/file: Avoid reading past the end of buffer (CVE-2018-10360) |
|
Bug: https://bugs.gentoo.org/657930 |
Package-Manager: Portage-2.3.40, Repoman-2.3.9 |
|
sys-apps/file/file-5.33-r2.ebuild | 127 +++++++++++++++++++++ |
sys-apps/file/files/file-5.33-CVE-2018-10360.patch | 18 +++ |
2 files changed, 145 insertions(+) |
|
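diff --git a/sys-apps/file/file-5.33-r2.ebuild b/sys-apps/file/file-5.33-r2.ebuild
new file mode 100644
index 00000000000..4537ffb58aa
--- /dev/null
+++ b/sys-apps/file/file-5.33-r2.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy )
+DISTUTILS_OPTIONAL=1
+
+inherit distutils-r1 libtool ltprune toolchain-funcs multilib-minimal
+
+if [[ ${PV} == "9999" ]] ; then
+ EGIT_REPO_URI="https://github.com/glensc/file.git"
+ inherit autotools git-r3
+else
+ SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+fi
+
+DESCRIPTION="identify a file's format by scanning binary data for patterns"
+HOMEPAGE="https://www.darwinsys.com/file/"
+
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="python static-libs zlib"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+DEPEND="
+ python? (
+ ${PYTHON_DEPS}
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+RDEPEND="${DEPEND}
+ python? ( !dev-python/python-magic )"
+
+PATCHES=( "${FILESDIR}"/${P}-CVE-2018-10360.patch )
+
+src_prepare() {
+ default
+
+ [[ ${PV} == "9999" ]] && eautoreconf
+ elibtoolize
+
+ # don't let python README kill main README #60043
+ mv python/README{,.python} || die
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ --disable-libseccomp
+ --enable-fsect-man5
+ $(use_enable static-libs static)
+ $(use_enable zlib)
+ )
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+src_configure() {
+ # when cross-compiling, we need to build up our own file
+ # because people often don't keep matching host/target
+ # file versions #362941
+ if tc-is-cross-compiler && ! ROOT=/ has_version ~${CATEGORY}/${P} ; then
+ mkdir -p "${WORKDIR}"/build || die
+ cd "${WORKDIR}"/build || die
+ tc-export_build_env BUILD_C{C,XX}
+ ECONF_SOURCE=${S} \
+ ac_cv_header_zlib_h=no \
+ ac_cv_lib_z_gzopen=no \
+ CHOST=${CBUILD} \
+ CFLAGS=${BUILD_CFLAGS} \
+ CXXFLAGS=${BUILD_CXXFLAGS} \
+ CPPFLAGS=${BUILD_CPPFLAGS} \
+ LDFLAGS="${BUILD_LDFLAGS} -static" \
+ CC=${BUILD_CC} \
+ CXX=${BUILD_CXX} \
+ econf --disable-shared --disable-libseccomp
+ fi
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi ; then
+ emake
+ else
+ cd src || die
+ emake magic.h #586444
+ emake libmagic.la
+ fi
+}
+
+src_compile() {
+ if tc-is-cross-compiler && ! ROOT=/ has_version "~${CATEGORY}/${P}" ; then
+ emake -C "${WORKDIR}"/build/src magic.h #586444
+ emake -C "${WORKDIR}"/build/src file
+ PATH="${WORKDIR}/build/src:${PATH}"
+ fi
+ multilib-minimal_src_compile
+
+ if use python ; then
+ cd python || die
+ distutils-r1_src_compile
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi ; then
+ default
+ else
+ emake -C src install-{nodist_includeHEADERS,libLTLIBRARIES} DESTDIR="${D}"
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc ChangeLog MAINT README
+
+ # Required for `file -C`
+ dodir /usr/share/misc/magic
+ insinto /usr/share/misc/magic
+ doins -r magic/Magdir/*
+
+ if use python ; then
+ cd python || die
+ distutils-r1_src_install
+ fi
+ prune_libtool_files
+}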
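Review bot: `--disable-libseccomp` in `multilib_src_configure` (and again on the cross-compile `econf` line in `src_configure`) has no comment, so a reader cannot tell why the sandbox is turned off in a revision whose whole purpose is a memory-safety fix in the ELF parser. With that option off, a parsing bug of this kind is not contained by the seccomp sandbox at run time, so the reason should be recorded next to the flag, for example `# seccomp sandbox disabled: <reason / bug reference>`. Separately, `SRC_URI` fetches the tarball over `ftp://`, which leaves integrity resting entirely on the Manifest checksums; an `https://` location would be preferable if upstream provides one, which cannot be confirmed from this page.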
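diff --git a/sys-apps/file/files/file-5.33-CVE-2018-10360.patch b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch
new file mode 100644
index 00000000000..a489846b10f
--- /dev/null
+++ b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch
@@ -0,0 +1,18 @@
+Avoid reading past the end of buffer
+
+CVE-2018-10360
+
+https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+
+ cname = (unsigned char *)
+ &nbuf[doff + prpsoffsets(i)];
+- for (cp = cname; *cp && isprint(*cp); cp++)
++ for (cp = cname; cp < nbuf + size && *cp
++ && isprint(*cp); cp++)
+ continue;
+ /*
+ * Linux apparently appends a space at the end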
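Review bot: The added `cp < nbuf + size` guard bounds where the scan stops but not where it starts: `cname` is taken from `&nbuf[doff + prpsoffsets(i)]` just above, and nothing visible in the hunk shows that this offset is below `size`. If no earlier check in `do_core_note` guarantees it, the loop exits at once with `cp == cname` already outside the buffer, and the code after the loop continues from that pointer. An explicit test before the assignment, `if (doff + prpsoffsets(i) >= size)` followed by skipping this offset, would make the invariant local to the code that relies on it. The function begins and ends outside the hunk, so this has to be checked against the full `readelf.c` rather than the patch alone.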