Update to 5.37 with patch for CVE-2019-18218.

PR:		241424
Submitted by:	Nathan Owens <ndowens04@gmail.com>
Approved by:	jharris@widomaker.com (maintainer)
MFH:		2019Q4
Security:	381deebb-f5c9-11e9-9c4f-74d435e60b7c
Raphael Kubo da Costa 2019-11-02 12:23:40 +00:00
parent cd9940a35c
commit 1737a2bca6
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=516311
4 changed files with 85 additions and 4 deletions


@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= file
PORTVERSION= 5.36
PORTVERSION= 5.37
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.astron.com/pub/file/ \
ftp://ftp.fu-berlin.de/unix/tools/file/


@ -1,3 +1,3 @@
TIMESTAMP = 1550771584
SHA256 (file-5.36.tar.gz) = fb608290c0fd2405a8f63e5717abf6d03e22e183fb21884413d1edd918184379
SIZE (file-5.36.tar.gz) = 875792
TIMESTAMP = 1571780726
SHA256 (file-5.37.tar.gz) = e9c13967f7dd339a3c241b7710ba093560b9a33013491318e88e6b8b57bae07f
SIZE (file-5.37.tar.gz) = 887682


@ -0,0 +1,71 @@
--- src/cdf.c.orig 2019-10-22 21:52:28 UTC
+++ src/cdf.c
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")
#endif
#include <assert.h>
@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:
#define EFTYPE EINVAL
#endif
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX CAST(size_t, ~0ULL)
+#endif
+
#include "cdf.h"
#ifdef CDF_DEBUG
@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, siz
const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SEC_SIZE(h);
- size_t pos = CDF_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SEC_POS(h, id);
assert(ss == len);
return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
}
@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *b
size_t len, const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SHORT_SEC_SIZE(h);
- size_t pos = CDF_SHORT_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SHORT_SEC_POS(h, id);
assert(ss == len);
if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
@@ -1013,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const
goto out;
}
nelements = CDF_GETUINT32(q, 1);
- if (nelements == 0) {
- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == %"
+ SIZE_T_FORMAT "u\n", nelements));
goto out;
}
slen = 2;
@@ -1056,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const
goto out;
inp += nelem;
}
- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
- nelements));
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
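Review bot: In the cdf_read_short_sector hunk, the retained bounds test `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` can still wrap, because the new guard `SIZE_T_MAX / ss < CAST(size_t, id)` only bounds the product and still admits a `pos` within `len` of SIZE_T_MAX. This presumes CDF_SHORT_SEC_POS is the plain product of the id and the short-sector size (its definition is not shown here), and it matters mainly where size_t is 32 bits, since `id` is an int32_t. A subtraction form avoids the addition: `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos) {`. In cdf_read_sector the same guard still lets `CAST(off_t, pos)` receive a value above the off_t range, so comparing against the off_t maximum there would be tighter. cdf_read_short_sector's body continues outside the hunk.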


@ -0,0 +1,10 @@
--- src/cdf.h.orig 2019-10-22 21:52:35 UTC
+++ src/cdf.h
@@ -48,6 +48,7 @@
typedef int32_t cdf_secid_t;
#define CDF_LOOP_LIMIT 10000
+#define CDF_ELEMENT_LIMIT 100000
#define CDF_SECID_NULL 0
#define CDF_SECID_FREE -1
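Review bot: `CDF_ELEMENT_LIMIT` is added without a comment saying what it bounds or why 100000 was chosen, which makes the limit hard to audit later. Going by the cdf.c patch in this commit, it caps the `nelements` count read for a CDF_VECTOR property; a comment such as `/* max elements accepted in a CDF_VECTOR property */` above the define would record that. The neighbouring `CDF_LOOP_LIMIT` is equally undocumented, so the same treatment would fit there.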