fix #1079847 - fix for CVE-2013-7345

file-5.14-CVE-2013-7345.patch

@@ -0,0 +1,26 @@
+From ef2329cf71acb59204dd981e2c6cce6c81fe467c Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 25 Mar 2013 14:06:55 +0000
+Subject: [PATCH] limit to 100 repetitions to avoid excessive backtracking
+ Carsten Wolff
+
+---
+ magic/Magdir/commands | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magic/Magdir/commands b/magic/Magdir/commands
+index 67c3eee..4a7d8dd 100644
+--- a/magic/Magdir/commands
++++ b/magic/Magdir/commands
+@@ -49,7 +49,7 @@
+ !:mime	text/x-awk
+ 0	string/wt	#!\ /usr/bin/awk	awk script text executable
+ !:mime	text/x-awk
+-0	regex		=^\\s*BEGIN\\s*[{]	awk script text
++0	regex		=^\\s{0,100}BEGIN\\s{0,100}[{]	awk script text
+ 
+ # AT&T Bell Labs' Plan 9 shell
+ 0	string/wt	#!\ /bin/rc	Plan 9 rc shell script text executable
+-- 
+1.8.5.5
+

file.spec

@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -26,6 +26,7 @@ Patch12: file-5.14-journald.patch
 Patch13: file-5.14-magic_load.patch
 Patch14: file-5.14-CVE-2014-1943.patch
 Patch15: file-5.14-CVE-2014-2270.patch
+Patch16: file-5.14-CVE-2013-7345.patch
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -102,6 +103,7 @@ file(1) command.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 touch -r doc/libmagic.man doc/libmagic.man_
@@ -198,6 +200,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Mon Mar 24 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-18
+- fix #1079847 - fix for CVE-2013-7345
+
 * Fri Mar 07 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-17
 - fix #1073555 - fix for CVE-2014-2270