Merge branch 'master' into f20

file-5.14-CVE-2014-2270.patch

@@ -0,0 +1,133 @@
+diff --git a/src/softmagic.c b/src/softmagic.c
+index d543f87..e84205d 100644
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -63,6 +63,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1196,7 +1197,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		}
+ 		switch (cvt_flip(m->in_type, flip)) {
+ 		case FILE_BYTE:
+-			if (nbytes < (offset + 1))
++			if (OFFSET_OOB(nbytes, offset, 1))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1231,7 +1232,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_BESHORT:
+-			if (nbytes < (offset + 2))
++			
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1283,7 +1285,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1335,7 +1337,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_SHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1372,7 +1374,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 			break;
+ 		case FILE_BELONG:
+ 		case FILE_BEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1443,7 +1445,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 			break;
+ 		case FILE_LELONG:
+ 		case FILE_LEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1513,7 +1515,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_MELONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1583,7 +1585,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1658,14 +1660,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 	/* Verify we have enough data to match magic type */
+ 	switch (m->type) {
+ 	case FILE_BYTE:
+-		if (nbytes < (offset + 1)) /* should alway be true */
++		if (OFFSET_OOB(nbytes, offset, 1))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_SHORT:
+ 	case FILE_BESHORT:
+ 	case FILE_LESHORT:
+-		if (nbytes < (offset + 2))
++		if (OFFSET_OOB(nbytes, offset, 2))
+ 			return 0;
+ 		break;
+ 
+@@ -1684,26 +1686,26 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 	case FILE_FLOAT:
+ 	case FILE_BEFLOAT:
+ 	case FILE_LEFLOAT:
+-		if (nbytes < (offset + 4))
++		if (OFFSET_OOB(nbytes, offset, 4))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_DOUBLE:
+ 	case FILE_BEDOUBLE:
+ 	case FILE_LEDOUBLE:
+-		if (nbytes < (offset + 8))
++		if (OFFSET_OOB(nbytes, offset, 8))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_STRING:
+ 	case FILE_PSTRING:
+ 	case FILE_SEARCH:
+-		if (nbytes < (offset + m->vallen))
++		if (OFFSET_OOB(nbytes, offset, m->vallen))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_REGEX:
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		break;
+ 

file.spec

@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -25,6 +25,7 @@ Patch11: file-5.14-no-magic.patch
 Patch12: file-5.14-journald.patch
 Patch13: file-5.14-magic_load.patch
 Patch14: file-5.14-CVE-2014-1943.patch
+Patch15: file-5.14-CVE-2014-2270.patch
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -100,6 +101,7 @@ file(1) command.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 touch -r doc/libmagic.man doc/libmagic.man_
@@ -196,6 +198,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Fri Mar 07 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-17
+- fix #1073555 - fix for CVE-2014-2270
+
 * Tue Feb 25 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-16
 - fix potential memory leak introduced in previous commit