From 9d4498863cc61721a87c2be4132902fab0e067f8 Mon Sep 17 00:00:00 2001 From: Jan Kaluza Date: Fri, 7 Mar 2014 09:36:29 +0100 Subject: [PATCH 1/2] fix #1073555 - fix for CVE-2014-2270 --- file.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/file.spec b/file.spec index 879a734..498b178 100644 --- a/file.spec +++ b/file.spec @@ -4,7 +4,7 @@ Summary: A utility for determining file types Name: file Version: 5.14 -Release: 16%{?dist} +Release: 17%{?dist} License: BSD Group: Applications/File Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz @@ -25,6 +25,7 @@ Patch11: file-5.14-no-magic.patch Patch12: file-5.14-journald.patch Patch13: file-5.14-magic_load.patch Patch14: file-5.14-CVE-2014-1943.patch +Patch15: file-5.14-CVE-2014-2270.patch URL: http://www.darwinsys.com/file/ Requires: file-libs = %{version}-%{release} BuildRequires: zlib-devel @@ -100,6 +101,7 @@ file(1) command. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_ touch -r doc/libmagic.man doc/libmagic.man_ @@ -196,6 +198,9 @@ cd %{py3dir} %endif %changelog +* Fri Mar 07 2014 Jan Kaluza - 5.14-17 +- fix #1073555 - fix for CVE-2014-2270 + * Tue Feb 25 2014 Jan Kaluza - 5.14-16 - fix potential memory leak introduced in previous commit From 672626791518a9bb28579bd6561e6b3135def57a Mon Sep 17 00:00:00 2001 From: Jan Kaluza Date: Fri, 7 Mar 2014 09:47:09 +0100 Subject: [PATCH 2/2] fix #1073555 - fix for CVE-2014-2270 --- file-5.14-CVE-2014-2270.patch | 133 ++++++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 file-5.14-CVE-2014-2270.patch diff --git a/file-5.14-CVE-2014-2270.patch b/file-5.14-CVE-2014-2270.patch new file mode 100644 index 0000000..69505eb --- /dev/null +++ b/file-5.14-CVE-2014-2270.patch 
@@ -0,0 +1,133 @@
+diff --git a/src/softmagic.c b/src/softmagic.c
+index d543f87..e84205d 100644
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -63,6 +63,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+
++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1196,7 +1197,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ }
+ switch (cvt_flip(m->in_type, flip)) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1))
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1231,7 +1232,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_BESHORT:
+- if (nbytes < (offset + 2))
++
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1283,7 +1285,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1335,7 +1337,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_SHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1372,7 +1374,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+ case FILE_BELONG:
+ case FILE_BEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1443,7 +1445,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ break;
+ case FILE_LELONG:
+ case FILE_LEID3:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1513,7 +1515,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_MELONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1583,7 +1585,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ offset = ~offset;
+ break;
+ case FILE_LONG:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ if (off) {
+ switch (m->in_op & FILE_OPS_MASK) {
+@@ -1658,14 +1660,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ /* Verify we have enough data to match magic type */
+ switch (m->type) {
+ case FILE_BYTE:
+- if (nbytes < (offset + 1)) /* should alway be true */
++ if (OFFSET_OOB(nbytes, offset, 1))
+ return 0;
+ break;
+
+ case FILE_SHORT:
+ case FILE_BESHORT:
+ case FILE_LESHORT:
+- if (nbytes < (offset + 2))
++ if (OFFSET_OOB(nbytes, offset, 2))
+ return 0;
+ break;
+
+@@ -1684,26 +1686,26 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ case FILE_FLOAT:
+ case FILE_BEFLOAT:
+ case FILE_LEFLOAT:
+- if (nbytes < (offset + 4))
++ if (OFFSET_OOB(nbytes, offset, 4))
+ return 0;
+ break;
+
+ case FILE_DOUBLE:
+ case FILE_BEDOUBLE:
+ case FILE_LEDOUBLE:
+- if (nbytes < (offset + 8))
++ if (OFFSET_OOB(nbytes, offset, 8))
+ return 0;
+ break;
+
+ case FILE_STRING:
+ case FILE_PSTRING:
+ case FILE_SEARCH:
+- if (nbytes < (offset + m->vallen))
++ if (OFFSET_OOB(nbytes, offset, m->vallen))
+ return 0;
+ break;
+
+ case FILE_REGEX:
+- if (nbytes < offset)
++ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
+ break;
+
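Review bot: The new `OFFSET_OOB` macro carries the whole security fix but has no comment saying why the bounds test is written as a subtraction; presumably the old `nbytes < (offset + N)` form could wrap for a very large `offset` and let an out-of-range read pass the check. I would add above the define something like `/* true if i bytes starting at o do not fit in n; avoids computing o + i, which can wrap */`. The macro evaluates `n` and `o` twice and is only correct when both are unsigned, which these hunks do not show for `nbytes` and `offset`, so a `static` inline helper taking `size_t` arguments would be the safer form. The hunks cut through `mget`, so the cases between the last two hunks and after `FILE_REGEX` are not visible here; it is worth grepping the patched file for any remaining `nbytes < (offset +` checks. The blank line added before the `FILE_BESHORT` check looks accidental and can be dropped.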