From 5bcc027a228bc8cde55ba73f7b256877bf302381 Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Tue, 18 Feb 2014 09:32:40 +0100
Subject: [PATCH 1/4] fix #1065837 - fix for CVE-2014-1943

---
 file-5.14-CVE-2014-1943.patch | 88 +++++++++++++++++++++++++++++++++++
 file.spec                     |  7 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 file-5.14-CVE-2014-1943.patch

diff --git a/file-5.14-CVE-2014-1943.patch b/file-5.14-CVE-2014-1943.patch
new file mode 100644
index 0000000..9e0cc06
--- /dev/null
+++ b/file-5.14-CVE-2014-1943.patch
@@ -0,0 +1,88 @@
+diff --git a/src/ascmagic.c b/src/ascmagic.c
+index 9f1456a..6dda702 100644
+--- a/src/ascmagic.c
++++ b/src/ascmagic.c
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
+ 		    == NULL)
+ 			goto done;
+ 		if ((rv = file_softmagic(ms, utf8_buf,
+-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ 			rv = -1;
+ 	}
+ 
+diff --git a/src/file.h b/src/file.h
+index 2b64399..d1bd332 100644
+--- a/src/file.h
++++ b/src/file.h
+@@ -438,7 +438,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int, int);
++    size_t, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+diff --git a/src/funcs.c b/src/funcs.c
+index 4641c8b..e902c15 100644
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ 		    looks_text)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+diff --git a/src/softmagic.c b/src/softmagic.c
+index 108d419..ee4b831 100644
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -41,6 +41,7 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.165 2013/03/07 02:22:24 christos Exp $")
+ #include <stdlib.h>
+ #include <time.h>
+ 
++#define OFFSET_OOB(n, o, i)  ((n) < (o) || (i) >= ((n) - (o)))
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
+     const unsigned char *, size_t, size_t, int, int, int, int, int *, int *,
+@@ -69,7 +70,7 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+-    int mode, int text)
++    size_t level, int mode, int text)
+ {
+ 	struct mlist *ml;
+ 	int rv, printed_something = 0, need_separator = 0;
+@@ -79,7 +80,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+ 
+ 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+-		    text, 0, 0, &printed_something, &need_separator,
++		    text, 0, level, &printed_something, &need_separator,
+ 		    NULL)) != 0)
+ 			return rv;
+ 
+@@ -1707,14 +1708,16 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		break;
+ 
+ 	case FILE_INDIRECT:
+-		if (nbytes < offset)
++		if (offset == 0)
++			return 0;
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		sbuf = ms->o.buf;
+ 		soffset = ms->offset;
+ 		ms->o.buf = NULL;
+ 		ms->offset = 0;
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST, text);
++		    recursion_level, BINTEST, text);
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+ 		rbuf = ms->o.buf;
diff --git a/file.spec b/file.spec
index 8054985..53e62ca 100644
--- a/file.spec
+++ b/file.spec
@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -24,6 +24,7 @@ Patch10: file-5.14-bad-fsmagic-space.patch
 Patch11: file-5.14-no-magic.patch
 Patch12: file-5.14-journald.patch
 Patch13: file-5.14-magic_load.patch
+Patch14: file-5.14-CVE-2014-1943.patch
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -98,6 +99,7 @@ file(1) command.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 touch -r doc/libmagic.man doc/libmagic.man_
@@ -194,6 +196,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Tue Feb 18 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-15
+- fix #1065837 - fix for CVE-2014-1943
+
 * Wed Jan 15 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-14
 - fix #1051598 - reverse the order of shebang vs. package keyword detection
   in Perl by increasing strength of all Perl patterns

From 1a255d2dd99095984e12f53ed05229e8ca0e04bf Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Mon, 24 Mar 2014 09:16:34 +0100
Subject: [PATCH 2/4] fix #1079847 - fix for CVE-2013-7345

---
 file-5.14-CVE-2013-7345.patch | 26 ++++++++++++++++++++++++++
 file.spec                     |  7 ++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 file-5.14-CVE-2013-7345.patch

diff --git a/file-5.14-CVE-2013-7345.patch b/file-5.14-CVE-2013-7345.patch
new file mode 100644
index 0000000..5a0374d
--- /dev/null
+++ b/file-5.14-CVE-2013-7345.patch
@@ -0,0 +1,26 @@
+From ef2329cf71acb59204dd981e2c6cce6c81fe467c Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 25 Mar 2013 14:06:55 +0000
+Subject: [PATCH] limit to 100 repetitions to avoid excessive backtracking
+ Carsten Wolff
+
+---
+ magic/Magdir/commands | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magic/Magdir/commands b/magic/Magdir/commands
+index 67c3eee..4a7d8dd 100644
+--- a/magic/Magdir/commands
++++ b/magic/Magdir/commands
+@@ -49,7 +49,7 @@
+ !:mime	text/x-awk
+ 0	string/wt	#!\ /usr/bin/awk	awk script text executable
+ !:mime	text/x-awk
+-0	regex		=^\\s*BEGIN\\s*[{]	awk script text
++0	regex		=^\\s{0,100}BEGIN\\s{0,100}[{]	awk script text
+ 
+ # AT&T Bell Labs' Plan 9 shell
+ 0	string/wt	#!\ /bin/rc	Plan 9 rc shell script text executable
+-- 
+1.8.5.5
+
diff --git a/file.spec b/file.spec
index 498b178..96fa380 100644
--- a/file.spec
+++ b/file.spec
@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -26,6 +26,7 @@ Patch12: file-5.14-journald.patch
 Patch13: file-5.14-magic_load.patch
 Patch14: file-5.14-CVE-2014-1943.patch
 Patch15: file-5.14-CVE-2014-2270.patch
+Patch16: file-5.14-CVE-2013-7345.patch
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -102,6 +103,7 @@ file(1) command.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 touch -r doc/libmagic.man doc/libmagic.man_
@@ -198,6 +200,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Mon Mar 24 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-18
+- fix #1079847 - fix for CVE-2013-7345
+
 * Fri Mar 07 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-17
 - fix #1073555 - fix for CVE-2014-2270
 

From 7eb85bd79d5ac662dfff381949b1c504c26ca24a Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Mon, 24 Mar 2014 09:31:09 +0100
Subject: [PATCH 3/4] fix redefinition of OFFSET_OOB in CVE-2014-2270 patch

---
 file-5.14-CVE-2014-1943.patch | 2 +-
 file-5.14-CVE-2014-2270.patch | 8 --------
 file.spec                     | 5 ++++-
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/file-5.14-CVE-2014-1943.patch b/file-5.14-CVE-2014-1943.patch
index 5885118..7dcf22a 100644
--- a/file-5.14-CVE-2014-1943.patch
+++ b/file-5.14-CVE-2014-1943.patch
@@ -45,7 +45,7 @@ index 108d419..d543f87 100644
  #include <stdlib.h>
  #include <time.h>
  
-+#define OFFSET_OOB(n, o, i)  ((n) < (o) || (i) >= ((n) - (o)))
++#define OFFSET_OOB(n, o, i)  ((n) < (o) || (i) > ((n) - (o)))
  
  private int match(struct magic_set *, struct magic *, uint32_t,
      const unsigned char *, size_t, size_t, int, int, int, int, int *, int *,
diff --git a/file-5.14-CVE-2014-2270.patch b/file-5.14-CVE-2014-2270.patch
index 69505eb..858390d 100644
--- a/file-5.14-CVE-2014-2270.patch
+++ b/file-5.14-CVE-2014-2270.patch
@@ -2,14 +2,6 @@ diff --git a/src/softmagic.c b/src/softmagic.c
 index d543f87..e84205d 100644
 --- a/src/softmagic.c
 +++ b/src/softmagic.c
-@@ -63,6 +63,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
- private void cvt_32(union VALUETYPE *, const struct magic *);
- private void cvt_64(union VALUETYPE *, const struct magic *);
- 
-+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
- /*
-  * softmagic - lookup one file in parsed, in-memory copy of database
-  * Passed the name and FILE * of one file to be typed.
 @@ -1196,7 +1197,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
  		}
  		switch (cvt_flip(m->in_type, flip)) {
diff --git a/file.spec b/file.spec
index 96fa380..87a1f72 100644
--- a/file.spec
+++ b/file.spec
@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -200,6 +200,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Mon Mar 24 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-19
+- fix redefinition of OFFSET_OOB in CVE-2014-2270 patch
+
 * Mon Mar 24 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-18
 - fix #1079847 - fix for CVE-2013-7345
 

From 0ab13b223af0bcbc78379bcfd572c8d2fb7a04e9 Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Tue, 25 Mar 2014 09:26:09 +0100
Subject: [PATCH 4/4] fix #1079847 - fix potential regression in Perl detection
 caused

  by original patch for CVE-2013-7345
---
 file-5.14-CVE-2013-7345.patch | 3 ++-
 file.spec                     | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/file-5.14-CVE-2013-7345.patch b/file-5.14-CVE-2013-7345.patch
index 5a0374d..0bb1287 100644
--- a/file-5.14-CVE-2013-7345.patch
+++ b/file-5.14-CVE-2013-7345.patch
@@ -12,12 +12,13 @@ diff --git a/magic/Magdir/commands b/magic/Magdir/commands
 index 67c3eee..4a7d8dd 100644
 --- a/magic/Magdir/commands
 +++ b/magic/Magdir/commands
-@@ -49,7 +49,7 @@
+@@ -49,7 +49,8 @@
  !:mime	text/x-awk
  0	string/wt	#!\ /usr/bin/awk	awk script text executable
  !:mime	text/x-awk
 -0	regex		=^\\s*BEGIN\\s*[{]	awk script text
 +0	regex		=^\\s{0,100}BEGIN\\s{0,100}[{]	awk script text
++!:strength - 12
  
  # AT&T Bell Labs' Plan 9 shell
  0	string/wt	#!\ /bin/rc	Plan 9 rc shell script text executable
diff --git a/file.spec b/file.spec
index 87a1f72..4340347 100644
--- a/file.spec
+++ b/file.spec
@@ -4,7 +4,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.14
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -200,6 +200,10 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Tue Mar 25 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-20
+- fix #1079847 - fix potential regression in Perl detection caused
+  by original patch for CVE-2013-7345
+
 * Mon Mar 24 2014 Jan Kaluza <jkaluza@redhat.com> - 5.14-19
 - fix redefinition of OFFSET_OOB in CVE-2014-2270 patch