Fix stack-based buffer over-read in file_copystr()

Resolves: RHEL-5733
2023-11-23 13:16:02 +01:00 · 2023-11-23 13:16:02 +01:00 · ff838f9ddc
commit ff838f9ddc
parent 2440c8e0e5
2 changed files with 26 additions and 1 deletions
--- a/file-5.42-cve-strlcpy.patch
+++ b/file-5.42-cve-strlcpy.patch
@ -0,0 +1,20 @@
+diff --git a/src/funcs.c b/src/funcs.c
+index 9bd054f..a5363e7 100644
+--- a/src/funcs.c
+++ b/src/funcs.c
+@@ -54,9 +54,12 @@ FILE_RCSID("@(#)$File: funcs.c,v 1.118 2020/12/08 21:26:00 christos Exp $")
+ protected char *
+ file_copystr(char *buf, size_t blen, size_t width, const char *str)
+ {
+-	if (++width > blen)
+-		width = blen;
+-	strlcpy(buf, str, width);
+	if (blen == 0)
+		return buf;
+	if (width >= blen)
+		width = blen - 1;
+	memcpy(buf, str, width);
+	buf[width] = '\0';
+ 	return buf;
+ }
+ 
--- a/file.spec
+++ b/file.spec
@ -15,7 +15,7 @@
 Summary: Utility for determining file types
 Name: file
 Version: 5.39
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: BSD
 Source0: http://ftp.astron.com/pub/file/file-%{version}.tar.gz

@ -60,6 +60,8 @@ Patch15: file-5.39-static-PIE-binaries.patch
 Patch16: file-5.39-wasm-magic.patch
 # Upstream commit c8deb32eab1089d1841482fb2e91833f114b6712 (#5734)
 Patch17: file-5.41-python-magic-threads.patch
+# Upstream commit 497aabb29cd08d2a5aeb63e45798d65fcbe03502 (#5733)
+Patch18: file-5.42-cve-strlcpy.patch

 URL: https://www.darwinsys.com/file/
 Requires: file-libs%{?_isa} = %{version}-%{release}
@ -239,6 +241,9 @@ cd %{py3dir}
 %endif

 %changelog
+* Thu Nov 23 2023 Vincent Mihalkovic <vmihalko@redhat.com> - 5.39-16
+- Fix stack-based buffer over-read in file_copystr() (CVE-2022-48554)
+
 * Thu Oct 12 2023 Vincent Mihalkovic <vmihalko@redhat.com> - 5.39-15
 - Fix segfault in python3-file-magic concurrent method calls