From 50db698b583ce532047638ba6730276f58113e9ab01df080f637734d06f0763c Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Mon, 17 Mar 2014 13:31:09 +0000 Subject: [PATCH 1/3] . OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=91 --- ...ut-of-bounds-calculations-Jan-Kaluza.patch | 25 +++++++++++++++++++ file.spec | 3 +++ 2 files changed, 28 insertions(+) create mode 100644 0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch diff --git a/0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch b/0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch new file mode 100644 index 0000000..a1c3724 --- /dev/null +++ b/0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch @@ -0,0 +1,25 @@ +From 70c65d2e1841491f59168db1f905e8b14083fb1c Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Tue, 4 Mar 2014 17:42:19 +0000 +Subject: [PATCH] off by one in out of bounds calculations (Jan Kaluza) + +--- + src/softmagic.c | 4 +- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git src/softmagic.c src/softmagic.c +index 170de95..5ed3998 100644 +--- src/softmagic.c ++++ src/softmagic.c +@@ -72,7 +72,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *); + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + +-#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o))) ++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. +-- +1.7.9.2 + diff --git a/file.spec b/file.spec index 34ab06f..be59d6e 100644 --- a/file.spec +++ b/file.spec @@ -61,6 +61,8 @@ Patch33: file-5.16-ocloexec.patch Patch34: file-5.12-endian.patch Patch35: file-5.12-nitpick.dif Patch36: file-5.15-clear-invalid.patch +# PATCH-FIX-USTREAM last patch for bnc#866750 - CVE-2014-2270: file: crash when parsing some PE executables +Patch37: 0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir /etc %global _miscdir %{_datadir}/misc @@ -126,6 +128,7 @@ to develop applications that require the magic "file" interface. %patch34 -p0 -b .endian %patch35 -p0 -b .nitpick %patch36 -p1 -b .clear +%patch37 -p0 -b .CVE-2014-2270 %patch -b .0 test -s src/magic.h.in || cp -p src/magic.h src/magic.h.in From 74b00b155c82b98100452cf70f404d38defc30aa308eb521a9564f9ec8bea293 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Mon, 17 Mar 2014 13:34:26 +0000 Subject: [PATCH 2/3] . OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=92 --- python-magic.changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python-magic.changes b/python-magic.changes index cc89306..5bf438f 100644 --- a/python-magic.changes +++ b/python-magic.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Feb 28 11:17:12 CET 2014 - ro@suse.de + +- adapt version in specfile to 5.17 + ------------------------------------------------------------------- Sun Feb 23 20:34:25 UTC 2014 - andreas.stieger@gmx.de From 305c67f90c91af2028a1c3146c85bc4fb0875f7bfd48aa37a7a87a1190a977aa Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Mon, 17 Mar 2014 14:05:11 +0000 Subject: [PATCH 3/3] . OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=93 --- file.changes | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/file.changes b/file.changes index bf3a701..8e2518a 100644 --- a/file.changes +++ b/file.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Mar 17 14:04:24 UTC 2014 - werner@suse.de + +- Add patch + 0001-off-by-one-in-out-of-bounds-calculations-Jan-Kaluza.patch + to finally fix bnc#866750 + ------------------------------------------------------------------- Tue Feb 18 10:21:11 UTC 2014 - werner@suse.de