Add temporary patch CVE-2019-18218-46a8443f.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=195
2019-10-22 13:26:36 +00:00 · 2019-10-22 13:26:36 +00:00 · b3c0fb0be8
commit b3c0fb0be8
parent 2b6ead8ec5
3 changed files with 51 additions and 0 deletions
--- a/CVE-2019-18218-46a8443f.patch
+++ b/CVE-2019-18218-46a8443f.patch
@ -0,0 +1,43 @@
+From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 26 Aug 2019 14:31:39 +0000
+Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
+
+---
+ src/cdf.c |    7 +++----
+ src/cdf.h |    1 +
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- src/cdf.c
+++ src/cdf.c	2019-10-22 13:05:01.410441092 +0000
+@@ -968,8 +968,9 @@ cdf_read_property_info(const cdf_stream_
+ 				goto out;
+ 			}
+ 			nelements = CDF_GETUINT32(q, 1);
+-			if (nelements == 0) {
+-				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == %"
+				    SIZE_T_FORMAT "u\n", nelements));
+ 				goto out;
+ 			}
+ 			slen = 2;
+@@ -1011,8 +1012,6 @@ cdf_read_property_info(const cdf_stream_
+ 					goto out;
+ 				inp += nelem;
+ 			}
+-			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+-			    nelements));
+ 			for (j = 0; j < nelements && i < sh.sh_properties;
+ 			    j++, i++)
+ 			{
+--- src/cdf.h
+++ src/cdf.h	2019-10-22 13:05:01.422440872 +0000
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT					10000
+#define CDF_ELEMENT_LIMIT				100000
+ 
+ #define CDF_SECID_NULL					0
+ #define CDF_SECID_FREE					-1
--- a/file.changes
+++ b/file.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 22 13:24:26 UTC 2019 - Dr. Werner Fink <werner@suse.de>
+
+- Add temporary patch CVE-2019-18218-46a8443f.patch from upstream
+  to fix bsc#1154661 -- heap-based buffer overflow in cdf_read_property_info in cdf.c
+
 -------------------------------------------------------------------
 Mon Oct 14 13:40:13 UTC 2019 - Dr. Werner Fink <werner@suse.de>

--- a/file.spec
+++ b/file.spec
@ -65,6 +65,7 @@ Patch36:        file-5.15-clear-invalid.patch
 Patch37:        file-secure_getenv.patch
 Patch39:        file-5.28-btrfs-image.dif
 Patch42:        file-upstream.patch
+Patch43:        CVE-2019-18218-46a8443f.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %global         _sysconfdir /etc
 %global         _miscdir    %{_datadir}/misc
@ -134,6 +135,7 @@ to develop applications that require the magic "file" interface.
 %patch37 -p1 -b .getenv
 %patch39 -p1 -b .btrfs
 %patch42 -p0 -b .tmp
+%patch43 -p0 -b .CVE-2019-18218
 %patch -b .0
 test -s src/magic.h.in || cp -p src/magic.h src/magic.h.in
 rm -fv src/magic.h