file: Multiple Secruity fixes

Source: https://github.com/file MR: 97573, 97578, 97583, 97588 Type: Security Fix Disposition: Backport from https://github.com/file/file ChangeID: 159e532d518623f19ba777c8edc24d2dc7e3a4e9 Description: CVE-2019-8905 is the same fix as CVE-2019-8907 Affects < 5.36.0 Fixes: CVE-2019-8904 CVE-2019-8906 CVE-2019-8906 CVE-2019-8907 (From OE-Core rev: 3d7375eb2e459b891b4ba16c1fc486afbfecef2c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-05-31 11:06:08 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: 4faf6e9e07b366b7a4dbc28ae3873a75212ebc31 (patch)
tree: 92749dfb902ba42595410191f9a68c4787bf60d4
parent: 015bfc5971120e3483572cb4eaf0cb7c15b64349 (diff)
download: poky-4faf6e9e07b366b7a4dbc28ae3873a75212ebc31.tar.gz
4 files changed, 180 insertions, 0 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8904.patch b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
new file mode 100644
index 0000000000..5c3d6f73a4
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
@@ -0,0 +1,30 @@
+From 94b7501f48e134e77716e7ebefc73d6bbe72ba55 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:30:41 +0000
+Subject: [PATCH] PR/62: spinpx: Avoid non-nul-terminated string read.
+Upstream-Status: Backport
+CVE: CVE-2019-8904
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/readelf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
+++ git/src/readelf.c
+@@ -558,8 +558,8 @@ do_bid_note(struct magic_set *ms, unsign
+        }
+        if (namesz == 4 && strcmp((char *)&nbuf[noff], "Go") == 0 &&
+            type == NT_GO_BUILD_ID && descsz < 128) {
+-               if (file_printf(ms, ", Go BuildID=%s",
+-                   (char *)&nbuf[doff]) == -1)
+               if (file_printf(ms, ", Go BuildID=%.*s",
+                   CAST(int, descsz), CAST(char *, &nbuf[doff])) == -1)
+                        return 1;
+                return 1;
+        }
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
new file mode 100644
index 0000000000..a55b94c61a
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
@@ -0,0 +1,120 @@
+From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:46:56 +0000
+Subject: [PATCH] PR/62: spinpx: limit size of file_printable.
+Upstream-Status: Backport
+CVE: CVE-2019-8905
+CVE: CVE-2019-8907
+affects < 5.36
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/file.h      |  4 ++--
+ src/funcs.c     |  9 +++++----
+ src/readelf.c   |  7 ++++---
+ src/softmagic.c | 14 ++++++++------
+ 4 files changed, 19 insertions(+), 15 deletions(-)
+Index: git/src/file.h
+===================================================================
+--- git.orig/src/file.h
+++ git/src/file.h
+@@ -501,7 +501,7 @@ protected int file_looks_utf8(const unsi
+     size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
+protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+     size_t);
+Index: git/src/funcs.c
+===================================================================
+--- git.orig/src/funcs.c
+++ git/src/funcs.c
+@@ -595,12 +595,13 @@ file_pop_buffer(struct magic_set *ms, fi
+  * convert string to ascii printable format.
+  */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
+file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+-       char *ptr, *eptr;
+       char *ptr, *eptr = buf + bufsiz - 1;
+        const unsigned char *s = (const unsigned char *)str;
+       const unsigned char *es = s + slen;
+ 
+-       for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
+       for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
+                if (isprint(*s)) {
+                        *ptr++ = *s;
+                        continue;
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
+++ git/src/readelf.c
+@@ -750,7 +750,7 @@ do_core_note(struct magic_set *ms, unsig
+                        if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+                            "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+                            file_printable(sbuf, sizeof(sbuf),
+-                           CAST(char *, pi.cpi_name)),
+                           CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+                            elf_getu32(swap, (uint32_t)pi.cpi_pid),
+                            elf_getu32(swap, pi.cpi_euid),
+                            elf_getu32(swap, pi.cpi_egid),
+@@ -1655,7 +1655,8 @@ dophn_exec(struct magic_set *ms, int cla
+                return -1;
+        if (interp[0])
+                if (file_printf(ms, ", interpreter %s",
+-                   file_printable(ibuf, sizeof(ibuf), interp)) == -1)
+                   file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
+                       == -1)
+                        return -1;
+        return 0;
+ }
+Index: git/src/softmagic.c
+===================================================================
+--- git.orig/src/softmagic.c
+++ git/src/softmagic.c
+@@ -616,8 +616,8 @@ mprint(struct magic_set *ms, struct magi
+        case FILE_LESTRING16:
+                if (m->reln == '=' || m->reln == '!') {
+                        if (file_printf(ms, F(ms, desc, "%s"), 
+-                           file_printable(sbuf, sizeof(sbuf), m->value.s))
+-                           == -1)
+                           file_printable(sbuf, sizeof(sbuf), m->value.s,
+                           sizeof(m->value.s))) == -1)
+                                return -1;
+                        t = ms->offset + m->vallen;
+                }
+@@ -644,7 +644,8 @@ mprint(struct magic_set *ms, struct magi
+                        }
+ 
+                        if (file_printf(ms, F(ms, desc, "%s"),
+-                           file_printable(sbuf, sizeof(sbuf), str)) == -1)
+                           file_printable(sbuf, sizeof(sbuf), str,
+                               sizeof(p->s) - (str - p->s))) == -1)
+                                return -1;
+ 
+                        if (m->type == FILE_PSTRING)
+@@ -750,7 +751,7 @@ mprint(struct magic_set *ms, struct magi
+                        return -1;
+                }
+                rval = file_printf(ms, F(ms, desc, "%s"),
+-                   file_printable(sbuf, sizeof(sbuf), cp));
+                   file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+                free(cp);
+ 
+                if (rval == -1)
+@@ -777,7 +778,8 @@ mprint(struct magic_set *ms, struct magi
+                break;
+        case FILE_DER:
+                if (file_printf(ms, F(ms, desc, "%s"), 
+-                   file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
+                   file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
+                        sizeof(ms->ms_value.s))) == -1)
+                        return -1;
+                t = ms->offset;
+                break;
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8906.patch b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
new file mode 100644
index 0000000000..1079ac6675
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
@@ -0,0 +1,27 @@
+From 2858eaf99f6cc5aae129bcbf1e24ad160240185f Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Wed, 2 Jan 2019 19:44:14 +0000
+Subject: [PATCH] Avoid OOB read (found by ASAN reported by F. Alonso)
+Upstream-Status: Backport
+CVE: CVE-2019-8906
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
+++ git/src/readelf.c
+@@ -745,7 +745,7 @@ do_core_note(struct magic_set *ms, unsig
+                        char sbuf[512];
+                        struct NetBSD_elfcore_procinfo pi;
+                        memset(&pi, 0, sizeof(pi));
+-                       memcpy(&pi, nbuf + doff, descsz);
+                       memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+ 
+                        if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+                            "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
diff --git a/meta/recipes-devtools/file/file_5.34.bb b/meta/recipes-devtools/file/file_5.34.bb
index 5d92913cb0..cb19642ff1 100644
--- a/meta/recipes-devtools/file/file_5.34.bb
+++ b/meta/recipes-devtools/file/file_5.34.bb
@@ -16,6 +16,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
 SRC_URI = "git://github.com/file/file.git \
        file://debian-742262.patch \
+        file://CVE-2019-8906.patch \
+        file://CVE-2019-8904.patch \
+        file://CVE-2019-8905_CVE-2019-8907.patch \
        "
 SRCREV = "315cef2f699da3c31a54bd3c6c6070680fbaf1f5"
author	Armin Kuster <akuster@mvista.com>	2019-05-31 11:06:08 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	4faf6e9e07b366b7a4dbc28ae3873a75212ebc31 (patch)
tree	92749dfb902ba42595410191f9a68c4787bf60d4
parent	015bfc5971120e3483572cb4eaf0cb7c15b64349 (diff)
download	poky-4faf6e9e07b366b7a4dbc28ae3873a75212ebc31.tar.gz

diff --git a/meta/recipes-devtools/file/file/CVE-2019-8904.patch b/meta/recipes-devtools/file/file/CVE-2019-8904.patch new file mode 100644 index 0000000000..5c3d6f73a4 --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
@@ -0,0 +1,30 @@
		1	From 94b7501f48e134e77716e7ebefc73d6bbe72ba55 Mon Sep 17 00:00:00 2001
		2	From: Christos Zoulas <christos@zoulas.com>
		3	Date: Mon, 18 Feb 2019 17:30:41 +0000
		4	Subject: [PATCH] PR/62: spinpx: Avoid non-nul-terminated string read.
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2019-8904
		8	Affects < 5.36
		9	[Fixup for thud context]
		10	Signed-off-by: Armin Kuster <akuster@mvista.com>
		11
		12	---
		13	src/readelf.c \| 6 +++---
		14	1 file changed, 3 insertions(+), 3 deletions(-)
		15
		16	Index: git/src/readelf.c
		17	===================================================================
		18	--- git.orig/src/readelf.c
		19	+++ git/src/readelf.c
		20	@@ -558,8 +558,8 @@ do_bid_note(struct magic_set *ms, unsign
		21	}
		22	if (namesz == 4 && strcmp((char *)&nbuf[noff], "Go") == 0 &&
		23	type == NT_GO_BUILD_ID && descsz < 128) {
		24	- if (file_printf(ms, ", Go BuildID=%s",
		25	- (char *)&nbuf[doff]) == -1)
		26	+ if (file_printf(ms, ", Go BuildID=%.*s",
		27	+ CAST(int, descsz), CAST(char *, &nbuf[doff])) == -1)
		28	return 1;
		29	return 1;
		30	}


diff --git a/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch new file mode 100644 index 0000000000..a55b94c61a --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
@@ -0,0 +1,120 @@
		1	From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
		2	From: Christos Zoulas <christos@zoulas.com>
		3	Date: Mon, 18 Feb 2019 17:46:56 +0000
		4	Subject: [PATCH] PR/62: spinpx: limit size of file_printable.
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2019-8905
		8	CVE: CVE-2019-8907
		9	affects < 5.36
		10
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	---
		14	src/file.h \| 4 ++--
		15	src/funcs.c \| 9 +++++----
		16	src/readelf.c \| 7 ++++---
		17	src/softmagic.c \| 14 ++++++++------
		18	4 files changed, 19 insertions(+), 15 deletions(-)
		19
		20	Index: git/src/file.h
		21	===================================================================
		22	--- git.orig/src/file.h
		23	+++ git/src/file.h
		24	@@ -501,7 +501,7 @@ protected int file_looks_utf8(const unsi
		25	size_t *);
		26	protected size_t file_pstring_length_size(const struct magic *);
		27	protected size_t file_pstring_get_length(const struct magic , const char );
		28	-protected char * file_printable(char , size_t, const char );
		29	+protected char * file_printable(char , size_t, const char , size_t);
		30	#ifdef __EMX__
		31	protected int file_os2_apptype(struct magic_set , const char , const void *,
		32	size_t);
		33	Index: git/src/funcs.c
		34	===================================================================
		35	--- git.orig/src/funcs.c
		36	+++ git/src/funcs.c
		37	@@ -595,12 +595,13 @@ file_pop_buffer(struct magic_set *ms, fi
		38	* convert string to ascii printable format.
		39	*/
		40	protected char *
		41	-file_printable(char buf, size_t bufsiz, const char str)
		42	+file_printable(char buf, size_t bufsiz, const char str, size_t slen)
		43	{
		44	- char ptr, eptr;
		45	+ char ptr, eptr = buf + bufsiz - 1;
		46	const unsigned char s = (const unsigned char )str;
		47	+ const unsigned char *es = s + slen;
		48
		49	- for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
		50	+ for (ptr = buf; ptr < eptr && s < es && *s; s++) {
		51	if (isprint(*s)) {
		52	ptr++ = s;
		53	continue;
		54	Index: git/src/readelf.c
		55	===================================================================
		56	--- git.orig/src/readelf.c
		57	+++ git/src/readelf.c
		58	@@ -750,7 +750,7 @@ do_core_note(struct magic_set *ms, unsig
		59	if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
		60	"gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
		61	file_printable(sbuf, sizeof(sbuf),
		62	- CAST(char *, pi.cpi_name)),
		63	+ CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
		64	elf_getu32(swap, (uint32_t)pi.cpi_pid),
		65	elf_getu32(swap, pi.cpi_euid),
		66	elf_getu32(swap, pi.cpi_egid),
		67	@@ -1655,7 +1655,8 @@ dophn_exec(struct magic_set *ms, int cla
		68	return -1;
		69	if (interp[0])
		70	if (file_printf(ms, ", interpreter %s",
		71	- file_printable(ibuf, sizeof(ibuf), interp)) == -1)
		72	+ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
		73	+ == -1)
		74	return -1;
		75	return 0;
		76	}
		77	Index: git/src/softmagic.c
		78	===================================================================
		79	--- git.orig/src/softmagic.c
		80	+++ git/src/softmagic.c
		81	@@ -616,8 +616,8 @@ mprint(struct magic_set *ms, struct magi
		82	case FILE_LESTRING16:
		83	if (m->reln == '=' \|\| m->reln == '!') {
		84	if (file_printf(ms, F(ms, desc, "%s"),
		85	- file_printable(sbuf, sizeof(sbuf), m->value.s))
		86	- == -1)
		87	+ file_printable(sbuf, sizeof(sbuf), m->value.s,
		88	+ sizeof(m->value.s))) == -1)
		89	return -1;
		90	t = ms->offset + m->vallen;
		91	}
		92	@@ -644,7 +644,8 @@ mprint(struct magic_set *ms, struct magi
		93	}
		94
		95	if (file_printf(ms, F(ms, desc, "%s"),
		96	- file_printable(sbuf, sizeof(sbuf), str)) == -1)
		97	+ file_printable(sbuf, sizeof(sbuf), str,
		98	+ sizeof(p->s) - (str - p->s))) == -1)
		99	return -1;
		100
		101	if (m->type == FILE_PSTRING)
		102	@@ -750,7 +751,7 @@ mprint(struct magic_set *ms, struct magi
		103	return -1;
		104	}
		105	rval = file_printf(ms, F(ms, desc, "%s"),
		106	- file_printable(sbuf, sizeof(sbuf), cp));
		107	+ file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
		108	free(cp);
		109
		110	if (rval == -1)
		111	@@ -777,7 +778,8 @@ mprint(struct magic_set *ms, struct magi
		112	break;
		113	case FILE_DER:
		114	if (file_printf(ms, F(ms, desc, "%s"),
		115	- file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
		116	+ file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
		117	+ sizeof(ms->ms_value.s))) == -1)
		118	return -1;
		119	t = ms->offset;
		120	break;


diff --git a/meta/recipes-devtools/file/file/CVE-2019-8906.patch b/meta/recipes-devtools/file/file/CVE-2019-8906.patch new file mode 100644 index 0000000000..1079ac6675 --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
@@ -0,0 +1,27 @@
		1	From 2858eaf99f6cc5aae129bcbf1e24ad160240185f Mon Sep 17 00:00:00 2001
		2	From: Christos Zoulas <christos@zoulas.com>
		3	Date: Wed, 2 Jan 2019 19:44:14 +0000
		4	Subject: [PATCH] Avoid OOB read (found by ASAN reported by F. Alonso)
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2019-8906
		8	Affects < 5.36
		9	[Fixup for thud context]
		10	Signed-off-by: Armin Kuster <akuster@mvista.com>
		11	---
		12	src/readelf.c \| 4 ++--
		13	1 file changed, 2 insertions(+), 2 deletions(-)
		14
		15	Index: git/src/readelf.c
		16	===================================================================
		17	--- git.orig/src/readelf.c
		18	+++ git/src/readelf.c
		19	@@ -745,7 +745,7 @@ do_core_note(struct magic_set *ms, unsig
		20	char sbuf[512];
		21	struct NetBSD_elfcore_procinfo pi;
		22	memset(&pi, 0, sizeof(pi));
		23	- memcpy(&pi, nbuf + doff, descsz);
		24	+ memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
		25
		26	if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
		27	"gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",


diff --git a/meta/recipes-devtools/file/file_5.34.bb b/meta/recipes-devtools/file/file_5.34.bb index 5d92913cb0..cb19642ff1 100644 --- a/meta/recipes-devtools/file/file_5.34.bb +++ b/meta/recipes-devtools/file/file_5.34.bb
@@ -16,6 +16,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
16		16
17	SRC_URI = "git://github.com/file/file.git \	17	SRC_URI = "git://github.com/file/file.git \
18	file://debian-742262.patch \	18	file://debian-742262.patch \
		19	file://CVE-2019-8906.patch \
		20	file://CVE-2019-8904.patch \
		21	file://CVE-2019-8905_CVE-2019-8907.patch \
19	"	22	"
20		23
21	SRCREV = "315cef2f699da3c31a54bd3c6c6070680fbaf1f5"	24	SRCREV = "315cef2f699da3c31a54bd3c6c6070680fbaf1f5"