[gentoo-commits] repo/gentoo:master commit in: sys-apps/file/, sys-apps/file/files/

[Thomas Deutschmann]

commit:     331976f64a3ac2e70aa62d6631db0e148f19d0fe
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 12 08:17:44 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Jun 12 08:18:03 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=331976f6

sys-apps/file: Avoid reading past the end of buffer (CVE-2018-10360)

Bug: https://bugs.gentoo.org/657930
Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-apps/file/file-5.33-r2.ebuild                  | 127 +++++++++++++++++++++
 sys-apps/file/files/file-5.33-CVE-2018-10360.patch |  18 +++
 2 files changed, 145 insertions(+)

diff --git a/sys-apps/file/file-5.33-r2.ebuild 
b/sys-apps/file/file-5.33-r2.ebuild
new file mode 100644
index 00000000000..4537ffb58aa
--- /dev/null
+++ b/sys-apps/file/file-5.33-r2.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy )
+DISTUTILS_OPTIONAL=1
+
+inherit distutils-r1 libtool ltprune toolchain-funcs multilib-minimal
+
+if [[ ${PV} == "9999" ]] ; then
+       EGIT_REPO_URI="https://github.com/glensc/file.git";
+       inherit autotools git-r3
+else
+       SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz";
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 
~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux 
~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris 
~sparc64-solaris ~x64-solaris ~x86-solaris"
+fi
+
+DESCRIPTION="identify a file's format by scanning binary data for patterns"
+HOMEPAGE="https://www.darwinsys.com/file/";
+
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="python static-libs zlib"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+DEPEND="
+       python? (
+               ${PYTHON_DEPS}
+               dev-python/setuptools[${PYTHON_USEDEP}]
+       )
+       zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+RDEPEND="${DEPEND}
+       python? ( !dev-python/python-magic )"
+
+PATCHES=( "${FILESDIR}"/${P}-CVE-2018-10360.patch )
+
+src_prepare() {
+       default
+
+       [[ ${PV} == "9999" ]] && eautoreconf
+       elibtoolize
+
+       # don't let python README kill main README #60043
+       mv python/README{,.python} || die
+}
+
+multilib_src_configure() {
+       local myeconfargs=(
+               --disable-libseccomp
+               --enable-fsect-man5
+               $(use_enable static-libs static)
+               $(use_enable zlib)
+       )
+       ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+src_configure() {
+       # when cross-compiling, we need to build up our own file
+       # because people often don't keep matching host/target
+       # file versions #362941
+       if tc-is-cross-compiler && ! ROOT=/ has_version ~${CATEGORY}/${P} ; then
+               mkdir -p "${WORKDIR}"/build || die
+               cd "${WORKDIR}"/build || die
+               tc-export_build_env BUILD_C{C,XX}
+               ECONF_SOURCE=${S} \
+               ac_cv_header_zlib_h=no \
+               ac_cv_lib_z_gzopen=no \
+               CHOST=${CBUILD} \
+               CFLAGS=${BUILD_CFLAGS} \
+               CXXFLAGS=${BUILD_CXXFLAGS} \
+               CPPFLAGS=${BUILD_CPPFLAGS} \
+               LDFLAGS="${BUILD_LDFLAGS} -static" \
+               CC=${BUILD_CC} \
+               CXX=${BUILD_CXX} \
+               econf --disable-shared --disable-libseccomp
+       fi
+
+       multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+       if multilib_is_native_abi ; then
+               emake
+       else
+               cd src || die
+               emake magic.h #586444
+               emake libmagic.la
+       fi
+}
+
+src_compile() {
+       if tc-is-cross-compiler && ! ROOT=/ has_version "~${CATEGORY}/${P}" ; 
then
+               emake -C "${WORKDIR}"/build/src magic.h #586444
+               emake -C "${WORKDIR}"/build/src file
+               PATH="${WORKDIR}/build/src:${PATH}"
+       fi
+       multilib-minimal_src_compile
+
+       if use python ; then
+               cd python || die
+               distutils-r1_src_compile
+       fi
+}
+
+multilib_src_install() {
+       if multilib_is_native_abi ; then
+               default
+       else
+               emake -C src install-{nodist_includeHEADERS,libLTLIBRARIES} 
DESTDIR="${D}"
+       fi
+}
+
+multilib_src_install_all() {
+       dodoc ChangeLog MAINT README
+
+       # Required for `file -C`
+       dodir /usr/share/misc/magic
+       insinto /usr/share/misc/magic
+       doins -r magic/Magdir/*
+
+       if use python ; then
+               cd python || die
+               distutils-r1_src_install
+       fi
+       prune_libtool_files
+}

diff --git a/sys-apps/file/files/file-5.33-CVE-2018-10360.patch 
b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch
new file mode 100644
index 00000000000..a489846b10f
--- /dev/null
+++ b/sys-apps/file/files/file-5.33-CVE-2018-10360.patch
@@ -0,0 +1,18 @@
+Avoid reading past the end of buffer
+
+CVE-2018-10360
+
+https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, 
uint32_t type,
+ 
+                               cname = (unsigned char *)
+                                   &nbuf[doff + prpsoffsets(i)];
+-                              for (cp = cname; *cp && isprint(*cp); cp++)
++                              for (cp = cname; cp < nbuf + size && *cp
++                                  && isprint(*cp); cp++)
+                                       continue;
+                               /*
+                                * Linux apparently appends a space at the end