[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: file: Fix CVE-2017-1000249.
From: |
Efraim Flashner |
Subject: |
01/01: gnu: file: Fix CVE-2017-1000249. |
Date: |
Tue, 5 Sep 2017 16:05:12 -0400 (EDT) |
efraim pushed a commit to branch master
in repository guix.
commit f1597427f220b0799b9c8847768d2f5a93fe3730
Author: Efraim Flashner <address@hidden>
Date: Tue Sep 5 23:02:56 2017 +0300
gnu: file: Fix CVE-2017-1000249.
* gnu/packages/file.scm (file)[replacement]: New field.
(file/fixed): New variable.
* gnu/packages/commencement.scm (file-boot0): Use package/inherit.
* gnu/packages/patches/file-CVE-2017-1000249.patch.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/commencement.scm | 3 +--
gnu/packages/file.scm | 11 ++++++++--
gnu/packages/patches/file-CVE-2017-1000249.patch | 27 ++++++++++++++++++++++++
4 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index edfecc7..445d126 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -603,6 +603,7 @@ dist_patch_DATA =
\
%D%/packages/patches/fasthenry-spFactor.patch \
%D%/packages/patches/fcgi-2.4.0-gcc44-fixes.patch \
%D%/packages/patches/fcgi-2.4.0-poll.patch \
+ %D%/packages/patches/file-CVE-2017-1000249.patch \
%D%/packages/patches/findutils-localstatedir.patch \
%D%/packages/patches/findutils-gnulib-multi-core.patch \
%D%/packages/patches/findutils-test-xargs.patch \
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 2b67881..7bbe1be 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -112,8 +112,7 @@
(define file-boot0
(package-with-bootstrap-guile
- (package-with-explicit-inputs (package
- (inherit file)
+ (package-with-explicit-inputs (package/inherit file
(name "file-boot0"))
`(("make" ,gnu-make-boot0)
,@%bootstrap-inputs)
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 050e671..3bc8e1d 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <address@hidden>
;;; Copyright © 2014, 2015 Mark H Weaver <address@hidden>
-;;; Copyright © 2016 Efraim Flashner <address@hidden>
+;;; Copyright © 2016, 2017 Efraim Flashner <address@hidden>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -27,7 +27,8 @@
(define-public file
(package
- (name "file")
+ (replacement file/fixed)
+ (name "file")
(version "5.30")
(source (origin
(method url-fetch)
@@ -51,3 +52,9 @@ of the file.")
(license bsd-2)
(home-page "http://www.darwinsys.com/file/")))
+(define file/fixed
+ (package
+ (inherit file)
+ (source (origin
+ (inherit (package-source file))
+ (patches (search-patches "file-CVE-2017-1000249.patch"))))))
diff --git a/gnu/packages/patches/file-CVE-2017-1000249.patch
b/gnu/packages/patches/file-CVE-2017-1000249.patch
new file mode 100644
index 0000000..505acf1
--- /dev/null
+++ b/gnu/packages/patches/file-CVE-2017-1000249.patch
@@ -0,0 +1,27 @@
+https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793.patch
+http://openwall.com/lists/oss-security/2017/09/05/3
+
+The patch is minorly modified to apply to file-5.30
+
+From 35c94dc6acc418f1ad7f6241a6680e5327495793 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <address@hidden>
+Date: Sun, 27 Aug 2017 07:55:02 +0000
+Subject: [PATCH] Fix always true condition (Thomas Jarosch)
+
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 81451827..5f425c97 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -511,7 +511,7 @@ do_bid_note(struct magic_set *ms, unsigned char *nbuf,
uint32_t type,
+ size_t noff, size_t doff, int *flags)
+ {
+ if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
+- type == NT_GNU_BUILD_ID && (descsz >= 4 || descsz <= 20)) {
++ type == NT_GNU_BUILD_ID && (descsz >= 4 && descsz <= 20)) {
+ uint8_t desc[20];
+ const char *btype;
+ uint32_t i;