
Import Debian version 5.04-5+squeeze4

Christoph Biedl 11 years ago
parent
commit
e5fff4ac46

+ 153 - 0
debian/patches/CVE-2014-2270.patch

@@ -0,0 +1,153 @@
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Jan 8 22:22:54 2014 +0000
+Last-Update: 2014-03-05
+Upstream-Commit:
+    447558595a3650db2886cd2f416ad0beba965801
+    70c65d2e1841491f59168db1f905e8b14083fb1c
+Description:
+ PR/313: Aaron Reffett: Check properly for exceeding the offset.
+ .
+ off by one in out of bounds calculations (Jan Kaluza)
+ .
+ CVE-2014-2270
+ Backport for 5.04: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -60,6 +60,7 @@
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1085,7 +1086,7 @@
+ 		}
+ 		switch (m->in_type) {
+ 		case FILE_BYTE:
+-			if (nbytes < (offset + 1))
++			if (OFFSET_OOB(nbytes, offset, 1))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1120,7 +1121,7 @@
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_BESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1172,7 +1173,7 @@
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1224,7 +1225,7 @@
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_SHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1261,7 +1262,7 @@
+ 			break;
+ 		case FILE_BELONG:
+ 		case FILE_BEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1332,7 +1333,7 @@
+ 			break;
+ 		case FILE_LELONG:
+ 		case FILE_LEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1402,7 +1403,7 @@
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_MELONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1472,7 +1473,7 @@
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1539,14 +1540,14 @@
+ 	/* Verify we have enough data to match magic type */
+ 	switch (m->type) {
+ 	case FILE_BYTE:
+-		if (nbytes < (offset + 1)) /* should alway be true */
++		if (OFFSET_OOB(nbytes, offset, 1))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_SHORT:
+ 	case FILE_BESHORT:
+ 	case FILE_LESHORT:
+-		if (nbytes < (offset + 2))
++		if (OFFSET_OOB(nbytes, offset, 2))
+ 			return 0;
+ 		break;
+ 
+@@ -1565,26 +1566,26 @@
+ 	case FILE_FLOAT:
+ 	case FILE_BEFLOAT:
+ 	case FILE_LEFLOAT:
+-		if (nbytes < (offset + 4))
++		if (OFFSET_OOB(nbytes, offset, 4))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_DOUBLE:
+ 	case FILE_BEDOUBLE:
+ 	case FILE_LEDOUBLE:
+-		if (nbytes < (offset + 8))
++		if (OFFSET_OOB(nbytes, offset, 8))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_STRING:
+ 	case FILE_PSTRING:
+ 	case FILE_SEARCH:
+-		if (nbytes < (offset + m->vallen))
++		if (OFFSET_OOB(nbytes, offset, m->vallen))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_REGEX:
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		break;
+ 
+@@ -1594,7 +1595,7 @@
+ 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ 		    file_printf(ms, "%s", m->desc) == -1)
+ 			return -1;
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		return file_softmagic(ms, s + offset, nbytes - offset,
+ 		    recursion_level, BINTEST);
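Review bot: The `OFFSET_OOB` macro added ahead of the `softmagic` comment has no comment of its own, so the reason it subtracts rather than adds is easy to lose in a later cleanup. The checks it replaces computed `offset + width` before comparing, and that sum can wrap if `offset` is a 32-bit unsigned value (its declaration is outside the patch, so this is inferred). Testing `(n) < (o)` first and then `(i) > ((n) - (o))` never forms that sum. I would put `/* True when i bytes at offset o do not fit in n bytes; o + i is never computed, so it cannot wrap. n and o are evaluated twice. */` directly above the `#define`. Every call site in the patch passes side-effect-free arguments, so the double evaluation is harmless today; the hunk at `@@ -1565,26` starts mid-switch, so case labels above `FILE_FLOAT` that share its check are not visible here.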

+ 17 - 0
debian/patches/fix-segv-from-loop-overrun.patch

@@ -0,0 +1,17 @@
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Thu Jan 28 23:25:18 2010 +0000
+Upstream-Commit: 0d74a0ec9fc45bd0887b157747012a3aa694f4ae
+Description:
+ fix segv from loop overrun
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -945,7 +945,7 @@
+ 			buf = (const char *)s + offset;
+ 			end = last = (const char *)s + nbytes;
+ 			/* mget() guarantees buf <= last */
+-			for (lines = linecnt, b = buf; lines &&
++			for (lines = linecnt, b = buf; lines && b < end &&
+ 			     ((b = CAST(const char *,
+ 				 memchr(c = b, '\n', CAST(size_t, (end - b)))))
+ 			     || (b = CAST(const char *,
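Review bot: The added `b < end` test protects `CAST(size_t, (end - b))`, but nothing at the loop head says so. If `b` were ever past `end`, that cast would hand `memchr` a very large length. The existing comment `/* mget() guarantees buf <= last */` covers only the entry value of `b`, not the value after the loop's increment. I would extend it to `/* mget() guarantees buf <= last; b < end keeps (end - b) non-negative after b is advanced */`. The loop's increment expression and body lie outside the hunk, so how far `b` can step per iteration, and whether anything is read at `b + 1`, cannot be checked from here.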

+ 17 - 0
debian/patches/limit-repetitions-in-awk-detection.patch

@@ -0,0 +1,17 @@
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon Mar 25 14:06:55 2013 +0000
+Upstream-Commit ef2329cf71acb59204dd981e2c6cce6c81fe467c
+Description:
+ limit to 100 repetitions to avoid excessive backtracking Carsten Wolff
+
+--- a/magic/Magdir/commands
++++ b/magic/Magdir/commands
+@@ -52,7 +52,7 @@
+ # update to distinguish from *.vcf files
+ # this is broken because postscript has /EBEGIN{ for example.
+ #0	search/Ww	BEGIN {			awk script text
+-0	regex		=^\\s*BEGIN\\s*[{]	awk script text
++0	regex		=^\\s{0,100}BEGIN\\s{0,100}[{]	awk script text
+ 
+ # AT&T Bell Labs' Plan 9 shell
+ 0	string/w	#!\ /bin/rc	Plan 9 rc shell script text executable
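Review bot: The patch header line `Upstream-Commit ef2329cf71acb59204dd981e2c6cce6c81fe467c` is missing the colon that the other three patches in this commit use, so a tool that parses these headers would skip the field. It should read `Upstream-Commit: ef2329cf71acb59204dd981e2c6cce6c81fe467c`. On the rule itself, `\\s{0,100}` bounds the matching work for this one entry, at the cost that a script with more than 100 whitespace characters before `BEGIN` is no longer reported as awk. A comment above the rule such as `# repetition capped at 100 to bound regex backtracking on crafted input` would record why the bound is there. Other `regex` entries with unbounded repetition, if any exist in the magic directory, are not touched by this hunk.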

+ 4 - 0
debian/patches/series

@@ -84,3 +84,7 @@ cdf-cert-bff-crashes
 cdf-restore-prefix
 cdf-word-detection
 CVE-2014-1943.patch
+limit-repetitions-in-awk-detection.patch
+fix-segv-from-loop-overrun.patch
+use-s-format-to-print-untrusted-string.patch
+CVE-2014-2270.patch

+ 17 - 0
debian/patches/use-s-format-to-print-untrusted-string.patch

@@ -0,0 +1,17 @@
+Upstream-Author: Reuben Thomas <rrt@sc3d.org>
+Date: Mon Sep 20 14:24:01 2010 +0000
+Upstream-Commit: b05926f28f3cab0ef77101f89be154329dcb8dea
+Description:
+ Use '%s' format to print untrusted string.
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -1592,7 +1592,7 @@
+ 		if (offset == 0)
+ 			return 0;
+ 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+-		    file_printf(ms, m->desc) == -1)
++		    file_printf(ms, "%s", m->desc) == -1)
+ 			return -1;
+ 		if (nbytes < offset)
+ 			return 0;
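Review bot: Only this one `file_printf` call is changed, and nothing at the call site records why `m->desc` must not be passed as the format argument. The description text comes from the magic database, so any conversion specifiers in it would otherwise be interpreted by the formatter. I would add `/* desc comes from the magic file: always pass it as an argument, never as the format */` above the call. The declaration of `file_printf` is outside the hunk; if it does not already carry a printf-style format attribute, adding one would let the compiler flag any remaining non-literal format arguments at other call sites.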