gnu: file: Fix CVE-2018-10360.

* gnu/packages/patches/file-CVE-2018-10360.patch: New file.
* gnu/packages/file.scm (file)[replacement]: New field.
(file/fixed): New variable.
* gnu/packages/commencement.scm (file-boot0): Use 'package/inherit' to
receive security fixes.
* gnu/local.mk (dist_patch_DATA): Register it.

diff --git a/gnu/local.mk b/gnu/local.mk
index 0a945e4..925d955 100644 (file)
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA =                                           \
   %D%/packages/patches/fcgi-2.4.0-poll.patch                   \
   %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch                \
   %D%/packages/patches/fifo-map-remove-catch.hpp.patch         \
+  %D%/packages/patches/file-CVE-2018-10360.patch               \
   %D%/packages/patches/findutils-gnulib-libio.patch            \
   %D%/packages/patches/findutils-localstatedir.patch           \
   %D%/packages/patches/findutils-makedev.patch                 \

diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 0aa65fe..bd48eb7 100644 (file)
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -126,8 +126,7 @@
 
 (define file-boot0
   (package-with-bootstrap-guile
-   (package-with-explicit-inputs (package
-                                   (inherit file)
+   (package-with-explicit-inputs (package/inherit file
                                    (name "file-boot0"))
                                  `(("make" ,gnu-make-boot0)
                                    ,@%bootstrap-inputs)

diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 78f0360..4518c8d 100644 (file)
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,6 +31,7 @@
   (package
     (name "file")
     (version "5.33")
+    (replacement file/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
@@ -51,3 +53,10 @@ extensions to tell you the type of a file, but looks at the actual contents
 of the file.  This package provides the libmagic library.")
    (license bsd-2)
    (home-page "https://www.darwinsys.com/file/")))
+
+(define file/fixed
+  (package
+    (inherit file)
+    (source
+      (origin (inherit (package-source file))
+              (patches (search-patches "file-CVE-2018-10360.patch"))))))

diff --git a/gnu/packages/patches/file-CVE-2018-10360.patch b/gnu/packages/patches/file-CVE-2018-10360.patch
new file mode 100644 (file)
index 0000000..9285611
--- /dev/null
+++ b/gnu/packages/patches/file-CVE-2018-10360.patch
@@ -0,0 +1,27 @@
+https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22.patch
+The leading part of the patch starting at line 27 was trimmed off.
+This patch should be OK to drop with file@5.35.
+
+From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Sat, 9 Jun 2018 16:00:06 +0000
+Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis)
+
+---
+ src/readelf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 79c83f9f5..1f41b4611 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+ 
+                               cname = (unsigned char *)
+                                   &nbuf[doff + prpsoffsets(i)];
+-                              for (cp = cname; *cp && isprint(*cp); cp++)
++                              for (cp = cname; cp < nbuf + size && *cp
++                                  && isprint(*cp); cp++)
+                                       continue;
+                               /*
+                                * Linux apparently appends a space at the end