Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

file: patch for CVE-2018-10360 (#43856)

from Gentoo, based on upstream commit.

(cherry picked from commit 6546d17cfff4fc2a0f867d15f0d431e604b25740)
It seems not clear if _this_ version was affected by the CVE,
but the patch seems safe enough, so apply it to be sure.

authored by Will Dietz and committed by Vladimír Čunát 0e55dde2 d1a47f37

+20
+2
pkgs/tools/misc/file/default.nix
··· 15 15 nativeBuildInputs = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) file; 16 16 buildInputs = [ zlib ]; 17 17 18 + patches = [ ./file-5.33-CVE-2018-10360.patch ]; 19 + 18 20 doCheck = true; 19 21 20 22
+18
pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch
··· 1 + Avoid reading past the end of buffer 2 + 3 + CVE-2018-10360 4 + 5 + https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22 6 + 7 + --- a/src/readelf.c 8 + +++ b/src/readelf.c 9 + @@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, 10 + 11 + cname = (unsigned char *) 12 + &nbuf[doff + prpsoffsets(i)]; 13 + - for (cp = cname; *cp && isprint(*cp); cp++) 14 + + for (cp = cname; cp < nbuf + size && *cp 15 + + && isprint(*cp); cp++) 16 + continue; 17 + /* 18 + * Linux apparently appends a space at the end
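Review bot: In pkgs/tools/misc/file/default.nix the new `patches` entry has no comment saying why it is there or when it can be removed. The patch filename pins 5.33 and the commit message says it is unclear whether this version is affected, so a one-line comment beside `patches = [ ./file-5.33-CVE-2018-10360.patch ];` naming the CVE and the upstream commit from the patch header would tell whoever bumps the version to drop the entry once the packaged release contains that commit.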
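Review bot: In the do_core_note hunk of file-5.33-CVE-2018-10360.patch, the added bound `cp < nbuf + size` limits how far the scan advances but says nothing about where it starts: the lines shown do not establish that `cname`, taken as `&nbuf[doff + prpsoffsets(i)]`, lies inside the buffer. Please confirm that the surrounding code rejects `doff + prpsoffsets(i) >= size` before this loop is reached, and that the code following the loop (the trailing-space handling the context comment refers to) does not read `*cp` when the loop stopped at `nbuf + size`. The order of the new condition itself is correct, with the bounds test evaluated before `*cp`.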