From 3d7375eb2e459b891b4ba16c1fc486afbfecef2c Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Fri, 31 May 2019 11:06:08 -0700
Subject: file: Multiple Secruity fixes

Source: https://github.com/file
MR: 97573, 97578, 97583, 97588
Type: Security Fix
Disposition: Backport from https://github.com/file/file
ChangeID: 159e532d518623f19ba777c8edc24d2dc7e3a4e9
Description:

CVE-2019-8905 is the same fix as CVE-2019-8907

Affects < 5.36.0

Fixes:
CVE-2019-8904
CVE-2019-8906
CVE-2019-8906
CVE-2019-8907

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-devtools/file/file/CVE-2019-8904.patch |  30 ++++++
 .../file/file/CVE-2019-8905_CVE-2019-8907.patch    | 120 +++++++++++++++++++++
 .../recipes-devtools/file/file/CVE-2019-8906.patch |  27 +++++
 meta/recipes-devtools/file/file_5.34.bb            |   3 +
 4 files changed, 180 insertions(+)
 create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8904.patch
 create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
 create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8906.patch

(limited to 'meta/recipes-devtools')

diff --git a/meta/recipes-devtools/file/file/CVE-2019-8904.patch b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
new file mode 100644
index 0000000000..5c3d6f73a4
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
@@ -0,0 +1,30 @@
+From 94b7501f48e134e77716e7ebefc73d6bbe72ba55 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:30:41 +0000
+Subject: [PATCH] PR/62: spinpx: Avoid non-nul-terminated string read.
+
+Upstream-Status: Backport
+CVE: CVE-2019-8904
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/readelf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -558,8 +558,8 @@ do_bid_note(struct magic_set *ms, unsign
+ 	}
+ 	if (namesz == 4 && strcmp((char *)&nbuf[noff], "Go") == 0 &&
+ 	    type == NT_GO_BUILD_ID && descsz < 128) {
+-		if (file_printf(ms, ", Go BuildID=%s",
+-		    (char *)&nbuf[doff]) == -1)
++		if (file_printf(ms, ", Go BuildID=%.*s",
++		    CAST(int, descsz), CAST(char *, &nbuf[doff])) == -1)
+ 			return 1;
+ 		return 1;
+ 	}
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
new file mode 100644
index 0000000000..a55b94c61a
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
@@ -0,0 +1,120 @@
+From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:46:56 +0000
+Subject: [PATCH] PR/62: spinpx: limit size of file_printable.
+
+Upstream-Status: Backport
+CVE: CVE-2019-8905
+CVE: CVE-2019-8907
+affects < 5.36
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/file.h      |  4 ++--
+ src/funcs.c     |  9 +++++----
+ src/readelf.c   |  7 ++++---
+ src/softmagic.c | 14 ++++++++------
+ 4 files changed, 19 insertions(+), 15 deletions(-)
+
+Index: git/src/file.h
+===================================================================
+--- git.orig/src/file.h
++++ git/src/file.h
+@@ -501,7 +501,7 @@ protected int file_looks_utf8(const unsi
+     size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+     size_t);
+Index: git/src/funcs.c
+===================================================================
+--- git.orig/src/funcs.c
++++ git/src/funcs.c
+@@ -595,12 +595,13 @@ file_pop_buffer(struct magic_set *ms, fi
+  * convert string to ascii printable format.
+  */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+-	char *ptr, *eptr;
++	char *ptr, *eptr = buf + bufsiz - 1;
+ 	const unsigned char *s = (const unsigned char *)str;
++	const unsigned char *es = s + slen;
+ 
+-	for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++	for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
+ 		if (isprint(*s)) {
+ 			*ptr++ = *s;
+ 			continue;
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -750,7 +750,7 @@ do_core_note(struct magic_set *ms, unsig
+ 			if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ 			    "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+ 			    file_printable(sbuf, sizeof(sbuf),
+-			    CAST(char *, pi.cpi_name)),
++			    CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+ 			    elf_getu32(swap, (uint32_t)pi.cpi_pid),
+ 			    elf_getu32(swap, pi.cpi_euid),
+ 			    elf_getu32(swap, pi.cpi_egid),
+@@ -1655,7 +1655,8 @@ dophn_exec(struct magic_set *ms, int cla
+ 		return -1;
+ 	if (interp[0])
+ 		if (file_printf(ms, ", interpreter %s",
+-		    file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++		    file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
++			== -1)
+ 			return -1;
+ 	return 0;
+ }
+Index: git/src/softmagic.c
+===================================================================
+--- git.orig/src/softmagic.c
++++ git/src/softmagic.c
+@@ -616,8 +616,8 @@ mprint(struct magic_set *ms, struct magi
+   	case FILE_LESTRING16:
+ 		if (m->reln == '=' || m->reln == '!') {
+ 			if (file_printf(ms, F(ms, desc, "%s"), 
+-			    file_printable(sbuf, sizeof(sbuf), m->value.s))
+-			    == -1)
++			    file_printable(sbuf, sizeof(sbuf), m->value.s,
++			    sizeof(m->value.s))) == -1)
+ 				return -1;
+ 			t = ms->offset + m->vallen;
+ 		}
+@@ -644,7 +644,8 @@ mprint(struct magic_set *ms, struct magi
+ 			}
+ 
+ 			if (file_printf(ms, F(ms, desc, "%s"),
+-			    file_printable(sbuf, sizeof(sbuf), str)) == -1)
++			    file_printable(sbuf, sizeof(sbuf), str,
++				sizeof(p->s) - (str - p->s))) == -1)
+ 				return -1;
+ 
+ 			if (m->type == FILE_PSTRING)
+@@ -750,7 +751,7 @@ mprint(struct magic_set *ms, struct magi
+ 			return -1;
+ 		}
+ 		rval = file_printf(ms, F(ms, desc, "%s"),
+-		    file_printable(sbuf, sizeof(sbuf), cp));
++		    file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+ 		free(cp);
+ 
+ 		if (rval == -1)
+@@ -777,7 +778,8 @@ mprint(struct magic_set *ms, struct magi
+ 		break;
+ 	case FILE_DER:
+ 		if (file_printf(ms, F(ms, desc, "%s"), 
+-		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++                        sizeof(ms->ms_value.s))) == -1)
+ 			return -1;
+ 		t = ms->offset;
+ 		break;
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8906.patch b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
new file mode 100644
index 0000000000..1079ac6675
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
@@ -0,0 +1,27 @@
+From 2858eaf99f6cc5aae129bcbf1e24ad160240185f Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Wed, 2 Jan 2019 19:44:14 +0000
+Subject: [PATCH] Avoid OOB read (found by ASAN reported by F. Alonso)
+
+Upstream-Status: Backport
+CVE: CVE-2019-8906
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -745,7 +745,7 @@ do_core_note(struct magic_set *ms, unsig
+ 			char sbuf[512];
+ 			struct NetBSD_elfcore_procinfo pi;
+ 			memset(&pi, 0, sizeof(pi));
+-			memcpy(&pi, nbuf + doff, descsz);
++			memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+ 
+ 			if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ 			    "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
diff --git a/meta/recipes-devtools/file/file_5.34.bb b/meta/recipes-devtools/file/file_5.34.bb
index 5d92913cb0..cb19642ff1 100644
--- a/meta/recipes-devtools/file/file_5.34.bb
+++ b/meta/recipes-devtools/file/file_5.34.bb
@@ -16,6 +16,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
 
 SRC_URI = "git://github.com/file/file.git \
         file://debian-742262.patch \
+        file://CVE-2019-8906.patch \
+        file://CVE-2019-8904.patch \
+        file://CVE-2019-8905_CVE-2019-8907.patch \
         "
 
 SRCREV = "315cef2f699da3c31a54bd3c6c6070680fbaf1f5"
-- 
cgit 1.2.3-korg