file: patch for CVE-2018-10360 (#43856)

from Gentoo, based on upstream commit. (cherry picked from commit 6546d17) It seems not clear if _this_ version was affected by the CVE, but the patch seems safe enough, so apply it to be sure.
NixOS · Aug 1, 2018 · 0e55dde · 0e55dde
1 parent d1a47f3
commit 0e55dde
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/pkgs/tools/misc/file/default.nix b/pkgs/tools/misc/file/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) file;
   buildInputs = [ zlib ];
 
+  patches = [ ./file-5.33-CVE-2018-10360.patch ];
+
   doCheck = true;
 
 

diff --git a/pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch b/pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch
@@ -0,0 +1,18 @@
+Avoid reading past the end of buffer
+
+CVE-2018-10360
+
+https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+
+ 				cname = (unsigned char *)
+ 				    &nbuf[doff + prpsoffsets(i)];
+-				for (cp = cname; *cp && isprint(*cp); cp++)
++				for (cp = cname; cp < nbuf + size && *cp
++				    && isprint(*cp); cp++)
+ 					continue;
+ 				/*
+ 				 * Linux apparently appends a space at the end