rpms/file/FC-6 file-4.19-hower.patch,NONE,1.1 file.spec,1.56,1.57
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Mar 30 09:01:41 UTC 2007
Author: mbacovsk
Update of /cvs/dist/rpms/file/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv23601
Modified Files:
file.spec
Added Files:
file-4.19-hower.patch
Log Message:
* Fri Mar 30 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-2
- Resolves: #233164: CVE-2007-1536 file 4.20 fixes a heap
overflow in that can result in arbitrary code execution
file-4.19-hower.patch:
file.h | 2 +-
funcs.c | 44 ++++++++++++++++++++++++++------------------
magic.c | 3 +--
3 files changed, 28 insertions(+), 21 deletions(-)
--- NEW FILE file-4.19-hower.patch ---
--- file-4.19.orig/src/magic.c
+++ file-4.19/src/magic.c
@@ -94,7 +94,7 @@
goto free1;
}
- ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
+ ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
if (ms->o.buf == NULL)
goto free1;
@@ -106,7 +106,6 @@
if (ms->c.off == NULL)
goto free3;
- ms->o.len = 0;
ms->haderr = 0;
ms->error = -1;
ms->mlist = NULL;
only in patch2:
unchanged:
--- file-4.19.orig/src/file.h
+++ file-4.19/src/file.h
@@ -276,7 +276,7 @@
/* Accumulation buffer */
char *buf;
char *ptr;
- size_t len;
+ size_t left;
size_t size;
/* Printable buffer */
char *pbuf;
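Review bot: The renamed field `left` in the accumulation buffer carries no comment saying what it counts, although it no longer means what `len` did. The rest of the patch depends on the invariant `ptr - buf == size - left`: file_printf passes `left` as the vsnprintf bound at `ptr`, and file_getbuffer derives the used length as `size - left`. I would document that at the declaration, for example `size_t left; /* bytes still free at ptr; used length is size - left */`. The enclosing struct starts and ends outside this hunk.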
only in patch2:
unchanged:
--- file-4.19.orig/src/funcs.c
+++ file-4.19/src/funcs.c
@@ -26,6 +26,7 @@
*/
#include "file.h"
#include "magic.h"
+#include <assert.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
@@ -52,28 +53,32 @@
file_printf(struct magic_set *ms, const char *fmt, ...)
{
va_list ap;
- size_t len;
+ size_t len, size;
char *buf;
va_start(ap, fmt);
- if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+ if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+ long diff; /* XXX: really ptrdiff_t */
+
va_end(ap);
- if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
- file_oomem(ms, len + 1024);
+ size = (ms->o.size - ms->o.left) + len + 1024;
+ if ((buf = realloc(ms->o.buf, size)) == NULL) {
+ file_oomem(ms, size);
return -1;
}
- ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+ diff = ms->o.ptr - ms->o.buf;
+ ms->o.ptr = buf + diff;
ms->o.buf = buf;
- ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
- ms->o.size = len + 1024;
+ ms->o.left = size - diff;
+ ms->o.size = size;
va_start(ap, fmt);
- len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+ len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
}
- ms->o.ptr += len;
- ms->o.len -= len;
va_end(ap);
+ ms->o.ptr += len;
+ ms->o.left -= len;
return 0;
}
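Review bot: A negative return from vsnprintf() is not handled at either call in file_printf, because the result goes straight into the `size_t len`. An error value converts to a very large number, takes the grow branch and makes `size = (ms->o.size - ms->o.left) + len + 1024` wrap; after the second call, `ms->o.ptr += len` and `ms->o.left -= len` leave the bookkeeping out of step with the allocation. I would take the result in an `int` at both calls, `int n = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);`, bail out with `if (n < 0) { va_end(ap); return -1; }`, and only then assign it to `len`. The `long diff` marked XXX could be a `ptrdiff_t` from `<stddef.h>`. The function's return-type line is outside the hunk.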
@@ -172,8 +177,8 @@
protected const char *
file_getbuffer(struct magic_set *ms)
{
- char *nbuf, *op, *np;
- size_t nsize;
+ char *pbuf, *op, *np;
+ size_t psize, len;
if (ms->haderr)
return NULL;
@@ -181,14 +186,17 @@
if (ms->flags & MAGIC_RAW)
return ms->o.buf;
- nsize = ms->o.len * 4 + 1;
- if (ms->o.psize < nsize) {
- if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
- file_oomem(ms, nsize);
+ len = ms->o.size - ms->o.left;
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ assert(psize > len);
+ if (ms->o.psize < psize) {
+ if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
+ file_oomem(ms, psize);
return NULL;
}
- ms->o.psize = nsize;
- ms->o.pbuf = nbuf;
+ ms->o.psize = psize;
+ ms->o.pbuf = pbuf;
}
#if defined(HAVE_WCHAR_H) && defined(HAVE_MBRTOWC) && defined(HAVE_WCWIDTH)
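Review bot: The overflow guard `assert(psize > len);` in file_getbuffer is compiled out when NDEBUG is defined, and where it is active it aborts the calling process instead of returning an error. It also misses some wraps of `len * 4 + 1`: a `len` between roughly one third and one half of the size_t range wraps to a value that is still larger than `len`. Since `psize` sizes the printable buffer (presumably filled by the code after this hunk), I would test before multiplying and fail through the existing path: `if (len > ((size_t)-1 - 1) / 4) { file_oomem(ms, len); return NULL; }`. The function body continues past the end of this hunk.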
Index: file.spec
===================================================================
RCS file: /cvs/dist/rpms/file/FC-6/file.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- file.spec 26 Jan 2007 15:22:47 -0000 1.56
+++ file.spec 30 Mar 2007 09:01:38 -0000 1.57
@@ -3,7 +3,7 @@
Summary: A utility for determining file types.
Name: file
Version: 4.19
-Release: 1%{dist}
+Release: 2%{dist}
License: distributable
Group: Applications/File
Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -21,6 +21,7 @@
Patch20: file-4.17-bash.patch
Patch21: file-4.19-ELF.patch
Patch22: file-4.19-ooffice.patch
+Patch23: file-4.19-hower.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: zlib-devel
@@ -48,6 +49,7 @@
%patch20 -p1 -b .bash
%patch21 -p1 -b .ELF
%patch22 -p1 -b .ooffice
+%patch23 -p1 -b .hower
iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
mv doc/libmagic.man_ doc/libmagic.man
@@ -93,7 +95,11 @@
%{_libdir}/libmagic.*
%changelog
-* Fri Jan 26 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-1.fc6
+* Fri Mar 30 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-2
+- Resolves: #233164: CVE-2007-1536 file 4.20 fixes a heap
+ overflow in that can result in arbitrary code execution
+
+* Fri Jan 26 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-1
- Resolves: #224334 - file does not recognize OpenOffice "native" formats
- upgrade to new upstream 4.19
- patch revision and cleaning