Bug 241424

Summary: sysutils/file: Update to 5.37, Fix CVE-2019-18218
Product: Ports & Packages
Reporter: Nathan <ndowens04>
Component: Individual Port(s)
Assignee: Raphael Kubo da Costa <rakuco>
Status: Closed FIXED
Severity: Affects Many People
CC: jharris, ports-secteam, rakuco
Priority: Normal
Keywords: buildisok, security
Version: Latest
Flags: jharris: maintainer-feedback+, koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
Attachments:
  Description: update ; add CVE patch    Flags: jharris: maintainer-approval+
  Description: VuXML entry               Flags: none

Description Nathan 2019-10-22 22:09:07 UTC
Created attachment 208516
update ; add CVE patch

Built fine in poudriere for:
12/13-amd64 12/13-i386 and 12arm64

Updated to 5.37; cherry-picked from the GitHub URL listed for CVE-2019-18218 here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
Comment 1 Automation User 2019-10-22 22:18:09 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/90736914
Comment 2 Nathan 2019-10-23 00:48:43 UTC
Hold off on this patch. I noticed one thing I have to fix in the patch; will fix soon :)
Comment 3 Nathan 2019-10-23 01:23:36 UTC
Never mind. Relooking at it and retesting the patch, it does apply correctly after all, so feel free to continue.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-23 02:14:38 UTC
^Triage: Pending VuXML entry
Comment 5 Nathan 2019-10-23 20:18:41 UTC
Created attachment 208539
VuXML entry
Comment 6 jharris 2019-10-27 22:08:05 UTC
Approved, albeit without personally testing.  Thanks!
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-11-02 12:19:52 UTC
A commit references this bug:

Author: rakuco
Date: Sat Nov  2 12:19:34 UTC 2019
New revision: 516308
URL: https://svnweb.freebsd.org/changeset/ports/516308

Log:
  Add entry for heap buffer overflow in sysutils/file.

  PR:		241424
  Submitted by:	Nathan Owens <ndowens04@gmail.com>
  Approved by:	jharris@widomaker.com (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer freebsd_triage 2019-11-02 12:23:56 UTC
A commit references this bug:

Author: rakuco
Date: Sat Nov  2 12:23:41 UTC 2019
New revision: 516311
URL: https://svnweb.freebsd.org/changeset/ports/516311

Log:
  Update to 5.37 with patch for CVE-2019-18218.

  PR:		241424
  Submitted by:	Nathan Owens <ndowens04@gmail.com>
  Approved by:	jharris@widomaker.com (maintainer)
  MFH:		2019Q4
  Security:	381deebb-f5c9-11e9-9c4f-74d435e60b7c

Changes:
  head/sysutils/file/Makefile
  head/sysutils/file/distinfo
  head/sysutils/file/files/
  head/sysutils/file/files/patch-src_cdf.c
  head/sysutils/file/files/patch-src_cdf.h
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-11-02 12:26:58 UTC
A commit references this bug:

Author: rakuco
Date: Sat Nov  2 12:26:06 UTC 2019
New revision: 516312
URL: https://svnweb.freebsd.org/changeset/ports/516312

Log:
  Adjust entry 381deebb-f5c9-11e9-9c4f-74d435e60b7c for sysutils/file.

  Upstream version 5.37 is vulnerable, but the update to 5.37 in the ports tree
  was landed with a fix for the CVE entry.

  PR:		241424

Changes:
  head/security/vuxml/vuln.xml
Comment 10 Raphael Kubo da Costa freebsd_committer freebsd_triage 2019-11-02 12:27:36 UTC
Thank you!
Comment 11 commit-hook freebsd_committer freebsd_triage 2019-11-03 11:54:01 UTC
A commit references this bug:

Author: rakuco
Date: Sun Nov  3 11:53:37 UTC 2019
New revision: 516412
URL: https://svnweb.freebsd.org/changeset/ports/516412

Log:
  MFH: r516311

  Update to 5.37 with patch for CVE-2019-18218.

  PR:		241424
  Submitted by:	Nathan Owens <ndowens04@gmail.com>
  Approved by:	jharris@widomaker.com (maintainer)
  Security:	381deebb-f5c9-11e9-9c4f-74d435e60b7c

  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/sysutils/file/Makefile
  branches/2019Q4/sysutils/file/distinfo
  branches/2019Q4/sysutils/file/files/