Patch from Matthias Ferdinand on pkgsrc-users.
The do_core_note function in readelf.c in libmagic.a in file
5.33 allows remote attackers to cause a denial of service
(out-of-bounds read and application crash) via a crafted ELF
file.
The actual fix has been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
Fix unbalanced regex (fixes build with some sed flavors).
file 5.28
* PR/555: Avoid overflow for offset > nbytes
* PR/550: Segv on DER parsing:
- use the correct variable for length
- set offset to 0 on failure.
-----------------------------
2016-05-13 12:00 Christos Zoulas <christos@zoulas.com>
* release 5.27
2016-04-18 9:35 Christos Zoulas <christos@zoulas.com>
* Errors comparing DER entries or computing offsets
are just indications of malformed non-DER files.
Don't print them.
* Offset comparison was off-by-one.
* Fix compression code (Werner Fink)
* Put new bytes constant in the right file (not the generated one)
2015-09-16 9:50 Christos Zoulas <christos@zoulas.com>
* release 5.25
2015-09-11 13:25 Christos Zoulas <christos@zoulas.com>
* add a limit to the length of regex searches
2015-09-08 9:50 Christos Zoulas <christos@zoulas.com>
* fix problems with --parameter (Christoph Biedl)
2015-07-11 10:35 Christos Zoulas <christos@zoulas.com>
* Windows fixes PR#466 (Jason Hood)
2015-07-09 10:35 Christos Zoulas <christos@zoulas.com>
* release 5.24
2015-06-11 8:52 Christos Zoulas <christos@zoulas.com>
* redo long option encoding to fix off-by-one in 5.23
2015-06-10 13:50 Christos Zoulas <christos@zoulas.com>
* release 5.23
2015-06-09 16:10 Christos Zoulas <christos@zoulas.com>
* Fix issue with regex range for magic with offset
* Always return true from mget with USE (success to mget not match
indication). Fixes mime evaluation after USE magic
* PR#459: Don't insert magic entries to the list if there are parsing
errors for them.
2015-06-03 16:00 Christos Zoulas <christos@zoulas.com>
* PR#455: Add utf-7 encoding
2015-06-03 14:30 Christos Zoulas <christos@zoulas.com>
* PR#455: Implement -Z, look inside, but don't report on compression
* PR#454: Fix allocation error on bad magic.
2015-05-29 10:30 Christos Zoulas <christos@zoulas.com>
* handle MAGIC_CONTINUE everywhere, not just in softmagic
2015-05-21 14:30 Christos Zoulas <christos@zoulas.com>
* don't print descriptions for NAME types when mime.
2015-04-09 15:59 Christos Zoulas <christos@zoulas.com>
* Add --extension to list the known extensions for this file type
Idea by Andrew J Roazen
2015-02-14 12:23 Christos Zoulas <christos@zoulas.com>
* Bump file search buffer size to 1M.
2015-01-09 14:35 Christos Zoulas <christos@zoulas.com>
* Fix multiple issues with date formats reported by Christoph Biedl:
- T_LOCAL meaning was reversed
- Arithmetic did not work
Also stop adjusting daylight savings for gmt printing.
2015-01-05 13:00 Christos Zoulas <christos@zoulas.com>
* PR#411: Fix memory corruption from corrupt cdf file.
Problems found with existing digests:
Package memconf distfile memconf-2.16/memconf.gz
b6f4b736cac388dddc5070670351cf7262aba048 [recorded]
95748686a5ad8144232f4d4abc9bf052721a196f [calculated]
Problems found locating distfiles:
Package dc-tools: missing distfile dc-tools/abs0-dc-burn-netbsd-1.5-0-gae55ec9
Package ipw-firmware: missing distfile ipw2100-fw-1.2.tgz
Package iwi-firmware: missing distfile ipw2200-fw-2.3.tgz
Package nvnet: missing distfile nvnet-netbsd-src-20050620.tgz
Package syslog-ng: missing distfile syslog-ng-3.7.2.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Bugs fixed:
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in
more places for safety
* Fix for CVE-2014-9620.
* Fix CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487
Changelog:
2014-06-12 12:28 Christos Zoulas <christos@zoulas.com>
* release 5.19
2014-06-09 9:04 Christos Zoulas <christos@zoulas.com>
* Misc buffer overruns and missing buffer size tests in cdf parsing
(Francisco Alonso, Jan Kaluza)
2014-06-02 14:50 Christos Zoulas <christos@zoulas.com>
* Enforce limit of 8K on regex searches that have no limits
* Allow the l modifier for regex to mean line count. Default
to byte count. If line count is specified, assume a max
of 80 characters per line to limit the byte count.
* Don't allow conversions to be used for dates, allowing
the mask field to be used as an offset.
2014-05-30 12:51 Christos Zoulas <christos@zoulas.com>
* Make the range operator limit the length of the
regex search.
2014-05-14 19:23 Christos Zoulas <christos@zoulas.com>
* 347: Windows fixes
* 352: Hangul word processor recognition
* 354: Encoding irregularities in text files
2014-05-06 6:12 Christos Zoulas <christos@zoulas.com>
* Fix uninitialized title in CDF files (Jan Kaluza)
2014-05-04 14:55 Christos Zoulas <christos@zoulas.com>
* 351: Fix compilation of empty files
2014-04-30 17:39 Christos Zoulas <christos@zoulas.com>
* Fix integer formats: We don't specify 'l' or
'h' and 'hh' specifiers anymore, only 'll' for
quads and nothing for the rest. This is so that
magic writing is simpler.
2014-04-01 15:25 Christos Zoulas <christos@zoulas.com>
* 341: Jan Kaluza, fix memory leak
* 342: Jan Kaluza, fix out of bounds read
2014-03-28 15:25 Christos Zoulas <christos@zoulas.com>
* Fix issue with long formats not matching fmtcheck
Changelog:
2014-03-26 11:25 Christos Zoulas <christos@zoulas.com>
* release 5.18
2014-03-15 17:45 Christos Zoulas <christos@zoulas.com>
* add fmtcheck(3) for those who don't have it
2014-03-14 15:12 Christos Zoulas <christos@zoulas.com>
* prevent mime entries from being attached to magic
entries with no descriptions
* adjust magic strength for regex type
* remove superfluous ascmagic with encoding test
2014-03-06 12:01 Christos Zoulas <christos@zoulas.com>
* fix regression fix echo -ne "\012\013\014" | file -i -
which printed "binary" instead of "application/octet-stream"
* add size_t overflow check for magic file size
2014-02-27 16:01 Christos Zoulas <christos@zoulas.com>
* experimental support for matching with CDF CLSID
2014-02-18 13:04 Kimmo Suominen (kimmo@suominen.com)
* Cache old LC_CTYPE locale before setting it to "C", so
we can use it to restore LC_CTYPE instead of asking
setlocale() to scan the environment variables.
<mf+ml.pkgsrc-users@netzwerkagentursaarland.de> on pkgsrc-users.
Changes:
2014-02-12 18:21 Christos Zoulas <christos@zoulas.com>
* Count recursion levels through indirect magic
2014-02-11 10:40 Christos Zoulas <christos@zoulas.com>
* Prevent infinite recursion on files with indirect offsets of 0
2014-01-30 21:00 Christos Zoulas <christos@zoulas.com>
* Add -E flag that makes file print filesystem errors to stderr
and exit.
2014-01-08 17:20 Christos Zoulas <christos@zoulas.com>
* mime printing could print results from multiple magic entries
if there were multiple matches.
* in some cases overflow was not detected when computing offsets
in softmagic.
2013-12-05 12:00 Christos Zoulas <christos@zoulas.com>
* use strcasestr() for cdf strings
* reset to the "C" locale while doing regex operations, or case
insensitive comparisons; this is provisional
2013-11-19 20:10 Christos Zoulas <christos@zoulas.com>
* always leave magic file loaded, don't unload for magic_check, etc.
* fix default encoding to binary instead of unknown which broke recently
* handle empty and one byte files, less specially so that
--mime-encoding does not break completely.
2013-11-06 14:40 Christos Zoulas <christos@zoulas.com>
* fix erroneous non-zero exit code from non-existent file and message
2013-10-29 14:25 Christos Zoulas <christos@zoulas.com>
* add CDF MSI file detection (Guy Helmer)
2013-09-03 11:56 Christos Zoulas <christos@zoulas.com>
* Don't mix errors and regular output if there was an error
* in magic_descriptor() don't close the file and try to restore
its position
2013-05-30 17:25 Christos Zoulas <christos@zoulas.com>
* Don't treat magic as an error if offset was past EOF (Christoph Biedl)
2013-05-28 17:25 Christos Zoulas <christos@zoulas.com>
* Fix spacing issues in softmagic and elf (Jan Kaluza)
2013-05-02 18:00 Christos Zoulas <christos@zoulas.com>
* Fix segmentation fault with multiple magic_load commands.
2013-04-22 11:20 Christos Zoulas <christos@zoulas.com>
* The way "default" was implemented was not very useful
because the "if something was printed at that level"
was not easily controlled by the user, and the format
was bound to a string which is too restrictive. Add
a "clear" for that level keyword and make "default"
void. This way one can do:
>>13 clear x
>>13 lelong 1 foo
>>13 lelong 2 bar
>>13 default x
>>>13 lelong x unknown %x
2013-03-25 13:20 Christos Zoulas <christos@zoulas.com>
* disallow strength setting in "name" entries
2013-03-06 21:24 Christos Zoulas <christos@zoulas.com>
* fix recursive magic separator printing
2013-02-26 19:28 Christos Zoulas <christos@zoulas.com>
* limit recursion level for mget
* fix pread() related breakage in cdf
* handle offsets properly in recursive "use"
2013-02-18 10:39 Christos Zoulas <christos@zoulas.com>
* add elf reading of debug info to determine if file is stripped
(Jan Kaluza)
* use pread()
2013-01-25 18:05 Christos Zoulas <christos@zoulas.com>
* change mime description size from 64 to 80 to accommodate OOXML.
2013-01-11 14:50 Christos Zoulas <christos@zoulas.com>
* Warn about inconsistent continuation levels.
* Change fsmagic to add a space after it prints.
2013-01-10 21:00 Christos Zoulas <christos@zoulas.com>
* Make getline public so that file can link against it.
Perhaps it is better to rename it, or hide it differently.
Fixes builds on platforms that do not provide it.
2013-01-07 16:30 Christos Zoulas <christos@zoulas.com>
* Add SuS d{,1,2,4,8}, u{,1,2,4,8} and document
what long, int, short, etc is (Guy Harris)
2013-01-06 11:20 Christos Zoulas <christos@zoulas.com>
* add magic_version function and constant
* Redo memory allocation and de-allocation.
(prevents double frees on non mmap platforms)
* Fix bug with name/use having to do with passing
found state from the parent to the child and back.
2012-12-19 8:47 Christos Zoulas <christos@zoulas.com>
* Only print elf capabilities for archs we know (Jan Kaluza)
2012-10-30 19:14 Christos Zoulas <christos@zoulas.com>
* Add "name" and "use" file types in order to look
inside mach-o files.
2012-09-06 10:40 Christos Zoulas <christos@zoulas.com>
* make --version exit 0 (Matthew Schultz)
* add string/T (Jan Kaluza)
2012-08-09 2:15 Christos Zoulas <christos@zoulas.com>
* add z and t modifiers for our own vasprintf
* search for $HOME/.magic.mgc if it is there first
* fix reads from a pipe, and preserve errno
2012-05-15 13:12 Christos Zoulas <christos@zoulas.com>
* use ctime_r, asctime_r
2012-04-06 17:18 Christos Zoulas <christos@zoulas.com>
* Fixes for indirect offsets to handle apple disk formats
2012-04-03 18:26 Christos Zoulas <christos@zoulas.com>
* Add windows date field types
* More info for windows shortcuts (incomplete)
- Updating package for file from 5.00 to 5.03
- Adding/updating patch which prevents non-gcc from being invoked
with gcc's warning options
Upstream changes:
2009-05-06 10:25 Christos Zoulas <christos@zoulas.com>
* Avoid null dereference in cdf code (Drew Yao)
* More cdf bounds checks and overflow checks
2009-05-01 18:37 Christos Zoulas <christos@zoulas.com>
* Buffer overflow fixes from Drew Yao
2009-04-30 17:10 Christos Zoulas <christos@zoulas.com>
* Fix more cdf lossage. All the documents I have
right now print the correct information.
2009-03-27 18:43 Christos Zoulas <christos@zoulas.com>
* don't print \012- separators in the same magic entry
if it consists of multiple magic printing lines.
2009-03-23 10:20 Christos Zoulas <christos@zoulas.com>
* Avoid file descriptor leak in compress code from
(Daniel Novotny)
2009-03-18 16:50 Christos Zoulas <christos@zoulas.com>
* Allow escaping of relation characters, so that we can say \^[A-Z]
and the ^ is not eaten as a relation char.
* Fix troff and fortran to their previous glory using
regex. This was broken since their removal from ascmagic.
2009-03-10 16:50 Christos Zoulas <christos@zoulas.com>
* don't use strlen in strndup() (Toby Peterson)
2009-03-10 7:45 Christos Zoulas <christos@zoulas.com>
* avoid c99 syntax.
2009-02-23 15:45 Christos Zoulas <christos@zoulas.com>
* make the cdf code use the buffer first if available,
and then the fd code.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
Pkgsrc changes:
o Adapt patch-aa to new file
Upstream changes:
2008-12-12 15:50 Christos Zoulas <christos@zoulas.com>
* fix initial offset calculation for non 4K sector files
* add loop limits to avoid DoS attacks by constructing
looping sector references.
2008-12-03 13:05 Christos Zoulas <christos@zoulas.com>
* fix memory botches on cdf file parsing.
* exit with non-zero value for any error, not just for the last
file processed.
2008-11-09 20:42 Charles Longeau <chl@tuxfamily.org>
* Replace all str{cpy,cat} functions with strl{cpy,cat}
* Ensure that strl{cpy,cat} are included in libmagic,
as needed.
2008-11-06 18:18 Christos Zoulas <christos@zoulas.com>
* Handle ID3 format files.
2008-11-06 23:00 Reuben Thomas <rrt@sc3d.org>
* Fix --mime, --mime-type and --mime-encoding under new scheme.
* Rename "ascii" to "text" and add "encoding" test.
* Return a precise ("utf-16le" or "utf-16be") MIME charset for
UTF-16.
* Fix error in comment caused by automatic indentation adding
words!
2008-11-06 10:35 Christos Zoulas <christos@astron.com>
* use memchr instead of strchr because the string
might not be NUL terminated (Scott MacVicar)
2008-11-03 07:31 Reuben Thomas <rrt@sc3d.org>
* Fix a printf with a non-literal format string.
* Fix formatting and punctuation of help for "--apple".
2008-10-30 11:00 Reuben Thomas <rrt@sc3d.org>
* Correct words counts in comments of struct magic.
* Fix handle_annotation to allow both Apple and MIME types to be
printed, and to return correct code if MIME type is
printed (1, not 0) or if there's an error (-1 not 1).
* Fix output of charset for MIME type (precede with semi-colon;
fixes Debian bug #501460).
* Fix potential attacks via conversion specifications in magic
strings.
* Add a FIXME for Debian bug #488562 (magic files should be
read in a defined order, by sorting the names).
2008-10-18 16:45 Christos Zoulas <christos@astron.com>
* Added APPLE file creator/type
2008-10-12 10:20 Christos Zoulas <christos@astron.com>
* Added CDF parsing
2008-10-09 16:40 Christos Zoulas <christos@astron.com>
* filesystem and msdos patches (Joerg Jenderek)
2008-10-09 13:20 Christos Zoulas <christos@astron.com>
* correct --exclude documentation issues: remove troff and fortran
and rename "token" to "tokens". (Randy McMurchy)
2008-10-01 10:30 Christos Zoulas <christos@astron.com>
* Read ~/.magic in addition to the default magic file not instead
of, as documented in the man page.
2008-09-10 21:30 Reuben Thomas <rrt@sc3d.org>
* Comment out graphviz patterns, as they match too many files.
2008-08-25 23:56 Reuben Thomas <rrt@sc3d.org>
* Add text/x-lua MIME type for Lua scripts.
* Escape { in regex in graphviz patterns.
After the barrier, the builtin.mk file is parsed with a PATH that includes
LOCALBASE in front, which gives wrong results if file is installed in
LOCALBASE.
New in this release is a BNF file that shows the syntax of magic
files. Many more checks have been added to the magic parser and
badly formatted magic entries have been fixed. There is now a
"default" statement in the magic entries. Finally an exploitable
flaw in the print buffer management has been fixed.
Recent changes include:
2006-10-31 15:14 Christos Zoulas <christos@zoulas.com>
* Check offset before copying (Mike Frysinger)
* merge duplicated code
* add quad date support
* make sure that we nul terminate desc (Ryoji Kanai)
* don't process elf notes multiple times
* allow -z to report empty compressed files
* use calloc to initialize the ascii buffers (Jos van den Oever)
2006-06-08 11:11 Christos Zoulas <christos@zoulas.com>
* QNX fixes (Mike Gorchak)
* Add quad support.
* FIFO checks (Dr. Werner Fink)
* Linux ELF fixes (Dr. Werner Fink)
* Magic format checks (Dr. Werner Fink)
* Magic format function improvement (Karl Chen)
2006-05-03 11:11 Christos Zoulas <christos@zoulas.com>
* Pick up some elf changes and some constant fixes from SUSE
* Identify gnu tar vs. posix tar
* When keep going, don't print spurious newlines (Radek Vokál)
2006-04-01 12:02 Christos Zoulas <christos@zoulas.com>
* Use calloc instead of malloc (Mike Frysinger)
* Fix configure script to detect wctypes.h (Mike Frysinger)
Recent changes include:
2006-03-02 16:06 Christos Zoulas <christos@zoulas.com>
* Print empty if the file is (Mike Frysinger)
* Don't try to read past the end of the buffer (Mike Frysinger)
* Sort magic entries by strength [experimental]
2005-11-29 13:26 Christos Zoulas <christos@zoulas.com>
* Use iswprint() to convert the output string.
(Bastien Nocera)
2005-10-31 8:54 Christos Zoulas <christos@zoulas.com>
* Fix regression where the core info was not completely processed
(Radek Vokál)
2005-10-20 11:15 Christos Zoulas <christos@zoulas.com>
* Middle Endian magic (Diomidis Spinellis)
2005-10-17 11:15 Christos Zoulas <christos@zoulas.com>
* Open with O_BINARY for CYGWIN (Corinna Vinschen)
* Don't close stdin (Arkadiusz Miskiewicz)
* Look for note sections in non executables.
2005-09-20 13:33 Christos Zoulas <christos@zoulas.com>
* Don't print SVR4 Style in core files multiple times
(Radek Vokál)
2005-08-27 04:09 Christos Zoulas <christos@zoulas.com>
* Cygwin changes Corinna Vinschen
2005-08-18 09:53 Christos Zoulas <christos@zoulas.com>
* Remove erroneous mention of /etc/magic in the file man page
This is gentoo bug 101639. (Mike Frysinger)
* Cross-compile support and detection (Mike Frysinger)
2005-08-12 10:17 Christos Zoulas <christos@zoulas.com>
* Add -h flag and dereference symlinks if POSIXLY_CORRECT
is set.
2005-07-29 13:57 Christos Zoulas <christos@zoulas.com>
* Avoid search and regex buffer overflows (Kelledin)
2005-07-12 11:48 Christos Zoulas <christos@zoulas.com>
* Provide stub implementations for {v,}nsprintf() for older
OS's that don't have them.
* Change mbstate_t autoconf detection macro from AC_MBSTATE_T
to AC_TYPE_MBSTATE_T.
2005-06-25 11:48 Christos Zoulas <christos@zoulas.com>
* Dynamically allocate the string buffers and make the
default read size 256K.
2005-06-01 00:00 Joerg Sonnenberger <joerg@britannica.bec.de>
* Dragonfly ELF note support
2005-03-14 00:00 Giuliano Bertoletti <gb@symbolic.it>
* Avoid NULL pointer dereference in time conversion.
2005-03-06 00:00 Joerg Walter <jwalt@mail.garni.ch>
* Add indirect magic offset support, and search mode.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within a day).
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.