From: Raphael Kubo da Costa Date: Sat, 2 Nov 2019 12:23:40 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r516311 - in head/sysutils/file: . files X-SVN-Group: ports-head X-SVN-Commit-Author: rakuco X-SVN-Commit-Paths: in head/sysutils/file: . files X-SVN-Commit-Revision: 516311 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Nov 2019 12:23:42 -0000 Author: rakuco Date: Sat Nov 2 12:23:40 2019 New Revision: 516311 URL: https://svnweb.freebsd.org/changeset/ports/516311 Log: Update to 5.37 with patch for CVE-2019-18218. PR: 241424 Submitted by: Nathan Owens Approved by: jharris@widomaker.com (maintainer) MFH: 2019Q4 Security: 381deebb-f5c9-11e9-9c4f-74d435e60b7c Added: head/sysutils/file/files/ head/sysutils/file/files/patch-src_cdf.c (contents, props changed) head/sysutils/file/files/patch-src_cdf.h (contents, props changed) Modified: head/sysutils/file/Makefile head/sysutils/file/distinfo Modified: head/sysutils/file/Makefile ============================================================================== --- head/sysutils/file/Makefile Sat Nov 2 12:22:16 2019 (r516310) +++ head/sysutils/file/Makefile Sat Nov 2 12:23:40 2019 (r516311) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= file -PORTVERSION= 5.36 +PORTVERSION= 5.37 CATEGORIES= sysutils MASTER_SITES= ftp://ftp.astron.com/pub/file/ \ ftp://ftp.fu-berlin.de/unix/tools/file/ Modified: head/sysutils/file/distinfo ============================================================================== --- head/sysutils/file/distinfo Sat Nov 2 12:22:16 2019 (r516310) +++ head/sysutils/file/distinfo Sat Nov 2 12:23:40 2019 (r516311) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1550771584 -SHA256 (file-5.36.tar.gz) = fb608290c0fd2405a8f63e5717abf6d03e22e183fb21884413d1edd918184379 -SIZE (file-5.36.tar.gz) = 875792 +TIMESTAMP = 1571780726 +SHA256 (file-5.37.tar.gz) = e9c13967f7dd339a3c241b7710ba093560b9a33013491318e88e6b8b57bae07f +SIZE (file-5.37.tar.gz) = 887682 Added: head/sysutils/file/files/patch-src_cdf.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/file/files/patch-src_cdf.c Sat Nov 2 12:23:40 2019 (r516311) 
@@ -0,0 +1,71 @@ +--- src/cdf.c.orig 2019-10-22 21:52:28 UTC ++++ src/cdf.c +@@ -35,7 +35,7 @@ + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $") ++FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $") + #endif + + #include +@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35: + #define EFTYPE EINVAL + #endif + ++#ifndef SIZE_T_MAX ++#define SIZE_T_MAX CAST(size_t, ~0ULL) ++#endif ++ + #include "cdf.h" + + #ifdef CDF_DEBUG +@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, siz + const cdf_header_t *h, cdf_secid_t id) + { + size_t ss = CDF_SEC_SIZE(h); +- size_t pos = CDF_SEC_POS(h, id); ++ size_t pos; ++ ++ if (SIZE_T_MAX / ss < CAST(size_t, id)) ++ return -1; ++ ++ pos = CDF_SEC_POS(h, id); + assert(ss == len); + return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len); + } +@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *b + size_t len, const cdf_header_t *h, cdf_secid_t id) + { + size_t ss = CDF_SHORT_SEC_SIZE(h); +- size_t pos = CDF_SHORT_SEC_POS(h, id); ++ size_t pos; ++ ++ if (SIZE_T_MAX / ss < CAST(size_t, id)) ++ return -1; ++ ++ pos = CDF_SHORT_SEC_POS(h, id); + assert(ss == len); + if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { + DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" +@@ -1013,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1056,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { 
Added: head/sysutils/file/files/patch-src_cdf.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/file/files/patch-src_cdf.h Sat Nov 2 12:23:40 2019 (r516311) @@ -0,0 +1,10 @@ +--- src/cdf.h.orig 2019-10-22 21:52:35 UTC ++++ src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 ++#define CDF_ELEMENT_LIMIT 100000 + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1
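Review bot: The first hunk of patch-src_cdf.c (src/cdf.c @@ -35,7) changes only the FILE_RCSID string from 1.114 to 1.116, which is not needed for the CVE-2019-18218 fix. Carrying it in a local port patch gives the patch one more place to fail to apply on the next distfile update; consider dropping that hunk and keeping only the functional changes.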
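Review bot: In the src/cdf.c @@ -53,6 hunk, the fallback `#define SIZE_T_MAX CAST(size_t, ~0ULL)` introduces a non-standard name where C99 already provides SIZE_MAX in <stdint.h>. Defining the fallback as SIZE_MAX when that is available, or using SIZE_MAX directly in the two new guards, would avoid relying on truncation of ~0ULL and make the intent clearer to readers.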
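Review bot: In the cdf_read_sector hunk (src/cdf.c @@ -405,7), the new guard `SIZE_T_MAX / ss < CAST(size_t, id)` rejects negative sector ids only as a side effect of the cast, and cdf_secid_t is a signed int32_t with negative sentinels such as CDF_SECID_FREE (-1) per the cdf.h context lines. An explicit `id < 0` test before the division would state the intent and would not depend on the value of ss. The early `return -1` is also silent, unlike the out-of-bounds branch in cdf_read_short_sector, which logs through DPRINTF; a matching DPRINTF here would help when debugging rejected files.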
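Review bot: In the cdf_read_short_sector hunk (src/cdf.c @@ -415,7), the new guard bounds the multiplication behind `pos`, but the unchanged check that follows, `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)`, still adds `len` to `pos` without a wrap check. Where size_t is 32 bits, an id that passes the guard can leave `pos` close to SIZE_T_MAX, so `pos + len` can wrap and compare as small. Writing the comparison in subtraction form (reject when `len` exceeds the limit, then when `pos` exceeds the limit minus `len`) closes that gap. The guard is also duplicated verbatim from cdf_read_sector; a small shared helper would keep the two in step.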
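Review bot: In the cdf_read_property_info hunk (src/cdf.c @@ -1013,8), `nelements > CDF_ELEMENT_LIMIT || nelements == 0` caps the count at a fixed constant that is unrelated to how much data the property section actually contains. If the remaining section length is available at this point, also checking nelements against it would reject inconsistent counts well below 100000. The combined DPRINTF message no longer says which of the two conditions fired; mentioning the limit in the message would make the debug output self-explanatory.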
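Review bot: In patch-src_cdf.h (src/cdf.h @@ -48,6), `#define CDF_ELEMENT_LIMIT 100000` is added without a comment, next to the equally undocumented CDF_LOOP_LIMIT. A one-line comment stating that it bounds the nelements count of a CDF_VECTOR property in cdf_read_property_info, and why 100000 was chosen, would help anyone who later needs to tune or audit the limit.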