--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hello stable release team,
for the upcoming stable point release, I've just uploaded src:file
("Recognize the type of data in a file using "magic" numbers") as
version 1:5.35-4+deb10u2.
Content:
* Change default for name/use to 50.
Type: limitation relaxed upstream
Debian bug: https://bugs.debian.org/928009
Fixed in in stable and testing: 1:5.38-5 (May 2020)
Problem: The old limit turned out to be too strict, and instead of
avoiding DoS this broke legitimate use of that feature. Also, Paul
Wise (Cc:'ed), asked me repeatedly to backport this to buster, I
trust he has good reason to do so.
Regards,
Christoph
-- System Information:
Debian Release: 10.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.10 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru file-5.35/debian/changelog file-5.35/debian/changelog
--- file-5.35/debian/changelog 2019-10-22 21:57:17.000000000 +0200
+++ file-5.35/debian/changelog 2021-01-25 22:40:17.000000000 +0100
@@ -1,3 +1,9 @@
+file (1:5.35-4+deb10u2) buster; urgency=medium
+
+ * Change default for name/use to 50. Closes: #928009
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Mon, 25 Jan 2021 22:40:17 +0100
+
file (1:5.35-4+deb10u1) buster-security; urgency=high
* Cherry-pick commit to restrict the number of CDF_VECTOR elements.
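Review bot: the new changelog entry at the top of this hunk gives only the new value; it does not say that the previous default was 30 or that the change is a backport from upstream. For a stable update, wording such as "Raise default for name/use from 30 to 50 (backported from upstream)" lets a reader of the changelog judge the change without opening the patch.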
diff -Nru file-5.35/debian/patches/increase.number.use.magic.limit.patch file-5.35/debian/patches/increase.number.use.magic.limit.patch
--- file-5.35/debian/patches/increase.number.use.magic.limit.patch 1970-01-01 01:00:00.000000000 +0100
+++ file-5.35/debian/patches/increase.number.use.magic.limit.patch 2021-01-25 22:40:17.000000000 +0100
@@ -0,0 +1,17 @@
+Subject: Change default for name/use to 50
+Origin: Part of FILE5_38-65-gdf476c81 <https://github.com/file/file/commit/FILE5_38-65-gdf476c81>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Thu Mar 19 20:41:11 2020 +0000
+Bug-Debian: https://bugs.debian.org/928009
+
+--- a/src/file.h
++++ b/src/file.h
+@@ -437,7 +437,7 @@
+ uint16_t regex_max;
+ size_t bytes_max; /* number of bytes to read from file */
+ #define FILE_INDIR_MAX 50
+-#define FILE_NAME_MAX 30
++#define FILE_NAME_MAX 50
+ #define FILE_ELF_SHNUM_MAX 32768
+ #define FILE_ELF_PHNUM_MAX 2048
+ #define FILE_ELF_NOTES_MAX 256
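Review bot: the header says "Part of FILE5_38-65-gdf476c81" but does not say which parts of that commit were left out, and the only change carried here is the FILE_NAME_MAX define in src/file.h. Since this constant is a resource limit, please add a line to the header naming what was omitted and confirming that nothing else in the package (documentation, tests) still states the old default of 30. The Origin URL would also be easier to verify with the full commit hash instead of the git-describe name.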
diff -Nru file-5.35/debian/patches/series file-5.35/debian/patches/series
--- file-5.35/debian/patches/series 2019-10-22 20:57:20.000000000 +0200
+++ file-5.35/debian/patches/series 2021-01-25 22:40:17.000000000 +0100
@@ -18,6 +18,8 @@
cherry-pick.FILE5_36-1-gecca6e54.fix-casts-and-bounds-check-found-by-oss-fuzz.patch
cherry-pick.FILE5_36-24-g9b2f9d6a.cast-to-unsigned-first-to-appease-ubsan-oss-fuzz.patch
cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch
+# part of FILE5_38-65-gdf476c81
+increase.number.use.magic.limit.patch
# patches that should go upstream
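Review bot: the added entry increase.number.use.magic.limit.patch does not follow the cherry-pick.<describe>.<summary>.patch naming used by the entries just above it, so the upstream origin is carried only by the comment line. Consider a file name that includes FILE5_38-65-gdf476c81, or extend the comment to say that only the src/file.h part of that commit was taken.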
--- End Message ---