Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hello stable release team,

for the upcoming stable point release, I've just uploaded src:file ("Recognize the type of data in a file using "magic" numbers") as version 1:5.35-4+deb10u2.

Content:

* Change default for name/use to 50.

Type: limitation relaxed upstream
Debian bug: https://bugs.debian.org/928009
Fixed in stable and testing: 1:5.38-5 (May 2020)

Problem: The old limit turned out to be too strict, and instead of avoiding DoS this broke legitimate use of that feature.

Also, Paul Wise (Cc:'ed) asked me repeatedly to backport this to buster; I trust he has good reason to do so.

Regards,

    Christoph

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.10 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru file-5.35/debian/changelog file-5.35/debian/changelog --- file-5.35/debian/changelog 2019-10-22 21:57:17.000000000 +0200 +++ file-5.35/debian/changelog 2021-01-25 22:40:17.000000000 +0100 @@ -1,3 +1,9 @@ +file (1:5.35-4+deb10u2) buster; urgency=medium + + * Change default for name/use to 50. Closes: #928009 + + -- Christoph Biedl <debian.a...@manchmal.in-ulm.de> Mon, 25 Jan 2021 22:40:17 +0100 + file (1:5.35-4+deb10u1) buster-security; urgency=high * Cherry-pick commit to restrict the number of CDF_VECTOR elements. diff -Nru file-5.35/debian/patches/increase.number.use.magic.limit.patch file-5.35/debian/patches/increase.number.use.magic.limit.patch --- file-5.35/debian/patches/increase.number.use.magic.limit.patch 1970-01-01 01:00:00.000000000 +0100 +++ file-5.35/debian/patches/increase.number.use.magic.limit.patch 2021-01-25 22:40:17.000000000 +0100 @@ -0,0 +1,17 @@ +Subject: Change default for name/use to 50 +Origin: Part of FILE5_38-65-gdf476c81 <https://github.com/file/file/commit/FILE5_38-65-gdf476c81> +Upstream-Author: Christos Zoulas <chris...@zoulas.com> +Date: Thu Mar 19 20:41:11 2020 +0000 +Bug-Debian: https://bugs.debian.org/928009 + +--- a/src/file.h ++++ b/src/file.h +@@ -437,7 +437,7 @@ + uint16_t regex_max; + size_t bytes_max; /* number of bytes to read from file */ + #define FILE_INDIR_MAX 50 +-#define FILE_NAME_MAX 30 ++#define FILE_NAME_MAX 50 + #define FILE_ELF_SHNUM_MAX 32768 + #define FILE_ELF_PHNUM_MAX 2048 + #define FILE_ELF_NOTES_MAX 256 diff -Nru file-5.35/debian/patches/series file-5.35/debian/patches/series --- file-5.35/debian/patches/series 2019-10-22 20:57:20.000000000 +0200 +++ file-5.35/debian/patches/series 2021-01-25 22:40:17.000000000 +0100 
@@ -18,6 +18,8 @@ cherry-pick.FILE5_36-1-gecca6e54.fix-casts-and-bounds-check-found-by-oss-fuzz.patch cherry-pick.FILE5_36-24-g9b2f9d6a.cast-to-unsigned-first-to-appease-ubsan-oss-fuzz.patch cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch +# part of FILE5_38-65-gdf476c81 +increase.number.use.magic.limit.patch # patches that should go upstream
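
Review bot: The header of debian/patches/increase.number.use.magic.limit.patch carries no Description, and "Part of FILE5_38-65-gdf476c81" does not say which parts of the upstream commit were left out. Because FILE_NAME_MAX is a limit that was introduced to bound work on hostile input, the patch header should record why 30 was too low (the breakage tracked in #928009) and note that the new value equals FILE_INDIR_MAX 50 on the line above, so a later reader can judge the trade-off without opening the bug.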
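
Review bot: In the debian/changelog hunk, the entry "Change default for name/use to 50" names neither the previous value nor the constant being changed. Wording such as "Raise default name/use limit (FILE_NAME_MAX) from 30 to 50. Closes: #928009" would make the point-release changelog self-explanatory for administrators who only read that file.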