Version in base suite: 5.39-3

Base version: file_5.39-3
Target version: file_5.39-3+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/file/file_5.39-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/f/file/file_5.39-3+deb11u1.dsc

 changelog                                                                                            |    7 ++
 patches/cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch |   31 ++++++++++
 patches/series                                                                                       |    1 
 3 files changed, 39 insertions(+)

diff -Nru file-5.39/debian/changelog file-5.39/debian/changelog
--- file-5.39/debian/changelog	2020-11-19 21:21:06.000000000 +0000
+++ file-5.39/debian/changelog	2023-08-30 18:51:00.000000000 +0000
@@ -1,3 +1,10 @@
+file (1:5.39-3+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * stack-based buffer over-read in file_copystr in funcs.c (CVE-2022-48554)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 30 Aug 2023 20:51:00 +0200
+
 file (1:5.39-3) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru file-5.39/debian/patches/cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch file-5.39/debian/patches/cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch
--- file-5.39/debian/patches/cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch	1970-01-01 00:00:00.000000000 +0000
+++ file-5.39/debian/patches/cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch	2023-08-30 18:51:00.000000000 +0000
@@ -0,0 +1,31 @@
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 14 Feb 2022 16:26:10 +0000
+Subject: PR/310: p870613: Don't use strlcpy to copy the string, it will try to
+ scan the source string to find out how much space is needed the source string
+ might not be NUL terminated.
+Origin: https://github.com/file/file/commit/497aabb29cd08d2a5aeb63e45798d65fcbe03502
+Bug: https://bugs.astron.com/view.php?id=310
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48554
+
+---
+ src/funcs.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -51,9 +51,12 @@
+ protected char *
+ file_copystr(char *buf, size_t blen, size_t width, const char *str)
+ {
+-	if (++width > blen)
+-		width = blen;
+-	strlcpy(buf, str, width);
++	if (blen == 0)
++		return buf;
++	if (width >= blen)
++		width = blen - 1;
++	memcpy(buf, str, width);
++	buf[width] = '\0';
+ 	return buf;
+ }
+ 
diff -Nru file-5.39/debian/patches/series file-5.39/debian/patches/series
--- file-5.39/debian/patches/series	2020-11-03 07:01:52.000000000 +0000
+++ file-5.39/debian/patches/series	2023-08-30 18:51:00.000000000 +0000
@@ -2,6 +2,7 @@
 
 # cherry-picked commits. Keep in upstream's chronological order
 cherry-pick.FILE5_39-9-g85b7ab83.include-alternate-format-to-the-list-of-uninteresting-formats.patch
+cherry-pick.FILE5_41-68-g497aabb2.PR-310-p870613-Don-t-use-strlcpy-to-copy-the-string-.patch
 
 # patches that should go upstream
 upstream.disable.att3b.patch