There's a merged pull request on the void-packages repository

file: add patch for CVE-2019-18218
https://github.com/void-linux/void-packages/pull/15881

Description:
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18218
Patch: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84