diff options
author | Leo Famulari <leo@famulari.name> | 2018-01-10 01:04:19 -0800 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2018-01-11 14:13:17 -0800 |
commit | 138c08899ba73049de8afd2b74a8cf6845a1d9e1 (patch) | |
tree | 0e7dd7ca0be3498a7b1b5a9b48f1e2361b0107a2 | |
parent | ce577655a3829a64014afcd520c8405114443d89 (diff) | |
download | patches-138c08899ba73049de8afd2b74a8cf6845a1d9e1.tar patches-138c08899ba73049de8afd2b74a8cf6845a1d9e1.tar.gz |
gnu: libvorbis: Fix CVE-2017-{14632,14633}.
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/patches/libvorbis-CVE-2017-14632.patch | 63 | ||||
-rw-r--r-- | gnu/packages/patches/libvorbis-CVE-2017-14633.patch | 43 | ||||
-rw-r--r-- | gnu/packages/xiph.scm | 9 |
4 files changed, 117 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8c397d9256..eec46af0d0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -851,6 +851,8 @@ dist_patch_DATA = \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ %D%/packages/patches/libusb-for-axoloti.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14632.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14633.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch new file mode 100644 index 0000000000..99debf2104 --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch @@ -0,0 +1,63 @@ +Fix CVE-2017-14632: + +https://gitlab.xiph.org/xiph/vorbis/issues/2328 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f + +From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb + if not initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/info.c b/lib/info.c +index 7bc4ea4..8d0b2ed 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch new file mode 100644 index 0000000000..ec6bf5265c --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch @@ -0,0 +1,43 @@ +Fix CVE-2017-14633: + +https://gitlab.xiph.org/xiph/vorbis/issues/2329 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 + +From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> +Date: Tue, 31 Oct 2017 18:32:46 +0100 +Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels + +Otherwise + + for(i=0;i<vi->channels;i++){ + /* the encoder setup assumes that all the modes used by any + specific bitrate tweaking use the same floor */ + int submap=info->chmuxlist[i]; + +overreads later in mapping0_forward since chmuxlist is a fixed array of +256 elements max. +--- + lib/info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/info.c b/lib/info.c +index fe759ed..7bc4ea4 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + oggpack_buffer opb; + private_state *b=v->backend_state; + +- if(!b||vi->channels<=0){ ++ if(!b||vi->channels<=0||vi->channels>256){ + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 9277f57ad4..e9ab06de42 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -79,6 +79,7 @@ periodic timestamps for seeking.") (define libvorbis (package (name "libvorbis") + (replacement libvorbis/fixed) (version "1.3.5") (source (origin (method url-fetch) @@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to "See COPYING in the distribution.")) (home-page "http://xiph.org/vorbis/"))) +(define libvorbis/fixed + (package + (inherit libvorbis) + (source (origin + (inherit (package-source libvorbis)) + (patches (search-patches "libvorbis-CVE-2017-14633.patch" + "libvorbis-CVE-2017-14632.patch")))))) + (define libtheora (package (name "libtheora") |