[notify] libvorbis: security fixes for: CVE-2017-14160, CVE-2017-14632, and CVE-2017-14633 closes FS#1595
This commit is contained in:
parent
27d01bcddb
commit
f0344af4ee
@ -1 +1,4 @@
|
||||
943275d84d55dfa072ec3a2566fd9bfa CVE-2017-14160.patch
|
||||
d32bb2a15cde558464ff6b1a7199d9c6 CVE-2017-14632.patch
|
||||
d54deff7374d7205441cf5e4dfd32bee CVE-2017-14633.patch
|
||||
28cb28097c07a735d6af56e598e1c90f libvorbis-1.3.5.tar.xz
|
||||
|
@ -1,5 +1,8 @@
|
||||
untrusted comment: verify with /etc/ports/opt.pub
|
||||
RWSE3ohX2g5d/UIMCRs21S+z38O3cqsSsk5E910XdPfJ54oGNA8VPRaNuGeoJTyDTksoe26yejpyCVC/SSXubHVGihLKojs03AE=
|
||||
SHA256 (Pkgfile) = 493517cd1f5498d39bff632f5becea6dd7ecb18455d73313d6de32c527cc83b0
|
||||
RWSE3ohX2g5d/XBLjepyAeVAsv0mpvzium7JjPBpyQUlW+ZuPdO7oz0ATE3bC1nBn5EHSwuxsNGum4EOVduL32Cr08X2/7IVtwk=
|
||||
SHA256 (Pkgfile) = 833e8c8db431ef3375b53fa800a7d06a33a9b6e62913ff5ec6c8dd5d8c1b51ad
|
||||
SHA256 (.footprint) = 709e3fdd589a25de7fa9ca41700639d37f7dae5eba48fe6cffa354efd8625b37
|
||||
SHA256 (libvorbis-1.3.5.tar.xz) = 54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1
|
||||
SHA256 (CVE-2017-14633.patch) = d1a44c7a683b3d1ab2bd645ef4ee21002cb1c7466975073381ed1e533153e328
|
||||
SHA256 (CVE-2017-14632.patch) = 2fed965880686a145c0da6abbb08224d0ed26e4bf1b1c3a8f7b5d2d33f6bc8e7
|
||||
SHA256 (CVE-2017-14160.patch) = f93bf45de3a21db0fa9bb9cd25edefb1182bf24d61028a86cbf45fbcd11fbdf5
|
||||
|
58
libvorbis/CVE-2017-14160.patch
Normal file
58
libvorbis/CVE-2017-14160.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
|
||||
Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
|
||||
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
||||
Date: Wed, 15 Nov 2017 13:12:00 +0100
|
||||
Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
|
||||
|
||||
---
|
||||
lib/psy.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/psy.c b/lib/psy.c
|
||||
index 422c6f1e..8bbf6cf3 100644
|
||||
--- a/lib/psy.c
|
||||
+++ b/lib/psy.c
|
||||
@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
|
||||
XY[i] = tXY;
|
||||
}
|
||||
|
||||
- for (i = 0, x = 0.f;; i++, x += 1.f) {
|
||||
+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
|
||||
|
||||
lo = b[i] >> 16;
|
||||
if( lo>=0 ) break;
|
||||
@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
|
||||
noise[i] = R - offset;
|
||||
}
|
||||
|
||||
- for ( ;; i++, x += 1.f) {
|
||||
+ for ( ; i < n; i++, x += 1.f) {
|
||||
|
||||
lo = b[i] >> 16;
|
||||
hi = b[i] & 0xffff;
|
||||
if(hi>=n)break;
|
||||
-
|
||||
tN = N[hi] - N[lo];
|
||||
tX = X[hi] - X[lo];
|
||||
tXX = XX[hi] - XX[lo];
|
||||
@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
|
||||
|
||||
if (fixed <= 0) return;
|
||||
|
||||
- for (i = 0, x = 0.f;; i++, x += 1.f) {
|
||||
+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
|
||||
hi = i + fixed / 2;
|
||||
lo = hi - fixed;
|
||||
if(lo>=0)break;
|
||||
@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
|
||||
|
||||
if (R - offset < noise[i]) noise[i] = R - offset;
|
||||
}
|
||||
- for ( ;; i++, x += 1.f) {
|
||||
+ for ( ; i < n; i++, x += 1.f) {
|
||||
|
||||
hi = i + fixed / 2;
|
||||
lo = hi - fixed;
|
||||
--
|
||||
2.15.0
|
||||
|
51
libvorbis/CVE-2017-14632.patch
Normal file
51
libvorbis/CVE-2017-14632.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
||||
Date: Wed, 15 Nov 2017 18:22:59 +0100
|
||||
Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
|
||||
if not initialized
|
||||
|
||||
If the number of channels is not within the allowed range
|
||||
we call oggback_writeclear altough it's not initialized yet.
|
||||
|
||||
This fixes
|
||||
|
||||
=23371== Invalid free() / delete / delete[] / realloc()
|
||||
==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
|
||||
==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
|
||||
==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
|
||||
==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
|
||||
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
|
||||
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
|
||||
==23371== by 0x10D82A: open_output_file (sox.c:1556)
|
||||
==23371== by 0x10D82A: process (sox.c:1753)
|
||||
==23371== by 0x10D82A: main (sox.c:3012)
|
||||
==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
|
||||
==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
|
||||
==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
|
||||
==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
|
||||
==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
|
||||
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
|
||||
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
|
||||
==23371== by 0x10D82A: open_output_file (sox.c:1556)
|
||||
==23371== by 0x10D82A: process (sox.c:1753)
|
||||
==23371== by 0x10D82A: main (sox.c:3012)
|
||||
|
||||
as seen when using the testcase from CVE-2017-11333 with
|
||||
008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
|
||||
there before.
|
||||
---
|
||||
lib/info.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/info.c b/lib/info.c
|
||||
index 7bc4ea42..8d0b2edd 100644
|
||||
--- a/lib/info.c
|
||||
+++ b/lib/info.c
|
||||
@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
|
||||
private_state *b=v->backend_state;
|
||||
|
||||
if(!b||vi->channels<=0||vi->channels>256){
|
||||
+ b = NULL;
|
||||
ret=OV_EFAULT;
|
||||
goto err_out;
|
||||
}
|
31
libvorbis/CVE-2017-14633.patch
Normal file
31
libvorbis/CVE-2017-14633.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
||||
Date: Tue, 31 Oct 2017 18:32:46 +0100
|
||||
Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
|
||||
|
||||
Otherwise
|
||||
|
||||
for(i=0;i<vi->channels;i++){
|
||||
/* the encoder setup assumes that all the modes used by any
|
||||
specific bitrate tweaking use the same floor */
|
||||
int submap=info->chmuxlist[i];
|
||||
|
||||
overreads later in mapping0_forward since chmuxlist is a fixed array of
|
||||
256 elements max.
|
||||
---
|
||||
lib/info.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/info.c b/lib/info.c
|
||||
index fe759edf..7bc4ea42 100644
|
||||
--- a/lib/info.c
|
||||
+++ b/lib/info.c
|
||||
@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
|
||||
oggpack_buffer opb;
|
||||
private_state *b=v->backend_state;
|
||||
|
||||
- if(!b||vi->channels<=0){
|
||||
+ if(!b||vi->channels<=0||vi->channels>256){
|
||||
ret=OV_EFAULT;
|
||||
goto err_out;
|
||||
}
|
@ -1,21 +1,28 @@
|
||||
# Description: Vorbis codec library
|
||||
# URL: http://www.xiph.org/ogg/vorbis/
|
||||
# Maintainer: Jose V Beneyto, sepen at crux dot nu
|
||||
# Packager: Tilman Sauerbeck, tilman at crux dot nu
|
||||
# URL: https://www.xiph.org/ogg/vorbis/
|
||||
# Maintainer: Danny Rawlins, crux at romster dot me
|
||||
# Depends on: libogg
|
||||
|
||||
name=libvorbis
|
||||
version=1.3.5
|
||||
release=1
|
||||
source=(http://downloads.xiph.org/releases/vorbis/$name-$version.tar.xz)
|
||||
release=2
|
||||
source=(https://downloads.xiph.org/releases/vorbis/$name-$version.tar.xz
|
||||
CVE-2017-14633.patch
|
||||
CVE-2017-14632.patch
|
||||
CVE-2017-14160.patch)
|
||||
|
||||
build() {
|
||||
cd $name-$version
|
||||
cd $name-$version
|
||||
|
||||
./configure --prefix=/usr
|
||||
# https://security-tracker.debian.org/tracker/source-package/libvorbis
|
||||
patch -p1 -i $SRC/CVE-2017-14633.patch
|
||||
patch -p1 -i $SRC/CVE-2017-14632.patch
|
||||
patch -p1 -i $SRC/CVE-2017-14160.patch
|
||||
|
||||
make
|
||||
make DESTDIR=$PKG install
|
||||
./configure --prefix=/usr
|
||||
|
||||
rm -rf $PKG/usr/share/doc
|
||||
make
|
||||
make DESTDIR=$PKG install
|
||||
|
||||
rm -rf $PKG/usr/share/doc
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user