From f0344af4ee764125b3c263d74fd866fcc0610dec Mon Sep 17 00:00:00 2001
From: Danny Rawlins <monster.romster@gmail.com>
Date: Wed, 7 Mar 2018 01:15:29 +1100
Subject: [PATCH] [notify] libvorbis: security fixes for: CVE-2017-14160,
 CVE-2017-14632, and CVE-2017-14633 closes FS#1595

---
 libvorbis/.md5sum              |  3 ++
 libvorbis/.signature           |  7 ++--
 libvorbis/CVE-2017-14160.patch | 58 ++++++++++++++++++++++++++++++++++
 libvorbis/CVE-2017-14632.patch | 51 ++++++++++++++++++++++++++++++
 libvorbis/CVE-2017-14633.patch | 31 ++++++++++++++++++
 libvorbis/Pkgfile              | 27 ++++++++++------
 6 files changed, 165 insertions(+), 12 deletions(-)
 create mode 100644 libvorbis/CVE-2017-14160.patch
 create mode 100644 libvorbis/CVE-2017-14632.patch
 create mode 100644 libvorbis/CVE-2017-14633.patch

diff --git a/libvorbis/.md5sum b/libvorbis/.md5sum
index e3dcf5477..8bbbeef92 100644
--- a/libvorbis/.md5sum
+++ b/libvorbis/.md5sum
@@ -1 +1,4 @@
+943275d84d55dfa072ec3a2566fd9bfa  CVE-2017-14160.patch
+d32bb2a15cde558464ff6b1a7199d9c6  CVE-2017-14632.patch
+d54deff7374d7205441cf5e4dfd32bee  CVE-2017-14633.patch
 28cb28097c07a735d6af56e598e1c90f  libvorbis-1.3.5.tar.xz
diff --git a/libvorbis/.signature b/libvorbis/.signature
index e0f6c770a..15a02858a 100644
--- a/libvorbis/.signature
+++ b/libvorbis/.signature
@@ -1,5 +1,8 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/UIMCRs21S+z38O3cqsSsk5E910XdPfJ54oGNA8VPRaNuGeoJTyDTksoe26yejpyCVC/SSXubHVGihLKojs03AE=
-SHA256 (Pkgfile) = 493517cd1f5498d39bff632f5becea6dd7ecb18455d73313d6de32c527cc83b0
+RWSE3ohX2g5d/XBLjepyAeVAsv0mpvzium7JjPBpyQUlW+ZuPdO7oz0ATE3bC1nBn5EHSwuxsNGum4EOVduL32Cr08X2/7IVtwk=
+SHA256 (Pkgfile) = 833e8c8db431ef3375b53fa800a7d06a33a9b6e62913ff5ec6c8dd5d8c1b51ad
 SHA256 (.footprint) = 709e3fdd589a25de7fa9ca41700639d37f7dae5eba48fe6cffa354efd8625b37
 SHA256 (libvorbis-1.3.5.tar.xz) = 54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1
+SHA256 (CVE-2017-14633.patch) = d1a44c7a683b3d1ab2bd645ef4ee21002cb1c7466975073381ed1e533153e328
+SHA256 (CVE-2017-14632.patch) = 2fed965880686a145c0da6abbb08224d0ed26e4bf1b1c3a8f7b5d2d33f6bc8e7
+SHA256 (CVE-2017-14160.patch) = f93bf45de3a21db0fa9bb9cd25edefb1182bf24d61028a86cbf45fbcd11fbdf5
diff --git a/libvorbis/CVE-2017-14160.patch b/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 000000000..9ad9d18f7
--- /dev/null
+++ b/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,58 @@
+From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
+Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 13:12:00 +0100
+Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
+
+---
+ lib/psy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1e..8bbf6cf3 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+     XY[i] = tXY;
+   }
+ 
+-  for (i = 0, x = 0.f;; i++, x += 1.f) {
++  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+     if( lo>=0 ) break;
+@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
+     noise[i] = R - offset;
+   }
+ 
+-  for ( ;; i++, x += 1.f) {
++  for ( ; i < n; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+     hi = b[i] & 0xffff;
+     if(hi>=n)break;
+-
+     tN = N[hi] - N[lo];
+     tX = X[hi] - X[lo];
+     tXX = XX[hi] - XX[lo];
+@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ 
+   if (fixed <= 0) return;
+ 
+-  for (i = 0, x = 0.f;; i++, x += 1.f) {
++  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+     hi = i + fixed / 2;
+     lo = hi - fixed;
+     if(lo>=0)break;
+@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ 
+     if (R - offset < noise[i]) noise[i] = R - offset;
+   }
+-  for ( ;; i++, x += 1.f) {
++  for ( ; i < n; i++, x += 1.f) {
+ 
+     hi = i + fixed / 2;
+     lo = hi - fixed;
+-- 
+2.15.0
+
diff --git a/libvorbis/CVE-2017-14632.patch b/libvorbis/CVE-2017-14632.patch
new file mode 100644
index 000000000..9ff5a8ca1
--- /dev/null
+++ b/libvorbis/CVE-2017-14632.patch
@@ -0,0 +1,51 @@
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea42..8d0b2edd 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
diff --git a/libvorbis/CVE-2017-14633.patch b/libvorbis/CVE-2017-14633.patch
new file mode 100644
index 000000000..069927c7b
--- /dev/null
+++ b/libvorbis/CVE-2017-14633.patch
@@ -0,0 +1,31 @@
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+      /* the encoder setup assumes that all the modes used by any
+         specific bitrate tweaking use the same floor */
+      int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759edf..7bc4ea42 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+ 
+-  if(!b||vi->channels<=0){
++  if(!b||vi->channels<=0||vi->channels>256){
+     ret=OV_EFAULT;
+     goto err_out;
+   }
diff --git a/libvorbis/Pkgfile b/libvorbis/Pkgfile
index 6036da968..6461bb154 100644
--- a/libvorbis/Pkgfile
+++ b/libvorbis/Pkgfile
@@ -1,21 +1,28 @@
 # Description: Vorbis codec library
-# URL: http://www.xiph.org/ogg/vorbis/
-# Maintainer: Jose V Beneyto, sepen at crux dot nu
-# Packager: Tilman Sauerbeck, tilman at crux dot nu
+# URL: https://www.xiph.org/ogg/vorbis/
+# Maintainer: Danny Rawlins, crux at romster dot me
 # Depends on: libogg
 
 name=libvorbis
 version=1.3.5
-release=1
-source=(http://downloads.xiph.org/releases/vorbis/$name-$version.tar.xz)
+release=2
+source=(https://downloads.xiph.org/releases/vorbis/$name-$version.tar.xz
+	CVE-2017-14633.patch
+	CVE-2017-14632.patch
+	CVE-2017-14160.patch)
 
 build() {
-    cd $name-$version
+	cd $name-$version
 
-    ./configure --prefix=/usr
+	# https://security-tracker.debian.org/tracker/source-package/libvorbis
+	patch -p1 -i $SRC/CVE-2017-14633.patch
+	patch -p1 -i $SRC/CVE-2017-14632.patch
+	patch -p1 -i $SRC/CVE-2017-14160.patch
 
-    make
-    make DESTDIR=$PKG install
+	./configure --prefix=/usr
 
-    rm -rf $PKG/usr/share/doc
+	make
+	make DESTDIR=$PKG install
+
+	rm -rf $PKG/usr/share/doc
 }