[PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.

Status: Done
Submitted by: Leo Famulari
Participants: Leo Famulari, Ludovic Courtès
Owner: unassigned
Severity: normal
Leo Famulari wrote on 10 Jan 2018 10:07
(address . guix-patches@gnu.org)
9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
 gnu/local.mk                                       |  2 +
 .../patches/libvorbis-CVE-2017-14632.patch         | 63 ++++++++++++++++++++++
 .../patches/libvorbis-CVE-2017-14633.patch         | 43 +++++++++++++++
 gnu/packages/xiph.scm                              |  9 ++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch
Toggle diff (160 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 44868d4bb..4b451c7a9 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -851,6 +851,8 @@ dist_patch_DATA = \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ %D%/packages/patches/libusb-for-axoloti.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \+ %D%/packages/patches/libvorbis-CVE-2017-14632.patch \+ %D%/packages/patches/libvorbis-CVE-2017-14633.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patchnew file mode 100644index 000000000..99debf210--- /dev/null+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch@@ -0,0 +1,63 @@+Fix CVE-2017-14632:++https://gitlab.xiph.org/xiph/vorbis/issues/2328+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632++Patch copied from upstream source repository:++https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f++From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>+Date: Wed, 15 Nov 2017 18:22:59 +0100+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb+ if not initialized++If the number of channels is not within the allowed range+we call oggback_writeclear altough it's not initialized yet.++This fixes++ =23371== Invalid free() / delete / delete[] / realloc()+ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)+ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)+ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)+ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)+ ==23371== by 0x4E524F1: ??? 
(in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)+ ==23371== by 0x10D82A: process (sox.c:1753)+ ==23371== by 0x10D82A: main (sox.c:3012)+ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd+ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)+ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)+ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)+ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)+ ==23371== by 0x10D82A: process (sox.c:1753)+ ==23371== by 0x10D82A: main (sox.c:3012)++as seen when using the testcase from CVE-2017-11333 with+008d23b782be09c8d75ba8190b1794abd66c7121 applied. 
However the error was+there before.+---+ lib/info.c | 1 ++ 1 file changed, 1 insertion(+)++diff --git a/lib/info.c b/lib/info.c+index 7bc4ea4..8d0b2ed 100644+--- a/lib/info.c++++ b/lib/info.c+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,+ private_state *b=v->backend_state;+ + if(!b||vi->channels<=0||vi->channels>256){++ b = NULL;+ ret=OV_EFAULT;+ goto err_out;+ }+-- +2.15.1+diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patchnew file mode 100644index 000000000..ec6bf5265--- /dev/null+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch@@ -0,0 +1,43 @@+Fix CVE-2017-14633:++https://gitlab.xiph.org/xiph/vorbis/issues/2329+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633++Patch copied from upstream source repository:++https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993++From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>+Date: Tue, 31 Oct 2017 18:32:46 +0100+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels++Otherwise++ for(i=0;i<vi->channels;i++){+ /* the encoder setup assumes that all the modes used by any+ specific bitrate tweaking use the same floor */+ int submap=info->chmuxlist[i];++overreads later in mapping0_forward since chmuxlist is a fixed array of+256 elements max.+---+ lib/info.c | 2 +-+ 1 file changed, 1 insertion(+), 1 deletion(-)++diff --git a/lib/info.c b/lib/info.c+index fe759ed..7bc4ea4 100644+--- a/lib/info.c++++ b/lib/info.c+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,+ oggpack_buffer opb;+ private_state *b=v->backend_state;+ +- if(!b||vi->channels<=0){++ if(!b||vi->channels<=0||vi->channels>256){+ ret=OV_EFAULT;+ goto err_out;+ }+-- +2.15.1+diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scmindex 9277f57ad..e9ab06de4 100644--- a/gnu/packages/xiph.scm+++ b/gnu/packages/xiph.scm@@ 
-79,6 +79,7 @@ periodic timestamps for seeking.") (define libvorbis (package (name "libvorbis")+ (replacement libvorbis/fixed) (version "1.3.5") (source (origin (method url-fetch)@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to "See COPYING in the distribution.")) (home-page "http://xiph.org/vorbis/"))) +(define libvorbis/fixed+ (package+ (inherit libvorbis)+ (source (origin+ (inherit (package-source libvorbis))+ (patches (search-patches "libvorbis-CVE-2017-14633.patch"+ "libvorbis-CVE-2017-14632.patch"))))))+ (define libtheora (package (name "libtheora")-- 2.15.1
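Review bot: in the CVE-2017-14633 hunk (lib/info.c, `if(!b||vi->channels<=0||vi->channels>256){`), the upper bound is a bare literal. The commit message ties it to chmuxlist being a fixed array of 256 elements, so the check and the array size can drift apart without anyone noticing; suggest deriving the bound from the array itself or from a shared named constant, with a short comment at the check pointing at chmuxlist.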
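Review bot: in the CVE-2017-14632 hunk (lib/info.c, the added `b = NULL;` ahead of `ret=OV_EFAULT; goto err_out;`), the assignment is only meaningful as a signal to the err_out cleanup, which lies outside the visible context, and nothing at the assignment says so. It reuses `b` as an "opb has been initialised" flag, so a later reader could drop it as a dead store and bring back the invalid free shown in the valgrind trace. Suggest a one-line comment at the assignment stating that opb is not initialised on this path and the cleanup must not call oggpack_writeclear on it.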
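Review bot: in the gnu/packages/xiph.scm hunk that defines libvorbis/fixed, the order of the two names passed to `search-patches` is load-bearing but undocumented. The CVE-2017-14632 patch carries `if(!b||vi->channels<=0||vi->channels>256){` as a context line, and that line only exists once the CVE-2017-14633 patch has been applied (index fe759ed..7bc4ea4, then 7bc4ea4..8d0b2ed). A short comment saying 14633 must come first would keep someone from sorting the list numerically and ending up with a patch that no longer applies.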
Ludovic Courtès wrote on 11 Jan 2018 22:24
control message for bug #30061
(address . control@debbugs.gnu.org)
87lgh4nl6o.fsf@gnu.org
tags 30061 security
Ludovic Courtès wrote on 11 Jan 2018 22:25
Re: [bug#30061] [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
(name . Leo Famulari)(address . leo@famulari.name)(address . 30061@debbugs.gnu.org)
87h8rsnl4i.fsf@gnu.org
Hi,
Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> (libvorbis/fixed): New variable.
LGTM.
On ‘core-updates’, should we perform a rebuild instead of grafting?
Thank you!
Ludo’.
Leo Famulari wrote on 11 Jan 2018 23:33
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 30061-done@debbugs.gnu.org)
20180111223322.GA12238@jasmine.lan
On Thu, Jan 11, 2018 at 10:25:33PM +0100, Ludovic Courtès wrote:
> Hi,
>
> Leo Famulari <leo@famulari.name> writes:
>
> > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> > (libvorbis/fixed): New variable.
>
> LGTM.
Pushed as 138c08899ba73049de8afd2b74a8cf6845a1d9e1
> On ‘core-updates’, should we perform a rebuild instead of grafting?

Yes, I merged master into core-updates and ungrafted libvorbis in e6ebc7b13225f0eddc404b7d8e136120b962181e

Closed
This issue is archived.

To comment on this conversation send email to 30061@debbugs.gnu.org