[PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 10 Jan 2018 10:07
(address . guix-patches@gnu.org)
9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
gnu/local.mk | 2 +
.../patches/libvorbis-CVE-2017-14632.patch | 63 ++++++++++++++++++++++
.../patches/libvorbis-CVE-2017-14633.patch | 43 +++++++++++++++
gnu/packages/xiph.scm | 9 ++++
4 files changed, 117 insertions(+)
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch

Toggle diff (160 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 44868d4bb..4b451c7a9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,8 @@ dist_patch_DATA = \
%D%/packages/patches/libusb-0.1-disable-tests.patch \
%D%/packages/patches/libusb-for-axoloti.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14632.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14633.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
new file mode 100644
index 000000000..99debf210
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-14632:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+ =23371== Invalid free() / delete / delete[] / realloc()
+ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea4..8d0b2ed 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ private_state *b=v->backend_state;
+
+ if(!b||vi->channels<=0||vi->channels>256){
++ b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
new file mode 100644
index 000000000..ec6bf5265
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
@@ -0,0 +1,43 @@
+Fix CVE-2017-14633:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2329
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
+
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+ /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+ int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759ed..7bc4ea4 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ oggpack_buffer opb;
+ private_state *b=v->backend_state;
+
+- if(!b||vi->channels<=0){
++ if(!b||vi->channels<=0||vi->channels>256){
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 9277f57ad..e9ab06de4 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -79,6 +79,7 @@ periodic timestamps for seeking.")
(define libvorbis
(package
(name "libvorbis")
+ (replacement libvorbis/fixed)
(version "1.3.5")
(source (origin
(method url-fetch)
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
"See COPYING in the distribution."))
(home-page "http://xiph.org/vorbis/")))
+(define libvorbis/fixed
+ (package
+ (inherit libvorbis)
+ (source (origin
+ (inherit (package-source libvorbis))
+ (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+ "libvorbis-CVE-2017-14632.patch"))))))
+
(define libtheora
(package
(name "libtheora")
--
2.15.1
L
L
Ludovic Courtès wrote on 11 Jan 2018 22:24
control message for bug #30061
(address . control@debbugs.gnu.org)
87lgh4nl6o.fsf@gnu.org
tags 30061 security
L
L
Ludovic Courtès wrote on 11 Jan 2018 22:25
Re: [bug#30061] [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
(name . Leo Famulari)(address . leo@famulari.name)(address . 30061@debbugs.gnu.org)
87h8rsnl4i.fsf@gnu.org
Hi,

Leo Famulari <leo@famulari.name> skribis:

Toggle quote (6 lines)
> * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> (libvorbis/fixed): New variable.

LGTM.

On ‘core-updates’, should we perform a rebuild instead of grafting?

Thank you!

Ludo’.
L
L
Leo Famulari wrote on 11 Jan 2018 23:33
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 30061-done@debbugs.gnu.org)
20180111223322.GA12238@jasmine.lan
On Thu, Jan 11, 2018 at 10:25:33PM +0100, Ludovic Courtès wrote:
Toggle quote (12 lines)
> Hi,
>
> Leo Famulari <leo@famulari.name> skribis:
>
> > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> > (libvorbis/fixed): New variable.
>
> LGTM.

Pushed as 138c08899ba73049de8afd2b74a8cf6845a1d9e1

Toggle quote (2 lines)
> On ‘core-updates’, should we perform a rebuild instead of grafting?

Yes, I merged master into core-updates and ungrafted libvorbis in
e6ebc7b13225f0eddc404b7d8e136120b962181e
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpX5jIACgkQJkb6MLrK
fwjXeA//QpH4EHthoNVDzlsLhf+xSUKWTh5zTRkRR5hQZPlikKEqJB9gDrMVv71Z
06HY2f9Yz2W8b+vxsBPFo6tYeiVOyUZ3LrK3CbejYNo82LO84NGGJZteakwIL7cz
MftHSZgEPmZSD82KVqfDPL/As3+BsKBmi/U6FE1DnKEdBLtsERgq7ErCD5GdLpnb
94l1uFLONTQymO4FOwafaGbOGCPBUdk1rcnx2mTZgmuo6RgkcblRq719rPk/RXIC
aIab0ovTaM4A3hATXn20yfPVaPylb1xZpU/Pu0Q6P67gX5Ln1X8J9TfaVi60+Oz/
VUF2Hy0OvmVukvmHS4KnhO92ixIDQOgpMnC1pMEhyEVTZMr7B6Ni1eKWav9EAhUz
iDUL9li/jHnqbKQWFW/3zs2lqC0jgSn+1yUxGOTKRWLj7sxC0L7Bdcp+DGH86sU/
kDaMFZ6iFY+HfcXKh/5WcOYJjm4p5Su1QeKKwQpdkJLmIuYUSkmf8pwXYkzZ5486
hR7KOjMimEXH5jOHrQsCAO3EgS83l3K+M6tWx9yORmZvuMDKi6I9+wJ3bh+GKAVF
pHRvSMfP2psrEvuHy15Ecmnsui1HyiohFfE7aJGSPpUqNm9UTKG0PVhv3tK4UwL9
OpW05WDJxqJfo1u9dF4+P1Amm2+M7MkYjShym9lkBvnSKliHn5I=
=thrW
-----END PGP SIGNATURE-----


Closed
?