From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
Date: Wed, 10 Jan 2018 01:07:39 -0800
Message-Id: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name>
X-Mailer: git-send-email 2.15.1

* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
 gnu/local.mk | 2 +
 .../patches/libvorbis-CVE-2017-14632.patch | 63 ++++++++++++++++++++++
 .../patches/libvorbis-CVE-2017-14633.patch | 43 +++++++++++++++
 gnu/packages/xiph.scm | 9 ++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch
diff --git a/gnu/local.mk b/gnu/local.mk index 44868d4bb..4b451c7a9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -851,6 +851,8 @@ dist_patch_DATA = \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ %D%/packages/patches/libusb-for-axoloti.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14632.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14633.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch new file mode 100644 index 000000000..99debf210 --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch 
@@ -0,0 +1,63 @@ +Fix CVE-2017-14632: + +https://gitlab.xiph.org/xiph/vorbis/issues/2328 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f + +From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb + if not initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? 
(in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/info.c b/lib/info.c +index 7bc4ea4..8d0b2ed 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch new file mode 100644 index 000000000..ec6bf5265 --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch 
@@ -0,0 +1,43 @@ +Fix CVE-2017-14633: + +https://gitlab.xiph.org/xiph/vorbis/issues/2329 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 + +From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Tue, 31 Oct 2017 18:32:46 +0100 +Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels + +Otherwise + + for(i=0;ichannels;i++){ + /* the encoder setup assumes that all the modes used by any + specific bitrate tweaking use the same floor */ + int submap=info->chmuxlist[i]; + +overreads later in mapping0_forward since chmuxlist is a fixed array of +256 elements max. +--- + lib/info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/info.c b/lib/info.c +index fe759ed..7bc4ea4 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + oggpack_buffer opb; + private_state *b=v->backend_state; + +- if(!b||vi->channels<=0){ ++ if(!b||vi->channels<=0||vi->channels>256){ + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 9277f57ad..e9ab06de4 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -79,6 +79,7 @@ periodic timestamps for seeking.") (define libvorbis (package (name "libvorbis") + (replacement libvorbis/fixed) (version "1.3.5") (source (origin (method url-fetch) 
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to "See COPYING in the distribution.")) (home-page "http://xiph.org/vorbis/"))) +(define libvorbis/fixed + (package + (inherit libvorbis) + (source (origin + (inherit (package-source libvorbis)) + (patches (search-patches "libvorbis-CVE-2017-14633.patch" + "libvorbis-CVE-2017-14632.patch")))))) + (define libtheora (package (name "libtheora") -- 2.15.1
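Review bot: in the libvorbis-CVE-2017-14632.patch hunk for lib/info.c, the added `b = NULL;` before `goto err_out` only prevents the invalid free from the commit message if the err_out path (not part of this hunk) tests `b` before calling oggpack_writeclear on `opb`; since the file is copied verbatim from upstream commit c1c2831fc7306d5fbd7bc800324efd12b28d327f, that should be confirmed against the full upstream diff rather than against the three visible lines. The effect is that an out-of-range channel count now takes the same cleanup route as the existing `!b` (missing backend_state) case, which is what the subject line "Don't clear opb if not initialized" describes.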
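Review bot: in the libvorbis-CVE-2017-14633.patch hunk, the new `vi->channels>256` bound is inclusive of 256, which matches the commit message ("more than 256 channels" and a chmuxlist of 256 elements max), and it rejects with OV_EFAULT exactly like the existing `!b` case, so callers get the same error code for an uninitialized backend and for an over-large channel count. That is upstream's choice and a copied patch should not diverge from it; just be aware that nothing downstream can tell the two failures apart.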
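Review bot: in the gnu/packages/xiph.scm hunk, the order in `(search-patches "libvorbis-CVE-2017-14633.patch" "libvorbis-CVE-2017-14632.patch")` is load-bearing and should be kept: the 14633 patch expects `if(!b||vi->channels<=0){` and produces `index fe759ed..7bc4ea4`, while the 14632 patch expects `if(!b||vi->channels<=0||vi->channels>256){` from `index 7bc4ea4..8d0b2ed`, so listing 14632 first would make it fail to apply. Because the subject line, the commit message and the local.mk entries all list 14632 before 14633, a short comment next to the search-patches call saying that 14633 must apply first would save the next editor from "fixing" the order. Using `replacement` (a graft) instead of rebuilding dependents is appropriate here, since both patches are one-line changes to a bounds check inside vorbis_analysis_headerout and touch no exported interface.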