[PATCH] gnu: mpg321: Fix CVE-2019-14247.

  • Done
  • quality assurance status badge
Details
3 participants
  • Kei Kebreau
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Submitted by
Kei Kebreau
Severity
normal

Debbugs page

Kei Kebreau wrote 4 years ago
(address . guix-patches@gnu.org)(name . Kei Kebreau)(address . kkebreau@posteo.net)
20210316160312.16888-1-kkebreau@posteo.net
* gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/mp3.scm (mpg321)[source]: Apply it.
---
gnu/local.mk | 1 +
gnu/packages/mp3.scm | 4 +++-
.../patches/mpg321-CVE-2019-14247.patch | 23 +++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mpg321-CVE-2019-14247.patch

Toggle diff (58 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index cf8849cf59..abb1e2140d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1404,6 +1404,7 @@ dist_patch_DATA = \
%D%/packages/patches/mit-krb5-hurd.patch \
%D%/packages/patches/mit-krb5-qualify-short-hostnames.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
+ %D%/packages/patches/mpg321-CVE-2019-14247.patch \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/monero-use-system-miniupnpc.patch \
%D%/packages/patches/mono-mdoc-timestamping.patch \
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 34390d3696..dba3e17558 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -408,7 +408,9 @@ command-line tool as well as a C library, libmpg123.")
version "/mpg321-" version ".tar.gz"))
(sha256
(base32
- "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))))
+ "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))
+ (patches
+ (search-patches "mpg321-CVE-2019-14247.patch"))))
(build-system gnu-build-system)
(arguments '(#:configure-flags '("--disable-alsa")))
(inputs
diff --git a/gnu/packages/patches/mpg321-CVE-2019-14247.patch b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
new file mode 100644
index 0000000000..03afaccc67
--- /dev/null
+++ b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
@@ -0,0 +1,23 @@
+This patch was downloaded from https://sourceforge.net/p/mpg321/bugs/51/ and
+fixes CVE-2019-14247.
+
+Description: Handle illegal bitrate value
+Author: Chrysostomos Nanakos <cnanakos@debian.org>
+Bug-Debian: https://bugs.debian.org/870406
+Bug-Debian: https://bugs.debian.org/887057
+
+--- mpg321-0.3.2.orig/mad.c
++++ mpg321-0.3.2/mad.c
+@@ -574,6 +574,12 @@ void scan(void const *ptr, ssize_t len,
+
+ if (!is_vbr)
+ {
++ if (header.bitrate <= 0)
++ {
++ fprintf(stderr, "Illegal bit allocation value\n");
++ return;
++ }
++
+ double time = (len * 8.0) / (header.bitrate); /* time in seconds */
+ double timefrac = (double)time - ((long)(time));
+ long nsamples = 32 * MAD_NSBSAMPLES(&header); /* samples per frame */
--
2.30.1
Leo Famulari wrote 4 years ago
(name . Kei Kebreau)(address . kkebreau@posteo.net)(address . 47194@debbugs.gnu.org)
YFDx3/mJgQY3hqXj@jasmine.lan
On Tue, Mar 16, 2021 at 12:03:12PM -0400, Kei Kebreau wrote:
Toggle quote (4 lines)
> * gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/mp3.scm (mpg321)[source]: Apply it.

Thanks! Please push.
Léo Le Bouter wrote 4 years ago
[PATCH] gnu: mpg321: Fix CVE-2019-14247.
(address . 47194@debbugs.gnu.org)
d9a0c5ec92af286b6b247bc4cbdf33d411ca2287.camel@zaclys.net
LGTM!
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBQ9KoACgkQRaix6GvN
EKbM2xAArmX7SJaZbrffoMKgiRnoIn7D00XVMGX9ZBM6GHrrlR+yqx277bNyxstx
Jgr0pjqknb2gpzZS3rRx/YR0+nuenVxbXf+SlSWKxqFGCqhENXxCr4/R324OlgMf
B9PKrrYh2zFbfUUSTLXzdCEsWuRmH4Cm0oO3UzQXlb9yN/fw2URzY9WDbkhbfV+R
xQuwNTKwD4uBd6Cw7pEOcdngXkemt6FQh7H97msNA9Hd1vAyZJwFuC85Cesu7Vsk
D4CcA5n6Jpfx04ZZ14iySkPFc1KL3naIrD529x4K8nuoqJKXql8/SLfhekwwYTvj
+i4xR51O2W/f+Nr/bdYE4YerxYgSs14UGLmaoiII4a5Hfd6xcgI/tUEJukK2wJb/
gQ53MorNexzMBq9WKFOfd/xFeevsk/0EIeo53OIMhpJ656+2yXljP+aGIkasMPVz
7ZCUvNsEvCd3BDSlbkacYhDJQO4SOCB10sDffVxnLX3o1bS/w3u57Y7OTBNENdU7
6AanxUsIwqEBZ3ItivBRBUTuYd6yswoKl2/IbI1hY/mMXHgHn7AO2sS/5OXvYrL9
NTN0uJfcxUmrJPuoCztDNBeZScZoaT7rOZWGKiFuYLyPImOewOy9JAWAcP4+771D
QefOQYTWh0KQmSaW1nEPfoqYx7V3ZNQtt49xlJQqgp+AGF2LH7A=
=Pg8y
-----END PGP SIGNATURE-----


Léo Le Bouter wrote 4 years ago
5f1f710d4020009be998e32f10abef192385c27d.camel@zaclys.net
Pushed as 109f58444beecd1b9b7c502f2a687a6b91c62dc0

Thanks
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBQ9ecACgkQRaix6GvN
EKa50g/+MxxSvmk9XEE+vHboJSfnM1WGgsGzHPs8pJ0mj4XT+7+Tfh3eUTuIX/mu
utlxKB08tlcAipG7bqBh198ZeDGOpg+aVXP4ZhC5eIs0rkpglAHuCbcDiQN11ke9
NNfU/pasoU+EpB0IgrKk+hnQi29DHver9gS5OHYDhuCtcy3A6SYSukprX2i7W7i0
dEYxiqGykjTtTeryglZ90VEHTScJ6rJLQowtmkRUVwg7ujwjQWAlC9t7XE0GJHL8
yFB1RFfM+6St0QBe1B94tvUFj6bayqSmNZb/YqoL9fDGx6qtNaXG9QPxuO5QWyBs
HiHqplzahOpDpbGjqHOBKkxb4nyBv9ikuvA244jmrT/hijBRqZj/J9Zxs/qgfP/o
t4Akwl9GGjbIZhymA3c1DGogO+K2/1/EnuDHCJQvJmqUzeJFEl5wXXpW0ziSzyyo
f2gDYMfylzE1vzJKz/Q34O7NELr0KVOL1qdjg7oWQdclyezp6Hss8a4kUogt/+Dz
29WcwVYOvSVLaw1j5RLU26ZfZuIIdzsG6HNHhPSGkbY34XECSdMu/t2SBTCjXkl3
hld8t5h1qNkl+ta+XruClHlcpspHEVzxC47H0TaqByBOo5qMdqiEvWy4M0RoZ5S5
rvBP5z86s4jqpZkisytzoIsUTRB1F29/R5Y8xlcWlZKY7YteAm0=
=6c/e
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 47194@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47194
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch
You may also tag this issue. See list of standard tags. For example, to set the confirmed and easy tags
mumi command -t +confirmed -t +easy
Or, remove the moreinfo tag and set the help tag
mumi command -t -moreinfo -t +help