01/01: gnu: libvorbis: Fix CVE-2017-{14632,14633}.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: libvorbis: Fix CVE-2017-{14632,14633}.

From:	Leo Famulari
Subject:	01/01: gnu: libvorbis: Fix CVE-2017-{14632,14633}.
Date:	Thu, 11 Jan 2018 17:13:49 -0500 (EST)

lfam pushed a commit to branch master
in repository guix.

commit 138c08899ba73049de8afd2b74a8cf6845a1d9e1
Author: Leo Famulari <address@hidden>
Date:   Wed Jan 10 01:04:19 2018 -0800

    gnu: libvorbis: Fix CVE-2017-{14632,14633}.
    
    * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
    gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
    (libvorbis/fixed): New variable.
---
 gnu/local.mk                                       |  2 +
 .../patches/libvorbis-CVE-2017-14632.patch         | 63 ++++++++++++++++++++++
 .../patches/libvorbis-CVE-2017-14633.patch         | 43 +++++++++++++++
 gnu/packages/xiph.scm                              |  9 ++++
 4 files changed, 117 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 8c397d9..eec46af 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/libusb-0.1-disable-tests.patch          \
   %D%/packages/patches/libusb-for-axoloti.patch                        \
   %D%/packages/patches/libvdpau-va-gl-unbundle.patch           \
+  %D%/packages/patches/libvorbis-CVE-2017-14632.patch          \
+  %D%/packages/patches/libvorbis-CVE-2017-14633.patch          \
   %D%/packages/patches/libvpx-CVE-2016-2818.patch              \
   %D%/packages/patches/libxcb-python-3.5-compat.patch          \
   %D%/packages/patches/libxml2-CVE-2016-4658.patch             \
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch 
b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
new file mode 100644
index 0000000..99debf2
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-14632:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <address@hidden>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in 
/usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in 
/usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in 
/usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in 
/usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 
alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in 
/usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in 
/usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in 
/usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in 
/usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea4..8d0b2ed 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch 
b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
new file mode 100644
index 0000000..ec6bf52
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
@@ -0,0 +1,43 @@
+Fix CVE-2017-14633:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2329
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
+
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <address@hidden>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+      /* the encoder setup assumes that all the modes used by any
+         specific bitrate tweaking use the same floor */
+      int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759ed..7bc4ea4 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+ 
+-  if(!b||vi->channels<=0){
++  if(!b||vi->channels<=0||vi->channels>256){
+     ret=OV_EFAULT;
+     goto err_out;
+   }
+-- 
+2.15.1
+
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 9277f57..e9ab06d 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -79,6 +79,7 @@ periodic timestamps for seeking.")
 (define libvorbis
   (package
    (name "libvorbis")
+   (replacement libvorbis/fixed)
    (version "1.3.5")
    (source (origin
             (method url-fetch)
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates 
from 16 to
                                "See COPYING in the distribution."))
    (home-page "http://xiph.org/vorbis/";)))
 
+(define libvorbis/fixed
+  (package
+    (inherit libvorbis)
+    (source (origin
+              (inherit (package-source libvorbis))
+              (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+                                       "libvorbis-CVE-2017-14632.patch"))))))
+
 (define libtheora
   (package
     (name "libtheora")

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (ce57765 -> 138c088), Leo Famulari, 2018/01/11
- 01/01: gnu: libvorbis: Fix CVE-2017-{14632,14633}., Leo Famulari <=

Prev by Date: 02/02: gnu: Add selene.
Next by Date: branch master updated (ce57765 -> 138c088)
Previous by thread: branch master updated (ce57765 -> 138c088)
Next by thread: branch core-updates updated (4610ab7 -> e6ebc7b)
Index(es):
- Date
- Thread