gnu: libvorbis: Fix CVE-2017-{14632,14633}.

* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
This commit is contained in:
Leo Famulari 2018-01-10 01:04:19 -08:00
parent ce577655a3
commit 138c08899b
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 117 additions and 0 deletions

View File

@ -851,6 +851,8 @@ dist_patch_DATA = \
%D%/packages/patches/libusb-0.1-disable-tests.patch \ %D%/packages/patches/libusb-0.1-disable-tests.patch \
%D%/packages/patches/libusb-for-axoloti.patch \ %D%/packages/patches/libusb-for-axoloti.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \
%D%/packages/patches/libvorbis-CVE-2017-14632.patch \
%D%/packages/patches/libvorbis-CVE-2017-14633.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \

View File

@ -0,0 +1,63 @@
Fix CVE-2017-14632:
https://gitlab.xiph.org/xiph/vorbis/issues/2328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
Patch copied from upstream source repository:
https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 15 Nov 2017 18:22:59 +0100
Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
if not initialized
If the number of channels is not within the allowed range
we call oggback_writeclear altough it's not initialized yet.
This fixes
=23371== Invalid free() / delete / delete[] / realloc()
==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
as seen when using the testcase from CVE-2017-11333 with
008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
there before.
---
lib/info.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/info.c b/lib/info.c
index 7bc4ea4..8d0b2ed 100644
--- a/lib/info.c
+++ b/lib/info.c
@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
private_state *b=v->backend_state;
if(!b||vi->channels<=0||vi->channels>256){
+ b = NULL;
ret=OV_EFAULT;
goto err_out;
}
--
2.15.1

View File

@ -0,0 +1,43 @@
Fix CVE-2017-14633:
https://gitlab.xiph.org/xiph/vorbis/issues/2329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
Patch copied from upstream source repository:
https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Tue, 31 Oct 2017 18:32:46 +0100
Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
Otherwise
for(i=0;i<vi->channels;i++){
/* the encoder setup assumes that all the modes used by any
specific bitrate tweaking use the same floor */
int submap=info->chmuxlist[i];
overreads later in mapping0_forward since chmuxlist is a fixed array of
256 elements max.
---
lib/info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/info.c b/lib/info.c
index fe759ed..7bc4ea4 100644
--- a/lib/info.c
+++ b/lib/info.c
@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
oggpack_buffer opb;
private_state *b=v->backend_state;
- if(!b||vi->channels<=0){
+ if(!b||vi->channels<=0||vi->channels>256){
ret=OV_EFAULT;
goto err_out;
}
--
2.15.1

View File

@ -79,6 +79,7 @@ periodic timestamps for seeking.")
(define libvorbis (define libvorbis
(package (package
(name "libvorbis") (name "libvorbis")
(replacement libvorbis/fixed)
(version "1.3.5") (version "1.3.5")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
"See COPYING in the distribution.")) "See COPYING in the distribution."))
(home-page "http://xiph.org/vorbis/"))) (home-page "http://xiph.org/vorbis/")))
(define libvorbis/fixed
(package
(inherit libvorbis)
(source (origin
(inherit (package-source libvorbis))
(patches (search-patches "libvorbis-CVE-2017-14633.patch"
"libvorbis-CVE-2017-14632.patch"))))))
(define libtheora (define libtheora
(package (package
(name "libtheora") (name "libtheora")