user/libid3tag: CVE-2017-11550, change fix for CVE-2008-2109 (#126)

4 files changed, 78 insertions, 18 deletions

diff --git a/user/libid3tag/APKBUILD b/user/libid3tag/APKBUILD
index df96d8b79..0984fc93f 100644
--- a/user/libid3tag/APKBUILD
+++ b/user/libid3tag/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: 
 pkgname=libid3tag
 pkgver=0.15.1b
-pkgrel=9
+pkgrel=10
 pkgdesc="Library for manipulating IDv3 tags in MP3 audio files"
 url="http://www.underbit.com/products/mad/"
 arch="all"
@@ -11,17 +11,24 @@ depends=""
 makedepends="zlib-dev"
 subpackages="$pkgname-dev"
 source="ftp://ftp.mars.org/pub/mpeg/libid3tag-$pkgver.tar.gz
-	CVE-2008-2109.patch
+	CVE-2004-2779.patch
+	CVE-2017-11550.patch
 	"
 
+# secfixes:
+#   0.15.1b-r8:
+#     - CVE-2008-2109
+#   0.15.1b-r10:
+#     - CVE-2004-2779
+#     - CVE-2017-11550
+#     - CVE-2017-11551
+
 prepare() {
-	cd "$builddir"
 	update_config_sub
 	default_prepare
 }
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -33,12 +40,10 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make check
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 	mkdir -p "$pkgdir"/usr/lib/pkgconfig
 	cat > "$pkgdir"/usr/lib/pkgconfig/id3tag.pc <<EOF
@@ -57,4 +62,5 @@ EOF
 }
 
 sha512sums="ade7ce2a43c3646b4c9fdc642095174b9d4938b078b205cd40906d525acd17e87ad76064054a961f391edcba6495441450af2f68be69f116549ca666b069e6d3  libid3tag-0.15.1b.tar.gz
-fc79d44ca9d1435ab5b11d4da6b46d3684827a1384a0156cd88242225f98f3a0668c0d6e6a88159f0c4985fcbdc636777c2f100d7f371eef258a6050d6fde567  CVE-2008-2109.patch"
+4c27e104d45ae34affc1bef8ec613e65c7e4791185d2ef1cb27974ec7025c06c35d30d6278ce7e3107dff959bd55a708246c3c1a9d5ad7b093424cfb93b79f63  CVE-2004-2779.patch
+6627d6e73958309b199a02cd6fa1008a81554151238d8a099dc27e535b8d14f7a9c1ba19894fdf2c927e59c0ca855d50b2f1289f116b45bc41e02d31659d1535  CVE-2017-11550.patch"
diff --git a/user/libid3tag/CVE-2004-2779.patch b/user/libid3tag/CVE-2004-2779.patch
new file mode 100644
index 000000000..b7e1e2280
--- /dev/null
+++ b/user/libid3tag/CVE-2004-2779.patch
@@ -0,0 +1,32 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/
+
+Also fixes:
+
+CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
+CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10
+
+Handle bogus UTF16 sequences that have a length that is not
+an even number of 8 bit characters.
+
+--- libid3tag-0.15.1b/utf16.c	2006-01-13 15:26:29.000000000 +0100
++++ libid3tag-0.15.1b/utf16.c	2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+ 
+   free(utf16);
+ 
++  if (end == *ptr && length % 2 != 0)
++  {
++     /* We were called with a bogus length.  It should always
++      * be an even number.  We can deal with this in a few ways:
++      * - Always give an error.
++      * - Try and parse as much as we can and
++      *   - return an error if we're called again when we
++      *     already tried to parse everything we can.
++      *   - tell that we parsed it, which is what we do here.
++      */
++     (*ptr)++;
++  }
++
+   return ucs4;
+ }
diff --git a/user/libid3tag/CVE-2008-2109.patch b/user/libid3tag/CVE-2008-2109.patch
deleted file mode 100644
index 6226d14af..000000000
--- a/user/libid3tag/CVE-2008-2109.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/field.c.orig	2008-05-05 09:49:15.000000000 -0400
-+++ b/field.c	2008-05-05 09:49:25.000000000 -0400
-@@ -291,7 +291,7 @@
- 
-       end = *ptr + length;
- 
--      while (end - *ptr > 0) {
-+      while (end - *ptr > 0 && **ptr != '\0') {
- 	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
- 	if (ucs4 == 0)
- 	  goto fail;
diff --git a/user/libid3tag/CVE-2017-11550.patch b/user/libid3tag/CVE-2017-11550.patch
new file mode 100644
index 000000000..abf6cbd43
--- /dev/null
+++ b/user/libid3tag/CVE-2017-11550.patch
@@ -0,0 +1,33 @@
+Lifted from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
+
+In case of an unknown/invalid encoding, id3_parse_string() will
+return NULL, but the return value wasn't checked resulting
+in segfault in id3_ucs4_length().  This is the only place
+the return value wasn't checked.
+
+--- libid3tag-0.15.1b/compat.gperf	2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/compat.gperf	2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+ 
+     encoding = id3_parse_uint(&data, 1);
+     string   = id3_parse_string(&data, end - data, encoding, 0);
++    if (!string)
++    {
++	continue;
++    }
+ 
+     if (id3_ucs4_length(string) < 4) {
+       free(string);
+--- libid3tag-0.15.1b/parse.c	2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/parse.c	2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+   case ID3_FIELD_TEXTENCODING_UTF_8:
+     ucs4 = id3_utf8_deserialize(ptr, length);
+     break;
++  default:
++  	/* FIXME: Unknown encoding! Print warning? */
++	return NULL;
+   }
+ 
+   if (ucs4 && !full) {