diff options
| -rw-r--r-- | user/libid3tag/APKBUILD | 20 | ||||
| -rw-r--r-- | user/libid3tag/CVE-2004-2779.patch | 32 | ||||
| -rw-r--r-- | user/libid3tag/CVE-2008-2109.patch | 11 | ||||
| -rw-r--r-- | user/libid3tag/CVE-2017-11550.patch | 33 |
4 files changed, 78 insertions, 18 deletions
diff --git a/user/libid3tag/APKBUILD b/user/libid3tag/APKBUILD index df96d8b79..0984fc93f 100644 --- a/user/libid3tag/APKBUILD +++ b/user/libid3tag/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=libid3tag pkgver=0.15.1b -pkgrel=9 +pkgrel=10 pkgdesc="Library for manipulating IDv3 tags in MP3 audio files" url="http://www.underbit.com/products/mad/" arch="all" @@ -11,17 +11,24 @@ depends="" makedepends="zlib-dev" subpackages="$pkgname-dev" source="ftp://ftp.mars.org/pub/mpeg/libid3tag-$pkgver.tar.gz - CVE-2008-2109.patch + CVE-2004-2779.patch + CVE-2017-11550.patch " +# secfixes: +# 0.15.1b-r8: +# - CVE-2008-2109 +# 0.15.1b-r10: +# - CVE-2004-2779 +# - CVE-2017-11550 +# - CVE-2017-11551 + prepare() { - cd "$builddir" update_config_sub default_prepare } build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -33,12 +40,10 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install mkdir -p "$pkgdir"/usr/lib/pkgconfig cat > "$pkgdir"/usr/lib/pkgconfig/id3tag.pc <<EOF @@ -57,4 +62,5 @@ EOF } sha512sums="ade7ce2a43c3646b4c9fdc642095174b9d4938b078b205cd40906d525acd17e87ad76064054a961f391edcba6495441450af2f68be69f116549ca666b069e6d3 libid3tag-0.15.1b.tar.gz -fc79d44ca9d1435ab5b11d4da6b46d3684827a1384a0156cd88242225f98f3a0668c0d6e6a88159f0c4985fcbdc636777c2f100d7f371eef258a6050d6fde567 CVE-2008-2109.patch" +4c27e104d45ae34affc1bef8ec613e65c7e4791185d2ef1cb27974ec7025c06c35d30d6278ce7e3107dff959bd55a708246c3c1a9d5ad7b093424cfb93b79f63 CVE-2004-2779.patch +6627d6e73958309b199a02cd6fa1008a81554151238d8a099dc27e535b8d14f7a9c1ba19894fdf2c927e59c0ca855d50b2f1289f116b45bc41e02d31659d1535 CVE-2017-11550.patch" diff --git a/user/libid3tag/CVE-2004-2779.patch b/user/libid3tag/CVE-2004-2779.patch new file mode 100644 index 000000000..b7e1e2280 --- /dev/null +++ b/user/libid3tag/CVE-2004-2779.patch @@ -0,0 +1,32 @@ +Lifted from Debian: +https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/ + +Also fixes: + +CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12 +CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10 + +Handle bogus UTF16 sequences that have a length that is not +an even number of 8 bit characters. + +--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 ++++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 +@@ -282,5 +282,18 @@ + + free(utf16); + ++ if (end == *ptr && length % 2 != 0) ++ { ++ /* We were called with a bogus length. It should always ++ * be an even number. We can deal with this in a few ways: ++ * - Always give an error. ++ * - Try and parse as much as we can and ++ * - return an error if we're called again when we ++ * already tried to parse everything we can. ++ * - tell that we parsed it, which is what we do here. ++ */ ++ (*ptr)++; ++ } ++ + return ucs4; + } diff --git a/user/libid3tag/CVE-2008-2109.patch b/user/libid3tag/CVE-2008-2109.patch deleted file mode 100644 index 6226d14af..000000000 --- a/user/libid3tag/CVE-2008-2109.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/field.c.orig 2008-05-05 09:49:15.000000000 -0400 -+++ b/field.c 2008-05-05 09:49:25.000000000 -0400 -@@ -291,7 +291,7 @@ - - end = *ptr + length; - -- while (end - *ptr > 0) { -+ while (end - *ptr > 0 && **ptr != '\0') { - ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0); - if (ucs4 == 0) - goto fail; diff --git a/user/libid3tag/CVE-2017-11550.patch b/user/libid3tag/CVE-2017-11550.patch new file mode 100644 index 000000000..abf6cbd43 --- /dev/null +++ b/user/libid3tag/CVE-2017-11550.patch @@ -0,0 +1,33 @@ +Lifted from Debian: +https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/ + +In case of an unknown/invalid encoding, id3_parse_string() will +return NULL, but the return value wasn't checked resulting +in segfault in id3_ucs4_length(). This is the only place +the return value wasn't checked. + +--- libid3tag-0.15.1b/compat.gperf 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000 +@@ -236,6 +236,10 @@ + + encoding = id3_parse_uint(&data, 1); + string = id3_parse_string(&data, end - data, encoding, 0); ++ if (!string) ++ { ++ continue; ++ } + + if (id3_ucs4_length(string) < 4) { + free(string); +--- libid3tag-0.15.1b/parse.c 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000 +@@ -165,6 +165,9 @@ + case ID3_FIELD_TEXTENCODING_UTF_8: + ucs4 = id3_utf8_deserialize(ptr, length); + break; ++ default: ++ /* FIXME: Unknown encoding! Print warning? */ ++ return NULL; + } + + if (ucs4 && !full) { |