From bfc686181b6c0eaab1750e53c7597518d226941d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Thu, 29 Aug 2019 13:08:34 -0500 Subject: user/libvorbis: new patch for CVE-2018-10392 (#157) Also, use upstream patch for CVE-2017-14160 --- user/libvorbis/APKBUILD | 17 ++++--- user/libvorbis/CVE-2017-14160-and-2018-10393.patch | 27 ++++++++++ user/libvorbis/CVE-2017-14160.patch | 58 ---------------------- user/libvorbis/CVE-2018-10392.patch | 25 ++++++++++ 4 files changed, 62 insertions(+), 65 deletions(-) create mode 100644 user/libvorbis/CVE-2017-14160-and-2018-10393.patch delete mode 100644 user/libvorbis/CVE-2017-14160.patch create mode 100644 user/libvorbis/CVE-2018-10392.patch (limited to 'user/libvorbis') diff --git a/user/libvorbis/APKBUILD b/user/libvorbis/APKBUILD index 2b5b41f4c..73520bf56 100644 --- a/user/libvorbis/APKBUILD +++ b/user/libvorbis/APKBUILD @@ -10,18 +10,21 @@ license="BSD-3-Clause" subpackages="$pkgname-dev $pkgname-doc" makedepends="libogg-dev" source="https://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz - CVE-2017-14160.patch + CVE-2017-14160-and-2018-10393.patch + CVE-2018-10392.patch " # secfixes: +# 1.3.6-r1: +# - CVE-2018-10392 # 1.3.5-r4: -# - CVE-2017-14632 -# - CVE-2017-14633 +# - CVE-2017-14632 +# - CVE-2017-14633 # 1.3.5-r3: -# - CVE-2017-14160 +# - CVE-2017-14160 +# - CVE-2018-10393 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -33,9 +36,9 @@ build() { } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz -4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch" +332081da5dd8fb28ee70dfbc123e7fcef279317ee977be9da97e97a105e788da452c33097bf597f369fea0e49749f876a93d6af0fa2fa20405acbc57771c89a9 CVE-2017-14160-and-2018-10393.patch +294de5e0c40b64d495df7f53196260be5ffaba11c75fc4a1a54ec0c058eeba4793c1ef685c8cf866195a2972c91a7a896df5f05f478b7f25a564abb3f82f331f CVE-2018-10392.patch" diff --git a/user/libvorbis/CVE-2017-14160-and-2018-10393.patch b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch new file mode 100644 index 000000000..3a7097ec7 --- /dev/null +++ b/user/libvorbis/CVE-2017-14160-and-2018-10393.patch @@ -0,0 +1,27 @@ +From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001 +From: Thomas Daede +Date: Wed, 9 May 2018 14:56:59 -0700 +Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates. + +--- + lib/psy.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/psy.c b/lib/psy.c +index 422c6f1..1310123 100644 +--- a/lib/psy.c ++++ b/lib/psy.c +@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b, + for (i = 0, x = 0.f;; i++, x += 1.f) { + + lo = b[i] >> 16; +- if( lo>=0 ) break; + hi = b[i] & 0xffff; ++ if( lo>=0 ) break; ++ if( hi>=n ) break; + + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +-- +2.22.0 + diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch deleted file mode 100644 index 9ad9d18f7..000000000 --- a/user/libvorbis/CVE-2017-14160.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001 -Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org> -From: =?UTF-8?q?Guido=20G=C3=BCnther?= -Date: Wed, 15 Nov 2017 13:12:00 +0100 -Subject: [PATCH] CVE-2017-14160: make sure we don't overflow - ---- - lib/psy.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/lib/psy.c b/lib/psy.c -index 422c6f1e..8bbf6cf3 100644 ---- a/lib/psy.c -+++ b/lib/psy.c -@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b, - XY[i] = tXY; - } - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - if( lo>=0 ) break; -@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b, - noise[i] = R - offset; - } - -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - hi = b[i] & 0xffff; - if(hi>=n)break; -- - tN = N[hi] - N[lo]; - tX = X[hi] - X[lo]; - tXX = XX[hi] - XX[lo]; -@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b, - - if (fixed <= 0) return; - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - hi = i + fixed / 2; - lo = hi - fixed; - if(lo>=0)break; -@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b, - - if (R - offset < noise[i]) noise[i] = R - offset; - } -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - hi = i + fixed / 2; - lo = hi - fixed; --- -2.15.0 - diff --git a/user/libvorbis/CVE-2018-10392.patch b/user/libvorbis/CVE-2018-10392.patch new file mode 100644 index 000000000..a12038a94 --- /dev/null +++ b/user/libvorbis/CVE-2018-10392.patch @@ -0,0 +1,25 @@ +From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001 +From: Thomas Daede +Date: Thu, 17 May 2018 16:19:19 -0700 +Subject: [PATCH] Sanity check number of channels in setup. + +Fixes #2335. +--- + lib/vorbisenc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c +index 4fc7b62..64a51b5 100644 +--- a/lib/vorbisenc.c ++++ b/lib/vorbisenc.c +@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){ + highlevel_encode_setup *hi=&ci->hi; + + if(ci==NULL)return(OV_EINVAL); ++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL); + if(!hi->impulse_block_p)i0=1; + + /* too low/high an ATH floater is nonsensical, but doesn't break anything */ +-- +2.22.0 + -- cgit v1.2.3-60-g2f50