summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTanu Kaskinen <tanuk@iki.fi>2018-03-31 05:24:27 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-04-05 14:13:48 (GMT)
commitb12bf1a293f7d477aeb7b309da00f257979a6178 (patch)
tree0ab5d8cb28bbd2f3daa398db8aa023dc0206c192
parent4ec84083df77df017eee5738cff03c8fb4a5a216 (diff)
downloadpoky-b12bf1a293f7d477aeb7b309da00f257979a6178.tar.gz
libvorbis: CVE-2017-14632
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632 (From OE-Core rev: 6dcd8bdd5ffebafec5bbb811243f4dbf3a7038b8) (From OE-Core rev: ccbef3848d749228a7947550f7712b872cff319f) Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch62
-rw-r--r--meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb1
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
new file mode 100644
index 0000000..4036b96
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
@@ -0,0 +1,62 @@
1From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
3Date: Wed, 15 Nov 2017 18:22:59 +0100
4Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
5 if not initialized
6
7If the number of channels is not within the allowed range
8we call oggback_writeclear altough it's not initialized yet.
9
10This fixes
11
12 =23371== Invalid free() / delete / delete[] / realloc()
13 ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
14 ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
15 ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
16 ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
17 ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
18 ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
19 ==23371== by 0x10D82A: open_output_file (sox.c:1556)
20 ==23371== by 0x10D82A: process (sox.c:1753)
21 ==23371== by 0x10D82A: main (sox.c:3012)
22 ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
23 ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
24 ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
25 ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
26 ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
27 ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
28 ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
29 ==23371== by 0x10D82A: open_output_file (sox.c:1556)
30 ==23371== by 0x10D82A: process (sox.c:1753)
31 ==23371== by 0x10D82A: main (sox.c:3012)
32
33as seen when using the testcase from CVE-2017-11333 with
34008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
35there before.
36
37Upstream-Status: Backport
38CVE: CVE-2017-14632
39
40Reference to upstream patch:
41https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
42
43Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
44---
45 lib/info.c | 1 +
46 1 file changed, 1 insertion(+)
47
48diff --git a/lib/info.c b/lib/info.c
49index 81b7557..4d82568 100644
50--- a/lib/info.c
51+++ b/lib/info.c
52@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
53 private_state *b=v->backend_state;
54
55 if(!b||vi->channels<=0||vi->channels>256){
56+ b = NULL;
57 ret=OV_EFAULT;
58 goto err_out;
59 }
60--
612.16.2
62
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 75c2038..11e1de7 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -12,6 +12,7 @@ DEPENDS = "libogg"
12 12
13SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \ 13SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
14 file://CVE-2017-14633.patch \ 14 file://CVE-2017-14633.patch \
15 file://CVE-2017-14632.patch \
15 " 16 "
16SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f" 17SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
17SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1" 18SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"