authorTanu Kaskinen <tanuk@iki.fi>2018-03-31 05:24:28 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-04-05 14:13:48 (GMT)
commitd7897f17b98c0021f8adb9ebeb0d9dd71355b027 (patch)
tree84faa76f8e39ac6487c979652954eb2a635c3eb1
parentb12bf1a293f7d477aeb7b309da00f257979a6178 (diff)
downloadpoky-d7897f17b98c0021f8adb9ebeb0d9dd71355b027.tar.gz
libvorbis: CVE-2018-5146
Prevent out-of-bounds write in codebook decoding. The bug could allow code execution from a specially crafted Ogg Vorbis file. References: https://www.debian.org/security/2018/dsa-4140 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146 (From OE-Core rev: 7d5d262c03745e5c61e1e9c84f108d842d16e5ec) (From OE-Core rev: ccf97c35f6153abc639f01c4940dda5e6e8a3fbe) Signed-off-by: Tanu Kaskinen <tanuk@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch100
-rw-r--r--meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb1
2 files changed, 101 insertions, 0 deletions
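diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
new file mode 100644
index 0000000..6d4052a
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
@@ -0,0 +1,100 @@
+From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook
+ decoding.
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+
+Upstream-Status: Backport
+CVE: CVE-2018-5146
+
+Reference to upstream patch:
+https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+
+Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+diff --git a/lib/codebook.c b/lib/codebook.c
+index 8b766e8..7022fd2 100644
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i];
+ }
+ return(0);
+@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ int i,j,entry;
+ float *t;
+
+- if(book->dim>8){
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
+- a[i++]+=t[j++];
+- }
+- }else{
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- j=0;
+- switch((int)book->dim){
+- case 8:
+- a[i++]+=t[j++];
+- case 7:
+- a[i++]+=t[j++];
+- case 6:
+- a[i++]+=t[j++];
+- case 5:
+- a[i++]+=t[j++];
+- case 4:
+- a[i++]+=t[j++];
+- case 3:
+- a[i++]+=t[j++];
+- case 2:
+- a[i++]+=t[j++];
+- case 1:
+- a[i++]+=t[j++];
+- case 0:
+- break;
+- }
+- }
++ for(i=0;i<n;){
++ entry = decode_packed_entry_number(book,b);
++ if(entry==-1)return(-1);
++ t = book->valuelist+entry*book->dim;
++ for(j=0;i<n && j<book->dim;)
++ a[i++]+=t[j++];
+ }
+ }
+ return(0);
+@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
+ long i,j,entry;
+ int chptr=0;
+ if(book->used_entries>0){
+- for(i=offset/ch;i<(offset+n)/ch;){
++ int m=(offset+n)/ch;
++ for(i=offset/ch;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const float *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j];
+ if(chptr==ch){
+ chptr=0;
+--
+2.16.2
+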
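Review bot: In the vorbis_book_decodevv_add hunk the new bound is declared `int m=(offset+n)/ch;` while `offset` and the loop index `i` are `long`, so the value compared in `i<m` is narrowed before it is used; declaring it as `long m=(offset+n)/ch;` keeps the guard in the same type as the index it protects. Whether the quotient can ever exceed `int` range depends on callers that are outside this hunk, so this is a hardening point rather than a demonstrated overflow. The three new loop conditions (`o+j<n`, `i<n`, `i<m`) silently truncate a codebook vector that does not fit the partition, and a short comment such as `/* clamp: codebook dim may not divide the partition size (CVE-2018-5146) */` above each would keep a later optimisation from dropping the check. The bodies of all three functions start or end outside the hunks shown.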
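diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 11e1de7..bd2321f 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -13,6 +13,7 @@ DEPENDS = "libogg"
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
  file://CVE-2017-14633.patch \
  file://CVE-2017-14632.patch \
+ file://CVE-2018-5146.patch \
  "
 SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
 SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"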