diff options
author | Ross Burton <ross.burton@intel.com> | 2019-03-05 16:29:59 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-06 10:39:25 +0000 |
commit | 1cbf28ba2c17f32a63da5f0545994e477c1e8c5a (patch) | |
tree | 7802d51e5824a53d90b1f3c500a8ecd4ec5066f0 /meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch | |
parent | 6c1a511e08628f68ebb2c4e78d6d44affb465e24 (diff) | |
download | poky-1cbf28ba2c17f32a63da5f0545994e477c1e8c5a.tar.gz |
libsndfile1: update security patches
Remove CVE-2017-14245-14246.patch, fix rejected upstream as it doesn't solve the
underlying issue.
Instead 0001-a-ulaw-fix-multiple-buffer-overflows-432 also solves CVE-2017-14245
and CVE-2017-14246 properly.
Add patches for CVE-2017-12562 and CVE-2018-19758.
Refresh CVE-2018-13139.patch.
(From OE-Core rev: a5625df8031985e9c60c34068a4a01c36da40eec)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch')
-rw-r--r-- | meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch new file mode 100644 index 0000000000..491dae3114 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in | ||
2 | libsndfile through 1.0.28 allows remote attackers to cause a denial of service | ||
3 | (application crash) or possibly have unspecified other impact. | ||
4 | |||
5 | CVE: CVE-2017-12562 | ||
6 | Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8] | ||
7 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
8 | |||
9 | From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001 | ||
10 | From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de> | ||
11 | Date: Wed, 14 Jun 2017 12:25:40 +0200 | ||
12 | Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings | ||
13 | in binheader | ||
14 | |||
15 | Fixes the following problems: | ||
16 | 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. | ||
17 | 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the | ||
18 | big switch statement by an amount (16 bytes) which is enough for all cases | ||
19 | where only a single value gets added. Cases 's', 'S', 'p' however | ||
20 | additionally write an arbitrary length block of data and again enlarge the | ||
21 | buffer to the required amount. However, the required space calculation does | ||
22 | not take into account the size of the length field which gets output before | ||
23 | the data. | ||
24 | 3. Buffer size requirement calculation in case 'S' does not account for the | ||
25 | padding byte ("size += (size & 1) ;" happens after the calculation which | ||
26 | uses "size"). | ||
27 | 4. Case 'S' can overrun the header buffer by 1 byte when no padding is | ||
28 | involved | ||
29 | ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while | ||
30 | the buffer is only guaranteed to have "size" space available). | ||
31 | 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte | ||
32 | beyond the space which is guaranteed to be allocated in the header buffer. | ||
33 | 6. Case 's' can overrun the provided source string by 1 byte if padding is | ||
34 | involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" | ||
35 | where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, | ||
36 | plus optionally another 1 which is padding and not guaranteed to be | ||
37 | readable via the source string pointer). | ||
38 | |||
39 | Closes: https://github.com/erikd/libsndfile/issues/292 | ||
40 | --- | ||
41 | src/common.c | 15 +++++++-------- | ||
42 | 1 file changed, 7 insertions(+), 8 deletions(-) | ||
43 | |||
44 | diff --git a/src/common.c b/src/common.c | ||
45 | index 1a6204ca..6b2a2ee9 100644 | ||
46 | --- a/src/common.c | ||
47 | +++ b/src/common.c | ||
48 | @@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | ||
49 | /* Write a C string (guaranteed to have a zero terminator). */ | ||
50 | strptr = va_arg (argptr, char *) ; | ||
51 | size = strlen (strptr) + 1 ; | ||
52 | - size += (size & 1) ; | ||
53 | |||
54 | - if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) | ||
55 | + if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) | ||
56 | return count ; | ||
57 | |||
58 | if (psf->rwf_endian == SF_ENDIAN_BIG) | ||
59 | - header_put_be_int (psf, size) ; | ||
60 | + header_put_be_int (psf, size + (size & 1)) ; | ||
61 | else | ||
62 | - header_put_le_int (psf, size) ; | ||
63 | + header_put_le_int (psf, size + (size & 1)) ; | ||
64 | memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; | ||
65 | + size += (size & 1) ; | ||
66 | psf->header.indx += size ; | ||
67 | psf->header.ptr [psf->header.indx - 1] = 0 ; | ||
68 | count += 4 + size ; | ||
69 | @@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | ||
70 | */ | ||
71 | strptr = va_arg (argptr, char *) ; | ||
72 | size = strlen (strptr) ; | ||
73 | - if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) | ||
74 | + if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) | ||
75 | return count ; | ||
76 | if (psf->rwf_endian == SF_ENDIAN_BIG) | ||
77 | header_put_be_int (psf, size) ; | ||
78 | else | ||
79 | header_put_le_int (psf, size) ; | ||
80 | - memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; | ||
81 | + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; | ||
82 | size += (size & 1) ; | ||
83 | psf->header.indx += size ; | ||
84 | - psf->header.ptr [psf->header.indx] = 0 ; | ||
85 | count += 4 + size ; | ||
86 | break ; | ||
87 | |||
88 | @@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) | ||
89 | size = (size & 1) ? size : size + 1 ; | ||
90 | size = (size > 254) ? 254 : size ; | ||
91 | |||
92 | - if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) | ||
93 | + if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) | ||
94 | return count ; | ||
95 | |||
96 | header_put_byte (psf, size) ; | ||