summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libsndfile
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-03-05 16:29:59 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-06 10:39:25 +0000
commit1cbf28ba2c17f32a63da5f0545994e477c1e8c5a (patch)
tree7802d51e5824a53d90b1f3c500a8ecd4ec5066f0 /meta/recipes-multimedia/libsndfile
parent6c1a511e08628f68ebb2c4e78d6d44affb465e24 (diff)
downloadpoky-1cbf28ba2c17f32a63da5f0545994e477c1e8c5a.tar.gz
libsndfile1: update security patches
Remove CVE-2017-14245-14246.patch, fix rejected upstream as it doesn't solve the underlying issue. Instead 0001-a-ulaw-fix-multiple-buffer-overflows-432 also solves CVE-2017-14245 and CVE-2017-14246 properly. Add patches for CVE-2017-12562 and CVE-2018-19758. Refresh CVE-2018-13139.patch. (From OE-Core rev: a5625df8031985e9c60c34068a4a01c36da40eec) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libsndfile')
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch18
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch96
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch121
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch30
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch34
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb3
6 files changed, 160 insertions, 142 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
index c3f44ca235..a4679cef2a 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch
@@ -1,3 +1,15 @@
1This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456
2CVE-2017-17457). As per
3https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also
4fixes #317 (CVE-2017-14245 CVE-2017-14246).
5
6CVE: CVE-2017-14245 CVE-2017-14246
7CVE: CVE-2017-17456 CVE-2017-17457
8CVE: CVE-2018-19661 CVE-2018-19662
9
10Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f]
11Signed-off-by: Ross Burton <ross.burton@intel.com>
12
1From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 13From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com> 14From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 7 Jan 2019 15:55:03 +0800 15Date: Mon, 7 Jan 2019 15:55:03 +0800
@@ -17,12 +29,6 @@ In this case, arbitrarily set the buffer value to 0.
17This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and 29This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
18fixes #344 (CVE-2017-17456 and CVE-2017-17457). 30fixes #344 (CVE-2017-17456 and CVE-2017-17457).
19 31
20Upstream-Status: Backport[https://github.com/erikd/libsndfile/
21commit/585cc28a93be27d6938f276af0011401b9f7c0ca]
22
23CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662
24
25Signed-off-by: Changqing Li <changqing.li@windriver.com>
26--- 32---
27 src/alaw.c | 9 +++++++-- 33 src/alaw.c | 9 +++++++--
28 src/ulaw.c | 9 +++++++-- 34 src/ulaw.c | 9 +++++++--
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
new file mode 100644
index 0000000000..491dae3114
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch
@@ -0,0 +1,96 @@
1Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in
2libsndfile through 1.0.28 allows remote attackers to cause a denial of service
3(application crash) or possibly have unspecified other impact.
4
5CVE: CVE-2017-12562
6Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8]
7Signed-off-by: Ross Burton <ross.burton@intel.com>
8
9From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001
10From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
11Date: Wed, 14 Jun 2017 12:25:40 +0200
12Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
13 in binheader
14
15Fixes the following problems:
16 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
17 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
18 big switch statement by an amount (16 bytes) which is enough for all cases
19 where only a single value gets added. Cases 's', 'S', 'p' however
20 additionally write an arbitrary length block of data and again enlarge the
21 buffer to the required amount. However, the required space calculation does
22 not take into account the size of the length field which gets output before
23 the data.
24 3. Buffer size requirement calculation in case 'S' does not account for the
25 padding byte ("size += (size & 1) ;" happens after the calculation which
26 uses "size").
27 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
28 involved
29 ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
30 the buffer is only guaranteed to have "size" space available).
31 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
32 beyond the space which is guaranteed to be allocated in the header buffer.
33 6. Case 's' can overrun the provided source string by 1 byte if padding is
34 involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
35 where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
36 plus optionally another 1 which is padding and not guaranteed to be
37 readable via the source string pointer).
38
39Closes: https://github.com/erikd/libsndfile/issues/292
40---
41 src/common.c | 15 +++++++--------
42 1 file changed, 7 insertions(+), 8 deletions(-)
43
44diff --git a/src/common.c b/src/common.c
45index 1a6204ca..6b2a2ee9 100644
46--- a/src/common.c
47+++ b/src/common.c
48@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
49 /* Write a C string (guaranteed to have a zero terminator). */
50 strptr = va_arg (argptr, char *) ;
51 size = strlen (strptr) + 1 ;
52- size += (size & 1) ;
53
54- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
55+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
56 return count ;
57
58 if (psf->rwf_endian == SF_ENDIAN_BIG)
59- header_put_be_int (psf, size) ;
60+ header_put_be_int (psf, size + (size & 1)) ;
61 else
62- header_put_le_int (psf, size) ;
63+ header_put_le_int (psf, size + (size & 1)) ;
64 memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
65+ size += (size & 1) ;
66 psf->header.indx += size ;
67 psf->header.ptr [psf->header.indx - 1] = 0 ;
68 count += 4 + size ;
69@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
70 */
71 strptr = va_arg (argptr, char *) ;
72 size = strlen (strptr) ;
73- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
74+ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
75 return count ;
76 if (psf->rwf_endian == SF_ENDIAN_BIG)
77 header_put_be_int (psf, size) ;
78 else
79 header_put_le_int (psf, size) ;
80- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
81+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
82 size += (size & 1) ;
83 psf->header.indx += size ;
84- psf->header.ptr [psf->header.indx] = 0 ;
85 count += 4 + size ;
86 break ;
87
88@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
89 size = (size & 1) ? size : size + 1 ;
90 size = (size > 254) ? 254 : size ;
91
92- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
93+ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
94 return count ;
95
96 header_put_byte (psf, size) ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
deleted file mode 100644
index a17ec21f98..0000000000
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
+++ /dev/null
@@ -1,121 +0,0 @@
1From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
2From: Fabian Greffrath <fabian@greffrath.com>
3Date: Wed, 27 Sep 2017 14:46:17 +0200
4Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
5 normal
6
7and check elements of the data[] array for being finite.
8
9Both checks use functions provided by the <math.h> header as declared
10by the C99 standard.
11
12Fixes #317
13CVE: CVE-2017-14245
14CVE: CVE-2017-14246
15
16Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
17
18Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
19Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
20---
21 programs/common.c | 20 ++++++++++++++++----
22 programs/common.h | 2 +-
23 programs/sndfile-convert.c | 6 +++++-
24 3 files changed, 22 insertions(+), 6 deletions(-)
25
26diff --git a/programs/common.c b/programs/common.c
27index a21e62c..a249a58 100644
28--- a/programs/common.c
29+++ b/programs/common.c
30@@ -36,6 +36,7 @@
31 #include <string.h>
32 #include <ctype.h>
33 #include <stdint.h>
34+#include <math.h>
35
36 #include <sndfile.h>
37
38@@ -45,7 +46,7 @@
39
40 #define MIN(x, y) ((x) < (y) ? (x) : (y))
41
42-void
43+int
44 sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
45 { static double data [BUFFER_LEN], max ;
46 int frames, readcount, k ;
47@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
48 readcount = frames ;
49
50 sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
51+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
52+ return 1 ;
53
54 if (!normalize && max < 1.0)
55 { while (readcount > 0)
56@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
57 while (readcount > 0)
58 { readcount = sf_readf_double (infile, data, frames) ;
59 for (k = 0 ; k < readcount * channels ; k++)
60- data [k] /= max ;
61+ { data [k] /= max ;
62+
63+ if (!isfinite (data [k])) /* infinite or NaN */
64+ return 1;
65+ }
66 sf_writef_double (outfile, data, readcount) ;
67 } ;
68 } ;
69
70- return ;
71+ return 0 ;
72 } /* sfe_copy_data_fp */
73
74 void
75@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
76
77 /* If the input file is not the same as the output file, copy the data. */
78 if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
79- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
80+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
81+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
82+ error_code = 1 ;
83+ goto cleanup_exit ;
84+ } ;
85+ }
86 else
87 sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
88 } ;
89diff --git a/programs/common.h b/programs/common.h
90index eda2d7d..986277e 100644
91--- a/programs/common.h
92+++ b/programs/common.h
93@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
94
95 void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
96
97-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
98+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
99
100 void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
101
102diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
103index dff7f79..e6de593 100644
104--- a/programs/sndfile-convert.c
105+++ b/programs/sndfile-convert.c
106@@ -335,7 +335,11 @@ main (int argc, char * argv [])
107 || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
108 || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
109 || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
110- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
111+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
112+ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
113+ return 1 ;
114+ } ;
115+ }
116 else
117 sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
118
119--
1202.7.4
121
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
index 4ae3674df1..707373d414 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
@@ -1,23 +1,25 @@
1From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001 1CVE: CVE-2018-13139
2From: Changqing Li <changqing.li@windriver.com> 2Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822]
3Date: Wed, 10 Oct 2018 08:59:30 +0800 3Signed-off-by: Ross Burton <ross.burton@intel.com>
4Subject: [PATCH] libsndfile1: patch for CVE-2018-13139
5 4
6Upstream-Status: Backport [https://github.com/bwarden/libsndfile/ 5From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001
7commit/df18323c622b54221ee7ace74b177cdcccc152d7] 6From: "Brett T. Warden" <brett.t.warden@intel.com>
7Date: Tue, 28 Aug 2018 12:01:17 -0700
8Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
8 9
9CVE: CVE-2018-13139 10Allocated buffer has space for only 16 channels. Verify that input file
11meets this limit.
10 12
11Signed-off-by: Changqing Li <changqing.li@windriver.com> 13Fixes #397
12--- 14---
13 programs/sndfile-deinterleave.c | 6 ++++++ 15 programs/sndfile-deinterleave.c | 7 +++++++
14 1 file changed, 6 insertions(+) 16 1 file changed, 7 insertions(+)
15 17
16diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c 18diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
17index e27593e..721bee7 100644 19index e27593e2..cb497e1f 100644
18--- a/programs/sndfile-deinterleave.c 20--- a/programs/sndfile-deinterleave.c
19+++ b/programs/sndfile-deinterleave.c 21+++ b/programs/sndfile-deinterleave.c
20@@ -89,6 +89,12 @@ main (int argc, char **argv) 22@@ -89,6 +89,13 @@ main (int argc, char **argv)
21 exit (1) ; 23 exit (1) ;
22 } ; 24 } ;
23 25
@@ -27,9 +29,9 @@ index e27593e..721bee7 100644
27+ exit (1) ; 29+ exit (1) ;
28+ } ; 30+ } ;
29+ 31+
32+
30 state.channels = sfinfo.channels ; 33 state.channels = sfinfo.channels ;
31 sfinfo.channels = 1 ; 34 sfinfo.channels = 1 ;
32 35
33-- 36--
342.7.4 372.11.0
35
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
new file mode 100644
index 0000000000..c3586f9dfc
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch
@@ -0,0 +1,34 @@
1There is a heap-based buffer over-read at wav.c in wav_write_header in
2libsndfile 1.0.28 that will cause a denial of service.
3
4CVE: CVE-2018-19758
5Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e]
6Signed-off-by: Ross Burton <ross.burton@intel.com>
7
8From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001
9From: Erik de Castro Lopo <erikd@mega-nerd.com>
10Date: Tue, 1 Jan 2019 20:11:46 +1100
11Subject: [PATCH] src/wav.c: Fix heap read overflow
12
13This is CVE-2018-19758.
14
15Closes: https://github.com/erikd/libsndfile/issues/435
16---
17 src/wav.c | 2 ++
18 1 file changed, 2 insertions(+)
19
20diff --git a/src/wav.c b/src/wav.c
21index e8405b55..6fb94ae8 100644
22--- a/src/wav.c
23+++ b/src/wav.c
24@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
25 psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
26 psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
27
28+ /* Loop count is signed 16 bit number so we limit it range to something sensible. */
29+ psf->instrument->loop_count &= 0x7fff ;
30 for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
31 { int type ;
32
33--
342.11.0
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 9700f4a6e7..eb2c719d8d 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,11 +10,12 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
10 file://CVE-2017-8361-8365.patch \ 10 file://CVE-2017-8361-8365.patch \
11 file://CVE-2017-8362.patch \ 11 file://CVE-2017-8362.patch \
12 file://CVE-2017-8363.patch \ 12 file://CVE-2017-8363.patch \
13 file://CVE-2017-14245-14246.patch \
14 file://CVE-2017-14634.patch \ 13 file://CVE-2017-14634.patch \
15 file://CVE-2018-13139.patch \ 14 file://CVE-2018-13139.patch \
16 file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ 15 file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
17 file://CVE-2018-19432.patch \ 16 file://CVE-2018-19432.patch \
17 file://CVE-2017-12562.patch \
18 file://CVE-2018-19758.patch \
18 " 19 "
19 20
20SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" 21SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"