libvorbis: 3 CVE fixes

CVE-2017-14160, CVE-2018-10393 (same as 14160), and CVE-2018-10392. These fixes should be in libvorbis 1.3.7. (From OE-Core rev: 45ff20f325a51fe0ed12d58160c08e04781ce341) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2018-08-15 16:13:26 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-16 22:40:28 +0100
commit: 7204e57262c5dffe3e2c9a2e59c3f2e9e4e35514 (patch)
tree: cfa2bed13d1fdfdf08f6ca5c370c4a01d25a5a69 /meta/recipes-multimedia/libvorbis
parent: c8ac784b8fa34c5ef3366cc1248988a1dbc85039 (diff)
download: poky-7204e57262c5dffe3e2c9a2e59c3f2e9e4e35514.tar.gz
3 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 0000000000..b7603c3b13
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,34 @@
+From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Wed, 9 May 2018 14:56:59 -0700
+Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates.
+---
+CVE: CVE-2017-14160 CVE-2018-10393
+Upstream-Status: Backport [gitlab.com/Xiph.Org/Vorbis/Commits/018ca26d...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+---
+ lib/psy.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1..1310123 100644
+--- a/lib/psy.c
+++ b/lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+   for (i = 0, x = 0.f;; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+-    if( lo>=0 ) break;
+     hi = b[i] & 0xffff;
+    if( lo>=0 ) break;
+    if( hi>=n ) break;
+ 
+     tN = N[hi] + N[-lo];
+     tX = X[hi] - X[-lo];
+-- 
+1.7.9.5
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch
new file mode 100644
index 0000000000..b7936b4b4d
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch
@@ -0,0 +1,34 @@
+From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 17 May 2018 16:19:19 -0700
+Subject: [PATCH] Sanity check number of channels in setup.
+Fixes #2335.
+---
+CVE: CVE-2018-10392
+Upstream-Status: Backport [gitlab.com/Xiph.Org/Vorbis/Commits/112d3bd...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ lib/vorbisenc.c |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4fc7b62..64a51b5 100644
+--- a/lib/vorbisenc.c
+++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+   highlevel_encode_setup *hi=&ci->hi;
+ 
+   if(ci==NULL)return(OV_EINVAL);
+  if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+   if(!hi->impulse_block_p)i0=1;
+ 
+   /* too low/high an ATH floater is nonsensical, but doesn't break anything */
+-- 
+1.7.9.5
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
index bd46451612..cbda6dc2fc 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
@@ -12,6 +12,8 @@ DEPENDS = "libogg"
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
           file://0001-configure-Check-for-clang.patch \
+           file://CVE-2018-10392.patch \
+           file://CVE-2017-14160.patch \
          "
 SRC_URI[md5sum] = "b7d1692f275c73e7833ed1cc2697cd65"
 SRC_URI[sha256sum] = "af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415"
author	Joe Slater <joe.slater@windriver.com>	2018-08-15 16:13:26 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-16 22:40:28 +0100
commit	7204e57262c5dffe3e2c9a2e59c3f2e9e4e35514 (patch)
tree	cfa2bed13d1fdfdf08f6ca5c370c4a01d25a5a69 /meta/recipes-multimedia/libvorbis
parent	c8ac784b8fa34c5ef3366cc1248988a1dbc85039 (diff)
download	poky-7204e57262c5dffe3e2c9a2e59c3f2e9e4e35514.tar.gz

diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch new file mode 100644 index 0000000000..b7603c3b13 --- /dev/null +++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,34 @@
		1	From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001
		2	From: Thomas Daede <daede003@umn.edu>
		3	Date: Wed, 9 May 2018 14:56:59 -0700
		4	Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates.
		5
		6	---
		7	CVE: CVE-2017-14160 CVE-2018-10393
		8
		9	Upstream-Status: Backport [gitlab.com/Xiph.Org/Vorbis/Commits/018ca26d...]
		10
		11	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		12	---
		13	---
		14	lib/psy.c \| 3 ++-
		15	1 file changed, 2 insertions(+), 1 deletion(-)
		16
		17	diff --git a/lib/psy.c b/lib/psy.c
		18	index 422c6f1..1310123 100644
		19	--- a/lib/psy.c
		20	+++ b/lib/psy.c
		21	@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
		22	for (i = 0, x = 0.f;; i++, x += 1.f) {
		23
		24	lo = b[i] >> 16;
		25	- if( lo>=0 ) break;
		26	hi = b[i] & 0xffff;
		27	+ if( lo>=0 ) break;
		28	+ if( hi>=n ) break;
		29
		30	tN = N[hi] + N[-lo];
		31	tX = X[hi] - X[-lo];
		32	--
		33	1.7.9.5
		34


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch new file mode 100644 index 0000000000..b7936b4b4d --- /dev/null +++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-10392.patch
@@ -0,0 +1,34 @@
		1	From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
		2	From: Thomas Daede <daede003@umn.edu>
		3	Date: Thu, 17 May 2018 16:19:19 -0700
		4	Subject: [PATCH] Sanity check number of channels in setup.
		5
		6	Fixes #2335.
		7
		8	---
		9	CVE: CVE-2018-10392
		10
		11	Upstream-Status: Backport [gitlab.com/Xiph.Org/Vorbis/Commits/112d3bd...]
		12
		13	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		14	---
		15
		16	lib/vorbisenc.c \| 1 +
		17	1 file changed, 1 insertion(+)
		18
		19
		20	diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
		21	index 4fc7b62..64a51b5 100644
		22	--- a/lib/vorbisenc.c
		23	+++ b/lib/vorbisenc.c
		24	@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
		25	highlevel_encode_setup *hi=&ci->hi;
		26
		27	if(ci==NULL)return(OV_EINVAL);
		28	+ if(vi->channels<1\|\|vi->channels>255)return(OV_EINVAL);
		29	if(!hi->impulse_block_p)i0=1;
		30
		31	/* too low/high an ATH floater is nonsensical, but doesn't break anything */
		32	--
		33	1.7.9.5
		34


diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb index bd46451612..cbda6dc2fc 100644 --- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb +++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.6.bb
@@ -12,6 +12,8 @@ DEPENDS = "libogg"
12		12
13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \	13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
14	file://0001-configure-Check-for-clang.patch \	14	file://0001-configure-Check-for-clang.patch \
		15	file://CVE-2018-10392.patch \
		16	file://CVE-2017-14160.patch \
15	"	17	"
16	SRC_URI[md5sum] = "b7d1692f275c73e7833ed1cc2697cd65"	18	SRC_URI[md5sum] = "b7d1692f275c73e7833ed1cc2697cd65"
17	SRC_URI[sha256sum] = "af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415"	19	SRC_URI[sha256sum] = "af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415"