libid3tag: handle unknown encodings (CVE-2017-11550)

(From OE-Core rev: 5090afc1b07e62f70ebcf63a7abb75b8552f0a52) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-07-16 13:47:39 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-17 09:36:35 +0100
commit: ab5a665612622f1106b37d1610ce5126aeabcb4c (patch)
tree: 165e1aa54d31fffdddceaef1c51e31fefb4addb1 /meta
parent: 545858e6a0cc31794c5ad78f515716fb5d1ff757 (diff)
download: poky-ab5a665612622f1106b37d1610ce5126aeabcb4c.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
new file mode 100644
index 0000000000..f0867b5f01
--- /dev/null
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
@@ -0,0 +1,39 @@
+In case of an unknown/invalid encoding, id3_parse_string() will
+return NULL, but the return value wasn't checked resulting
+in segfault in id3_ucs4_length().  This is the only place
+the return value wasn't checked.
+Patch taken from Debian:
+https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
+CVE: CVE-2017-11550
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
+--- libid3tag-0.15.1b~/compat.gperf     2004-01-23 09:41:32.000000000 +0000
+++ libid3tag-0.15.1b/compat.gperf      2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+ 
+     encoding = id3_parse_uint(&data, 1);
+     string   = id3_parse_string(&data, end - data, encoding, 0);
+    if (!string)
+    {
+       continue;
+    }
+ 
+     if (id3_ucs4_length(string) < 4) {
+       free(string);
+diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
+--- libid3tag-0.15.1b~/parse.c  2004-01-23 09:41:32.000000000 +0000
+++ libid3tag-0.15.1b/parse.c   2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+   case ID3_FIELD_TEXTENCODING_UTF_8:
+     ucs4 = id3_utf8_deserialize(ptr, length);
+     break;
+  default:
+       /* FIXME: Unknown encoding! Print warning? */
+       return NULL;
+   }
+ 
+   if (ucs4 && !full) {
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index 43edd3fe6a..0312a610c0 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
           file://obsolete_automake_macros.patch \
           file://0001-Fix-gperf-3.1-incompatibility.patch \
           file://10_utf16.patch \
+           file://unknown-encoding.patch \
           "
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
 UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
author	Ross Burton <ross.burton@intel.com>	2019-07-16 13:47:39 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-17 09:36:35 +0100
commit	ab5a665612622f1106b37d1610ce5126aeabcb4c (patch)
tree	165e1aa54d31fffdddceaef1c51e31fefb4addb1 /meta
parent	545858e6a0cc31794c5ad78f515716fb5d1ff757 (diff)
download	poky-ab5a665612622f1106b37d1610ce5126aeabcb4c.tar.gz

diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch new file mode 100644 index 0000000000..f0867b5f01 --- /dev/null +++ b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch
@@ -0,0 +1,39 @@
		1	In case of an unknown/invalid encoding, id3_parse_string() will
		2	return NULL, but the return value wasn't checked resulting
		3	in segfault in id3_ucs4_length(). This is the only place
		4	the return value wasn't checked.
		5
		6	Patch taken from Debian:
		7	https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/
		8
		9	CVE: CVE-2017-11550
		10	Upstream-Status: Pending
		11	Signed-off-by: Ross Burton <ross.burton@intel.com>
		12
		13	diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
		14	--- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000
		15	+++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000
		16	@@ -236,6 +236,10 @@
		17
		18	encoding = id3_parse_uint(&data, 1);
		19	string = id3_parse_string(&data, end - data, encoding, 0);
		20	+ if (!string)
		21	+ {
		22	+ continue;
		23	+ }
		24
		25	if (id3_ucs4_length(string) < 4) {
		26	free(string);
		27	diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
		28	--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000
		29	+++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000
		30	@@ -165,6 +165,9 @@
		31	case ID3_FIELD_TEXTENCODING_UTF_8:
		32	ucs4 = id3_utf8_deserialize(ptr, length);
		33	break;
		34	+ default:
		35	+ /* FIXME: Unknown encoding! Print warning? */
		36	+ return NULL;
		37	}
		38
		39	if (ucs4 && !full) {


diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb index 43edd3fe6a..0312a610c0 100644 --- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb +++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
14	file://obsolete_automake_macros.patch \	14	file://obsolete_automake_macros.patch \
15	file://0001-Fix-gperf-3.1-incompatibility.patch \	15	file://0001-Fix-gperf-3.1-incompatibility.patch \
16	file://10_utf16.patch \	16	file://10_utf16.patch \
		17	file://unknown-encoding.patch \
17	"	18	"
18	UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"	19	UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
19	UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"	20	UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"