vorbis-tools: Fix CVE-2023-43361

Upstream-commits: https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/68c5a33685f5b86e7f18f239ceb8861484fee552 & https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/5bb47f58582c15c2413564b741d1d95e7b566aa8 Drop md5sum Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-10-17 13:12:40 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-10-17 10:51:27 +0200
commit: aecae8eb0797de29fa4607cbabde03843b40cc15 (patch)
tree: 04b50359f2130da5a3c20db2e911215a3b3708d8
parent: 199ca4579ca924ee8c09d95083c842da3a6590c0 (diff)
download: meta-openembedded-aecae8eb0797de29fa4607cbabde03843b40cc15.tar.gz
3 files changed, 87 insertions, 1 deletions
diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch
new file mode 100644
index 0000000000..db7d142543
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch
@@ -0,0 +1,28 @@
+From 68c5a33685f5b86e7f18f239ceb8861484fee552 Mon Sep 17 00:00:00 2001
+From: Petter Reinholdtsen <pere@debian.org>
+Date: Sun, 6 Apr 2025 07:53:53 +0200
+Subject: [PATCH] Added missing include "utf8.h" to codec_skeleton.c.
+Patch from Sebastian Ramacher <sramacher@debian.org> and Debian.
+Upstream-Status: Backport [https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/68c5a33685f5b86e7f18f239ceb8861484fee552]
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ogginfo/codec_skeleton.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/ogginfo/codec_skeleton.c b/ogginfo/codec_skeleton.c
+index a27f8da..0709860 100644
+--- a/ogginfo/codec_skeleton.c
+++ b/ogginfo/codec_skeleton.c
+@@ -25,6 +25,7 @@
+ #include <ogg/ogg.h>
+ 
+ #include "i18n.h"
+#include "utf8.h"
+ 
+ #include "private.h"
+ 
+-- 
+GitLab
diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch
new file mode 100644
index 0000000000..69286907fa
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch
@@ -0,0 +1,57 @@
+From 5bb47f58582c15c2413564b741d1d95e7b566aa8 Mon Sep 17 00:00:00 2001
+From: Ralph Giles <giles@thaumas.net>
+Date: Sun, 17 Sep 2023 11:49:12 -0700
+Subject: [PATCH] oggenc: Don't assume the output path ends in a file name.
+oggenc attempts to create any specified directories in the output
+file path if they don't exist. The parser was assuming there was
+a final filename after the last directory separator, and so would
+try to read off the end of the argument if it was a bare directory
+such as `./` or `outdir/`. It also did not handle more than one
+consecutive separator. This corrects both issues.
+Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science
+and Technology (cse.hust.edu.cn) for the report.
+Fixes CVE-2023-43361.
+Upstream-Status: Backport [https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/5bb47f58582c15c2413564b741d1d95e7b566aa8]
+CVE: CVE-2023-43361
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ oggenc/platform.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/oggenc/platform.c b/oggenc/platform.c
+index 6d9f4ef..d50ad99 100644
+--- a/oggenc/platform.c
+++ b/oggenc/platform.c
+@@ -136,18 +136,22 @@ int create_directories(char *fn, int isutf8)
+ {
+     char *end, *start;
+     struct stat statbuf;
+-    char *segment = malloc(strlen(fn)+1);
+    const size_t fn_len = strlen(fn);
+    char *segment = malloc(fn_len+1);
+ #ifdef _WIN32
+     wchar_t seg[MAX_PATH+1];
+ #endif
+ 
+     start = fn;
+ #ifdef _WIN32
+-    if(strlen(fn) >= 3 && isalpha(fn[0]) && fn[1]==':')
+    // Strip drive prefix
+    if(fn_len >= 3 && isalpha(fn[0]) && fn[1]==':') {
+         start = start+2;
+    }
+ #endif
+ 
+-    while((end = strpbrk(start+1, PATH_SEPS)) != NULL)
+    // Loop through path segments, creating directories if necessary
+    while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL)
+     {
+         int rv;
+         memcpy(segment, fn, end-fn);
+-- 
+GitLab
diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
index 290162127f..33a212de8e 100644
--- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
@@ -12,9 +12,10 @@ DEPENDS = "libogg libvorbis"
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
           file://gettext.patch \
+           file://0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch \
+           file://CVE-2023-43361.patch \
          "
-SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e"
 SRC_URI[sha256sum] = "db7774ec2bf2c939b139452183669be84fda5774d6400fc57fde37f77624f0b0"
 inherit autotools pkgconfig gettext
author	Vijay Anusuri <vanusuri@mvista.com>	2025-10-17 13:12:40 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-10-17 10:51:27 +0200
commit	aecae8eb0797de29fa4607cbabde03843b40cc15 (patch)
tree	04b50359f2130da5a3c20db2e911215a3b3708d8
parent	199ca4579ca924ee8c09d95083c842da3a6590c0 (diff)
download	meta-openembedded-aecae8eb0797de29fa4607cbabde03843b40cc15.tar.gz

diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch new file mode 100644 index 0000000000..db7d142543 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch
@@ -0,0 +1,28 @@
		1	From 68c5a33685f5b86e7f18f239ceb8861484fee552 Mon Sep 17 00:00:00 2001
		2	From: Petter Reinholdtsen <pere@debian.org>
		3	Date: Sun, 6 Apr 2025 07:53:53 +0200
		4	Subject: [PATCH] Added missing include "utf8.h" to codec_skeleton.c.
		5
		6	Patch from Sebastian Ramacher <sramacher@debian.org> and Debian.
		7
		8	Upstream-Status: Backport [https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/68c5a33685f5b86e7f18f239ceb8861484fee552]
		9	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		10	---
		11	ogginfo/codec_skeleton.c \| 1 +
		12	1 file changed, 1 insertion(+)
		13
		14	diff --git a/ogginfo/codec_skeleton.c b/ogginfo/codec_skeleton.c
		15	index a27f8da..0709860 100644
		16	--- a/ogginfo/codec_skeleton.c
		17	+++ b/ogginfo/codec_skeleton.c
		18	@@ -25,6 +25,7 @@
		19	#include <ogg/ogg.h>
		20
		21	#include "i18n.h"
		22	+#include "utf8.h"
		23
		24	#include "private.h"
		25
		26	--
		27	GitLab
		28


diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch new file mode 100644 index 0000000000..69286907fa --- /dev/null +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch
@@ -0,0 +1,57 @@
		1	From 5bb47f58582c15c2413564b741d1d95e7b566aa8 Mon Sep 17 00:00:00 2001
		2	From: Ralph Giles <giles@thaumas.net>
		3	Date: Sun, 17 Sep 2023 11:49:12 -0700
		4	Subject: [PATCH] oggenc: Don't assume the output path ends in a file name.
		5
		6	oggenc attempts to create any specified directories in the output
		7	file path if they don't exist. The parser was assuming there was
		8	a final filename after the last directory separator, and so would
		9	try to read off the end of the argument if it was a bare directory
		10	such as `./` or `outdir/`. It also did not handle more than one
		11	consecutive separator. This corrects both issues.
		12
		13	Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science
		14	and Technology (cse.hust.edu.cn) for the report.
		15
		16	Fixes CVE-2023-43361.
		17
		18	Upstream-Status: Backport [https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/5bb47f58582c15c2413564b741d1d95e7b566aa8]
		19	CVE: CVE-2023-43361
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	oggenc/platform.c \| 10 +++++++---
		23	1 file changed, 7 insertions(+), 3 deletions(-)
		24
		25	diff --git a/oggenc/platform.c b/oggenc/platform.c
		26	index 6d9f4ef..d50ad99 100644
		27	--- a/oggenc/platform.c
		28	+++ b/oggenc/platform.c
		29	@@ -136,18 +136,22 @@ int create_directories(char *fn, int isutf8)
		30	{
		31	char end, start;
		32	struct stat statbuf;
		33	- char *segment = malloc(strlen(fn)+1);
		34	+ const size_t fn_len = strlen(fn);
		35	+ char *segment = malloc(fn_len+1);
		36	#ifdef _WIN32
		37	wchar_t seg[MAX_PATH+1];
		38	#endif
		39
		40	start = fn;
		41	#ifdef _WIN32
		42	- if(strlen(fn) >= 3 && isalpha(fn[0]) && fn[1]==':')
		43	+ // Strip drive prefix
		44	+ if(fn_len >= 3 && isalpha(fn[0]) && fn[1]==':') {
		45	start = start+2;
		46	+ }
		47	#endif
		48
		49	- while((end = strpbrk(start+1, PATH_SEPS)) != NULL)
		50	+ // Loop through path segments, creating directories if necessary
		51	+ while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL)
		52	{
		53	int rv;
		54	memcpy(segment, fn, end-fn);
		55	--
		56	GitLab
		57


diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb index 290162127f..33a212de8e 100644 --- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
@@ -12,9 +12,10 @@ DEPENDS = "libogg libvorbis"
12		12
13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \	13	SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
14	file://gettext.patch \	14	file://gettext.patch \
		15	file://0001-Added-missing-include-utf8.h-to-codec_skeleton.c.patch \
		16	file://CVE-2023-43361.patch \
15	"	17	"
16		18
17	SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e"
18	SRC_URI[sha256sum] = "db7774ec2bf2c939b139452183669be84fda5774d6400fc57fde37f77624f0b0"	19	SRC_URI[sha256sum] = "db7774ec2bf2c939b139452183669be84fda5774d6400fc57fde37f77624f0b0"
19		20
20	inherit autotools pkgconfig gettext	21	inherit autotools pkgconfig gettext