taglib: fix CVE-2023-47466

TagLib before 2.0 allows a segmentation violation and application crash during tag writing via a crafted WAV file in which an id3 chunk is the only valid chunk. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-47466 Upstream patch: https://github.com/taglib/taglib/commit/dfa33bec0806cbb45785accb8cc6c2048a7d40cf (From OE-Core rev: bcf0102e0e9ecf55106eafcc4c2ad8b2e7ad762b) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Jiaying Song <jiaying.song.cn@windriver.com> 2025-06-04 14:59:05 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-06-13 08:42:35 -0700
commit: 179c5dc17f5f5c57fdbac7b9f9f2a425a3917730 (patch)
tree: 461d6ce988ca9ae0bd4cb6d5f7dc0856d92da464 /meta
parent: 9a368c7b9244f834a53aeca08acd879c6e800727 (diff)
download: poky-179c5dc17f5f5c57fdbac7b9f9f2a425a3917730.tar.gz
2 files changed, 41 insertions, 1 deletions
diff --git a/meta/recipes-support/taglib/files/CVE-2023-47466.patch b/meta/recipes-support/taglib/files/CVE-2023-47466.patch
new file mode 100644
index 0000000000..8ea8793e0a
--- /dev/null
+++ b/meta/recipes-support/taglib/files/CVE-2023-47466.patch
@@ -0,0 +1,38 @@
+From 41c1c2b3609fc542e357cc80185d90a9a6fccc1a Mon Sep 17 00:00:00 2001
+From: Urs Fleisch <ufleisch@users.sourceforge.net>
+Date: Sun, 5 Nov 2023 14:40:18 +0100
+Subject: [PATCH] Fix crash with invalid WAV files (#1163) (#1164)
+With specially crafted WAV files having the "id3 " chunk as the
+only valid chunk, when trying to write the tags, the existing
+"id3 " chunk is removed, and then vector::front() is called on
+the now empty chunks vector.
+Now it is checked if the vector is empty to avoid the crash.
+CVE: CVE-2023-47466
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/commit/dfa33bec0806cbb45785accb8cc6c2048a7d40cf]
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ taglib/riff/rifffile.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/taglib/riff/rifffile.cpp b/taglib/riff/rifffile.cpp
+index 005551f..f615e6c 100644
+--- a/taglib/riff/rifffile.cpp
+++ b/taglib/riff/rifffile.cpp
+@@ -361,6 +361,9 @@ void RIFF::File::writeChunk(const ByteVector &name, const ByteVector &data,
+ 
+ void RIFF::File::updateGlobalSize()
+ {
+  if(d->chunks.empty())
+    return;
+
+   const Chunk first = d->chunks.front();
+   const Chunk last  = d->chunks.back();
+   d->size = last.offset + last.size + last.padding - first.offset + 12;
+-- 
+2.34.1
diff --git a/meta/recipes-support/taglib/taglib_1.12.bb b/meta/recipes-support/taglib/taglib_1.12.bb
index 47ad8aacb6..51e03888b4 100644
--- a/meta/recipes-support/taglib/taglib_1.12.bb
+++ b/meta/recipes-support/taglib/taglib_1.12.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
 DEPENDS = "zlib"
-SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz"
+SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
+           file://CVE-2023-47466.patch \
+          "
 SRC_URI[md5sum] = "4313ed2671234e029b7af8f97c84e9af"
 SRC_URI[sha256sum] = "7fccd07669a523b07a15bd24c8da1bbb92206cb19e9366c3692af3d79253b703"
author	Jiaying Song <jiaying.song.cn@windriver.com>	2025-06-04 14:59:05 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-06-13 08:42:35 -0700
commit	179c5dc17f5f5c57fdbac7b9f9f2a425a3917730 (patch)
tree	461d6ce988ca9ae0bd4cb6d5f7dc0856d92da464 /meta
parent	9a368c7b9244f834a53aeca08acd879c6e800727 (diff)
download	poky-179c5dc17f5f5c57fdbac7b9f9f2a425a3917730.tar.gz

diff --git a/meta/recipes-support/taglib/files/CVE-2023-47466.patch b/meta/recipes-support/taglib/files/CVE-2023-47466.patch new file mode 100644 index 0000000000..8ea8793e0a --- /dev/null +++ b/meta/recipes-support/taglib/files/CVE-2023-47466.patch
@@ -0,0 +1,38 @@
		1	From 41c1c2b3609fc542e357cc80185d90a9a6fccc1a Mon Sep 17 00:00:00 2001
		2	From: Urs Fleisch <ufleisch@users.sourceforge.net>
		3	Date: Sun, 5 Nov 2023 14:40:18 +0100
		4	Subject: [PATCH] Fix crash with invalid WAV files (#1163) (#1164)
		5
		6	With specially crafted WAV files having the "id3 " chunk as the
		7	only valid chunk, when trying to write the tags, the existing
		8	"id3 " chunk is removed, and then vector::front() is called on
		9	the now empty chunks vector.
		10	Now it is checked if the vector is empty to avoid the crash.
		11
		12	CVE: CVE-2023-47466
		13
		14	Upstream-Status: Backport
		15	[https://github.com/taglib/taglib/commit/dfa33bec0806cbb45785accb8cc6c2048a7d40cf]
		16
		17	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		18	---
		19	taglib/riff/rifffile.cpp \| 3 +++
		20	1 file changed, 3 insertions(+)
		21
		22	diff --git a/taglib/riff/rifffile.cpp b/taglib/riff/rifffile.cpp
		23	index 005551f..f615e6c 100644
		24	--- a/taglib/riff/rifffile.cpp
		25	+++ b/taglib/riff/rifffile.cpp
		26	@@ -361,6 +361,9 @@ void RIFF::File::writeChunk(const ByteVector &name, const ByteVector &data,
		27
		28	void RIFF::File::updateGlobalSize()
		29	{
		30	+ if(d->chunks.empty())
		31	+ return;
		32	+
		33	const Chunk first = d->chunks.front();
		34	const Chunk last = d->chunks.back();
		35	d->size = last.offset + last.size + last.padding - first.offset + 12;
		36	--
		37	2.34.1
		38


diff --git a/meta/recipes-support/taglib/taglib_1.12.bb b/meta/recipes-support/taglib/taglib_1.12.bb index 47ad8aacb6..51e03888b4 100644 --- a/meta/recipes-support/taglib/taglib_1.12.bb +++ b/meta/recipes-support/taglib/taglib_1.12.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
9		9
10	DEPENDS = "zlib"	10	DEPENDS = "zlib"
11		11
12	SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz"	12	SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
		13	file://CVE-2023-47466.patch \
		14	"
13		15
14	SRC_URI[md5sum] = "4313ed2671234e029b7af8f97c84e9af"	16	SRC_URI[md5sum] = "4313ed2671234e029b7af8f97c84e9af"
15	SRC_URI[sha256sum] = "7fccd07669a523b07a15bd24c8da1bbb92206cb19e9366c3692af3d79253b703"	17	SRC_URI[sha256sum] = "7fccd07669a523b07a15bd24c8da1bbb92206cb19e9366c3692af3d79253b703"