From 373a9fd4db00f6dae8379cfd0d6aadc7251dc595 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 22 Aug 2018 13:07:42 -0400 Subject: gnu: soundtouch: Fix CVE-2018-{1000223,14044,14045}. * gnu/packages/patches/soundtouch-CVE-2018-14044-14045.patch, gnu/packages/patches/soundtouch-CVE-2018-1000223.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/audio.scm (soundtouch)[source]: Use them. --- .../patches/soundtouch-CVE-2018-1000223.patch | 143 +++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 gnu/packages/patches/soundtouch-CVE-2018-1000223.patch (limited to 'gnu/packages/patches/soundtouch-CVE-2018-1000223.patch') diff --git a/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch new file mode 100644 index 0000000000..961a183565 --- /dev/null +++ b/gnu/packages/patches/soundtouch-CVE-2018-1000223.patch @@ -0,0 +1,143 @@ +Fix CVE-2018-1000223: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223 +https://gitlab.com/soundtouch/soundtouch/issues/6 + +Patches copied from upstream source repository: + +https://gitlab.com/soundtouch/soundtouch/commit/9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e +https://gitlab.com/soundtouch/soundtouch/commit/e0240689056e4182fffdc2a16aa6e3425a15e275 +https://gitlab.com/soundtouch/soundtouch/commit/46531e5b92dd80dd9a7947463d6224fc7cb21967 + +From 9e02d9b04fda6c1f44336ff00bb5af1e2ffc039e Mon Sep 17 00:00:00 2001 +From: oparviainen +Date: Sun, 12 Aug 2018 20:24:37 +0300 +Subject: [PATCH] Added minimum size check for WAV header block lengh values + +--- + source/SoundStretch/WavFile.cpp | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 7e7ade2..68818c9 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -530,7 +530,11 @@ int WavInFile::readHeaderBlock() + // read length of the format field + if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1; + // swap byte order if necessary +- _swap32(nLen); // int format_len; ++ _swap32(nLen); ++ ++ // verify that header length isn't smaller than expected ++ if (nLen < sizeof(header.format) - 8) return -1; ++ + header.format.format_len = nLen; + + // calculate how much length differs from expected +@@ -572,6 +576,10 @@ int WavInFile::readHeaderBlock() + if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1; + // swap byte order if necessary + _swap32(nLen); // int fact_len; ++ ++ // verify that fact length isn't smaller than expected ++ if (nLen < sizeof(header.fact) - 8) return -1; ++ + header.fact.fact_len = nLen; + + // calculate how much length differs from expected +-- +2.18.0 + +From e0240689056e4182fffdc2a16aa6e3425a15e275 Mon Sep 17 00:00:00 2001 +From: oparviainen +Date: Mon, 13 Aug 2018 19:16:16 +0300 +Subject: [PATCH] Fixed WavFile header/fact not-too-small check + +--- + source/SoundStretch/WavFile.cpp | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 4af7a4c..3421bca 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -518,13 +518,13 @@ int WavInFile::readHeaderBlock() + // swap byte order if necessary + _swap32(nLen); + +- // verify that header length isn't smaller than expected +- if (nLen < sizeof(header.format) - 8) return -1; ++ // calculate how much length differs from expected ++ nDump = nLen - ((int)sizeof(header.format) - 8); + +- header.format.format_len = nLen; ++ // verify that header length isn't smaller than expected structure ++ if (nDump < 0) return -1; + +- // calculate how much length differs from expected +- nDump = nLen - ((int)sizeof(header.format) - 8); ++ header.format.format_len = nLen; + + // if format_len is larger than expected, read only as much data as we've space for + if (nDump > 0) +@@ -561,16 +561,16 @@ int WavInFile::readHeaderBlock() + // read length of the fact field + if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1; + // swap byte order if necessary +- _swap32(nLen); // int fact_len; +- +- // verify that fact length isn't smaller than expected +- if (nLen < sizeof(header.fact) - 8) return -1; +- +- header.fact.fact_len = nLen; ++ _swap32(nLen); + + // calculate how much length differs from expected + nDump = nLen - ((int)sizeof(header.fact) - 8); + ++ // verify that fact length isn't smaller than expected structure ++ if (nDump < 0) return -1; ++ ++ header.fact.fact_len = nLen; ++ + // if format_len is larger than expected, read only as much data as we've space for + if (nDump > 0) + { +-- +2.18.0 + +From 46531e5b92dd80dd9a7947463d6224fc7cb21967 Mon Sep 17 00:00:00 2001 +From: olli +Date: Mon, 13 Aug 2018 19:42:58 +0300 +Subject: [PATCH] Improved WavFile header/fact not-too-small check + +--- + source/SoundStretch/WavFile.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source/SoundStretch/WavFile.cpp b/source/SoundStretch/WavFile.cpp +index 3421bca..9d90b8a 100644 +--- a/source/SoundStretch/WavFile.cpp ++++ b/source/SoundStretch/WavFile.cpp +@@ -522,7 +522,7 @@ int WavInFile::readHeaderBlock() + nDump = nLen - ((int)sizeof(header.format) - 8); + + // verify that header length isn't smaller than expected structure +- if (nDump < 0) return -1; ++ if ((nLen < 0) || (nDump < 0)) return -1; + + header.format.format_len = nLen; + +@@ -567,7 +567,7 @@ int WavInFile::readHeaderBlock() + nDump = nLen - ((int)sizeof(header.fact) - 8); + + // verify that fact length isn't smaller than expected structure +- if (nDump < 0) return -1; ++ if ((nLen < 0) || (nDump < 0)) return -1; + + header.fact.fact_len = nLen; + +-- +2.18.0 + -- cgit v1.2.3