Accepting request 263120 from multimedia:libs

1

OBS-URL: https://build.opensuse.org/request/show/263120
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/flac?expand=0&rev=46

flac-fix-CVE-2014-8962.patch

@@ -0,0 +1,35 @@
+From 5b3033a2b355068c11fe637e14ac742d273f076e Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Tue, 18 Nov 2014 07:20:25 -0800
+Subject: [PATCH] src/libFLAC/stream_decoder.c : Fix buffer read overflow.
+
+This is CVE-2014-8962.
+
+Reported-by: Michele Spagnuolo,
+             Google Security Team <mikispag@google.com>
+---
+ src/libFLAC/stream_decoder.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -71,7 +71,7 @@ FLAC_API int FLAC_API_SUPPORTS_OGG_FLAC
+  *
+  ***********************************************************************/
+ 
+-static FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
++static const FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
+ 
+ /***********************************************************************
+  *
+@@ -1381,6 +1381,10 @@ FLAC__bool find_metadata_(FLAC__StreamDe
+ 			id = 0;
+ 			continue;
+ 		}
++
++		if(id >= 3)
++			return false;
++
+ 		if(x == ID3V2_TAG_[id]) {
+ 			id++;
+ 			i = 0;

flac-fix-CVE-2014-9028.patch

@@ -0,0 +1,29 @@
+From fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Wed, 19 Nov 2014 19:35:59 -0800
+Subject: [PATCH] src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
+
+A file provided by the reporters caused the stream decoder to write to
+un-allocated heap space resulting in a segfault. The solution is to
+error out (by returning false from read_residual_partitioned_rice_())
+instead of trying to continue to decode.
+
+Fixes: CVE-2014-9028
+Reported-by: Michele Spagnuolo,
+             Google Security Team <mikispag@google.com>
+---
+ src/libFLAC/stream_decoder.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -2725,7 +2725,8 @@ FLAC__bool read_residual_partitioned_ric
+ 		if(decoder->private_->frame.header.blocksize < predictor_order) {
+ 			send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+ 			decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+-			return true;
++			/* We have received a potentially malicious bt stream. All we can do is error out to avoid a heap overflow. */
++			return false;
+ 		}
+ 	}
+ 	else {

flac.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Nov 26 09:56:05 CET 2014 - tiwai@suse.de
+
+- A couple of security fixes:
+  * flac-fix-CVE-2014-8962.patch:
+    arbitrary code execution by a stack overflow (CVE-2014-8692,
+    bnc#906831)
+  * flac-fix-CVE-2014-9028.patch:
+    Heap overflow via specially crafted .flac files (CVE-2014-9028,
+    bnc#907016)
+
 -------------------------------------------------------------------
 Mon Jul  1 02:13:39 UTC 2013 - jengelh@inai.de
 

flac.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package flac
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@ Patch1:         flac-ocloexec.patch
 Patch2:         0001-Allow-use-of-openSSL.patch  
 Patch3:         flac-fix-pkgconfig.patch
 Patch5:         0001-getopt_long-not-broken-here.patch
+Patch6:         flac-fix-CVE-2014-8962.patch
+Patch7:         flac-fix-CVE-2014-9028.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  autoconf >= 2.60
 BuildRequires:  automake >= 1.11
@@ -88,6 +90,8 @@ FLAC library.
 %patch2 -p1
 %patch3 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 %build
 touch config.rpath