diff --git a/flac-fix-CVE-2014-8962.patch b/flac-fix-CVE-2014-8962.patch
new file mode 100644
index 0000000..ad5b252
--- /dev/null
+++ b/flac-fix-CVE-2014-8962.patch
@@ -0,0 +1,35 @@
+From 5b3033a2b355068c11fe637e14ac742d273f076e Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo
+Date: Tue, 18 Nov 2014 07:20:25 -0800
+Subject: [PATCH] src/libFLAC/stream_decoder.c : Fix buffer read overflow.
+
+This is CVE-2014-8962.
+
+Reported-by: Michele Spagnuolo,
+ Google Security Team
+---
+ src/libFLAC/stream_decoder.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -71,7 +71,7 @@ FLAC_API int FLAC_API_SUPPORTS_OGG_FLAC
+ *
+ ***********************************************************************/
+
+-static FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
++static const FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
+
+ /***********************************************************************
+ *
+@@ -1381,6 +1381,10 @@ FLAC__bool find_metadata_(FLAC__StreamDe
+ id = 0;
+ continue;
+ }
++
++ if(id >= 3)
++ return false;
++
+ if(x == ID3V2_TAG_[id]) {
+ id++;
+ i = 0;
diff --git a/flac-fix-CVE-2014-9028.patch b/flac-fix-CVE-2014-9028.patch
new file mode 100644
index 0000000..19a885e
--- /dev/null
+++ b/flac-fix-CVE-2014-9028.patch
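Review bot: The new guard `if(id >= 3) return false;` hard-codes the length of `ID3V2_TAG_`, which the same patch declares a few lines earlier as `ID3V2_TAG_[3]`; deriving the bound from the array, `if(id >= sizeof(ID3V2_TAG_) / sizeof(ID3V2_TAG_[0])) return false;`, keeps the index check tied to the buffer it protects. The guard sits after the `id = 0; continue;` reset and before the `ID3V2_TAG_[id]` read, so it bounds exactly the access the fix targets. find_metadata_ starts and ends outside the hunk, so how callers treat the new false return cannot be confirmed from here. Separately, the flac.changes entry for this patch names CVE-2014-8692 and a stack overflow, while the patch header names CVE-2014-8962 and a buffer read overflow; the changelog should be corrected to match.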
@@ -0,0 +1,29 @@
+From fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo
+Date: Wed, 19 Nov 2014 19:35:59 -0800
+Subject: [PATCH] src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
+
+A file provided by the reporters caused the stream decoder to write to
+un-allocated heap space resulting in a segfault. The solution is to
+error out (by returning false from read_residual_partitioned_rice_())
+instead of trying to continue to decode.
+
+Fixes: CVE-2014-9028
+Reported-by: Michele Spagnuolo,
+ Google Security Team
+---
+ src/libFLAC/stream_decoder.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -2725,7 +2725,8 @@ FLAC__bool read_residual_partitioned_ric
+ if(decoder->private_->frame.header.blocksize < predictor_order) {
+ send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+ decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+- return true;
++ /* We have received a potentially malicious bt stream. All we can do is error out to avoid a heap overflow. */
++ return false;
+ }
+ }
+ else {
diff --git a/flac.changes b/flac.changes
index 9b34d86..db7fe8c 100644
--- a/flac.changes
+++ b/flac.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Nov 26 09:56:05 CET 2014 - tiwai@suse.de
+
+- A couple of security fixes:
+ * flac-fix-CVE-2014-8962.patch:
+ arbitrary code execution by a stack overflow (CVE-2014-8692,
+ bnc#906831)
+ * flac-fix-CVE-2014-9028.patch:
+ Heap overflow via specially crafted .flac files (CVE-2014-9028,
+ bnc#907016)
+
 -------------------------------------------------------------------
 Mon Jul 1 02:13:39 UTC 2013 - jengelh@inai.de
diff --git a/flac.spec b/flac.spec
index f969757..155cfdc 100644
--- a/flac.spec
+++ b/flac.spec
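Review bot: The comment added above the new `return false;` misspells the term it explains ("bt stream"); since it is the only in-code record of why this path now aborts rather than resyncing, it should read `/* We have received a potentially malicious bit stream. All we can do is error out to avoid a heap overflow. */`. The lines just above it still call send_error_to_client_() with FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC and set the state to FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC before the failure return, so a client now receives a lost-sync error callback followed by a failed read; documenting that pairing in the comment would save the next reader from wondering whether the state assignment is stale. read_residual_partitioned_rice_ starts and ends outside the hunk, and the `else {` branch on the hunk's last line is not visible; if it holds a parallel blocksize-vs-predictor_order check that still returns true, it presumably needs the same change, which is worth confirming in the full function. The embedded patch's Subject line also says "src/libFACL" for src/libFLAC, which is cosmetic but will confuse searches of the package history.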
@@ -1,7 +1,7 @@
 #
 # spec file for package flac
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@ Patch1: flac-ocloexec.patch
 Patch2: 0001-Allow-use-of-openSSL.patch
 Patch3: flac-fix-pkgconfig.patch
 Patch5: 0001-getopt_long-not-broken-here.patch
+Patch6: flac-fix-CVE-2014-8962.patch
+Patch7: flac-fix-CVE-2014-9028.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf >= 2.60
 BuildRequires: automake >= 1.11
@@ -88,6 +90,8 @@ FLAC library.
 %patch2 -p1
 %patch3 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %build
 touch config.rpath