Accepting request 578699 from multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/578699 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libid3tag?expand=0&rev=25
2018-02-22 13:58:36 +00:00 · 2018-02-22 13:58:36 +00:00 · 43abf2e8b5
commit 43abf2e8b5
parent 6e1dbba09a 8395e40781
5 changed files with 104 additions and 25 deletions
--- a/libid3tag-0.15.1b-fix_overflow.patch
+++ b/libid3tag-0.15.1b-fix_overflow.patch
@ -1,19 +0,0 @@
-*** field.c	2003-04-19 09:14:33.000000000 +0900
--- field-patched.c	2008-01-13 16:08:22.000000000 +0900
-***************
-*** 291,297 ****
-
-        end = *ptr + length;
-
-!       while (end - *ptr > 0) {
-  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
-  	if (ucs4 == 0)
-  	  goto fail;
--- 291,297 ----
-
-        end = *ptr + length;
-
-!       while (end - *ptr > 0 && **ptr != '\0') {
-  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
-  	if (ucs4 == 0)
-  	  goto fail;
--- a/libid3tag-unknown-encoding.patch
+++ b/libid3tag-unknown-encoding.patch
@ -0,0 +1,42 @@
+References: https://sources.debian.org/src/libid3tag/0.15.1b-13/debian/patches/11_unknown_encoding.dpatch/
+From: Karol Babioch <kbabioch@suse.com>
+Date: Wed Feb 21 13:23:47 CET 2018
+Upstream: dead
+Subject: Fix unknown encoding when parsing ID3 tags
+
+Fixes the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 CVE-2008-2109 bsc#387731)
+
+---
+ compat.gperf |    3 +++
+ parse.c      |    4 ++++
+ 2 files changed, 7 insertions(+)
+
+Index: libid3tag-0.15.1b/compat.gperf
+===================================================================
+--- libid3tag-0.15.1b.orig/compat.gperf
+++ libid3tag-0.15.1b/compat.gperf
+@@ -241,6 +241,9 @@ int id3_compat_fixup(struct id3_tag *tag
+     encoding = id3_parse_uint(&data, 1);
+     string   = id3_parse_string(&data, end - data, encoding, 0);
+ 
+    if (!string)
+	continue;
+
+     if (id3_ucs4_length(string) < 4) {
+       free(string);
+       continue;
+Index: libid3tag-0.15.1b/parse.c
+===================================================================
+--- libid3tag-0.15.1b.orig/parse.c
+++ libid3tag-0.15.1b/parse.c
+@@ -165,6 +165,10 @@ id3_ucs4_t *id3_parse_string(id3_byte_t
+   case ID3_FIELD_TEXTENCODING_UTF_8:
+     ucs4 = id3_utf8_deserialize(ptr, length);
+     break;
+
+  default:
+    /* FIXME: Unknown encoding! Print warning? */
+    return NULL;
+   }
+ 
+   if (ucs4 && !full) {
--- a/libid3tag-utf16.patch
+++ b/libid3tag-utf16.patch
@ -0,0 +1,38 @@
+From: Karol Babioch <kbabioch@suse.com>
+Date: Tue Feb 20 17:52:15 CET 2018
+Upstream: dead
+References: https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
+Subject: Fixes utf16 handling in case of an odd number of bytes
+
+Fixes id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags
+encoded in UTF-16 with an odd number of bytes, triggering an endless loop
+allocating memory until OOM leading to DoS. (CVE-2004-2779 bsc#1081959
+CVE-2017-11551 bsc#1081961)
+
+---
+ utf16.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: libid3tag-0.15.1b/utf16.c
+===================================================================
+--- libid3tag-0.15.1b.orig/utf16.c
+++ libid3tag-0.15.1b/utf16.c
+@@ -282,5 +282,18 @@ id3_ucs4_t *id3_utf16_deserialize(id3_by
+ 
+   free(utf16);
+ 
+  if (end == *ptr && length % 2 != 0)
+  {
+     /* We were called with a bogus length.  It should always
+      * be an even number.  We can deal with this in a few ways:
+      * - Always give an error.
+      * - Try and parse as much as we can and
+      *   - return an error if we're called again when we
+      *     already tried to parse everything we can.
+      *   - tell that we parsed it, which is what we do here.
+      */
+     (*ptr)++;
+  }
+
+   return ucs4;
+ }
--- a/libid3tag.changes
+++ b/libid3tag.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb 21 10:59:28 UTC 2018 - kbabioch@suse.com
+
+- Added libid3tag-utf16.patch: Fixed id3_utf16_deserialize() in utf16.c,
+  which previously misparsed ID3v2 tags encoded in UTF-16 with an odd
+  number of bytes, triggering an endless loop allocating memory until
+  OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551
+  bsc#1081961)
+
+- Added libid3tag-unknown-encoding.patch: Fixed the handling of unknown
+  encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962
+  CVE-2008-2109 bsc#387731)
+
+- Removed libid3tag-0.15.1b-fix_overflow.patch, since it is handled
+  differently by libid3tag-utf16.patch already.
+
 -------------------------------------------------------------------
 Wed Oct 11 08:15:53 UTC 2017 - lnussel@suse.de

--- a/libid3tag.spec
+++ b/libid3tag.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libid3tag
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -31,10 +31,11 @@ Patch1:         libid3tag-gperf.dif
 Patch2:         libid3tag-0.15.1b-mb.diff
 Patch3:         libid3tag-automake-fix.dif
 Patch4:         libid3tag-optflags.patch
-Patch5:         libid3tag-0.15.1b-fix_overflow.patch
-Patch6:         libid3tag-visibility.patch
+Patch5:         libid3tag-visibility.patch
 # PATCH-FIX-UPSTREAM fix-build-with-gperf-3.1.diff alarrosa@suse.com -- Fix build with gperf 3.1
-Patch7:         fix-build-with-gperf-3.1.diff
+Patch6:         fix-build-with-gperf-3.1.diff
+Patch7:         libid3tag-utf16.patch
+Patch8:         libid3tag-unknown-encoding.patch
 BuildRequires:  gperf
 BuildRequires:  libtool
 BuildRequires:  pkg-config
@ -74,10 +75,11 @@ develop applications with libid3tag.
 %patch3
 %patch4
 %patch5
-%patch6
 %if 0%{?suse_version} > 1320
-%patch7 -p1
+%patch6 -p1
 %endif
+%patch7 -p1
+%patch8 -p1

 %build
 autoreconf -fiv