From 8395e407819417c5ce0f472f1cd99370604cab6ee162a51df90c857b55312f88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 21 Feb 2018 13:18:47 +0000
Subject: [PATCH] Accepting request 578693 from home:kbabioch:branches:multimedia:libs

- Added libid3tag-utf16.patch: Fixed id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551 bsc#1081961)
- Added libid3tag-unknown-encoding.patch: Fixed the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 CVE-2008-2109 bsc#387731)
- Removed libid3tag-0.15.1b-fix_overflow.patch, since it is handled differently by libid3tag-utf16.patch already.

OBS-URL: https://build.opensuse.org/request/show/578693
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libid3tag?expand=0&rev=18
---
 libid3tag-0.15.1b-fix_overflow.patch | 19 -------------
 libid3tag-unknown-encoding.patch | 42 ++++++++++++++++++++++++++++
 libid3tag-utf16.patch | 38 +++++++++++++++++++++++++
 libid3tag.changes | 16 +++++++++++
 libid3tag.spec | 14 ++++++----
 5 files changed, 104 insertions(+), 25 deletions(-)
 delete mode 100644 libid3tag-0.15.1b-fix_overflow.patch
 create mode 100644 libid3tag-unknown-encoding.patch
 create mode 100644 libid3tag-utf16.patch

diff --git a/libid3tag-0.15.1b-fix_overflow.patch b/libid3tag-0.15.1b-fix_overflow.patch
deleted file mode 100644
index 4a89d4e..0000000
--- a/libid3tag-0.15.1b-fix_overflow.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-*** field.c 2003-04-19 09:14:33.000000000 +0900
---- field-patched.c 2008-01-13 16:08:22.000000000 +0900
-*************
-*** 291,297 ****
-
- end = *ptr + length;
-
-! while (end - *ptr > 0) {
- ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
- if (ucs4 == 0)
- goto fail;
---- 291,297 ----
-
- end = *ptr + length;
-
-! while (end - *ptr > 0 && **ptr != '\0') {
- ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
- if (ucs4 == 0)
- goto fail;
diff --git a/libid3tag-unknown-encoding.patch b/libid3tag-unknown-encoding.patch
new file mode 100644
index 0000000..e66c546
--- /dev/null
+++ b/libid3tag-unknown-encoding.patch
@@ -0,0 +1,42 @@
+References: https://sources.debian.org/src/libid3tag/0.15.1b-13/debian/patches/11_unknown_encoding.dpatch/
+From: Karol Babioch
+Date: Wed Feb 21 13:23:47 CET 2018
+Upstream: dead
+Subject: Fix unknown encoding when parsing ID3 tags
+
+Fixes the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 CVE-2008-2109 bsc#387731)
+
+---
+ compat.gperf | 3 +++
+ parse.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+Index: libid3tag-0.15.1b/compat.gperf
+===================================================================
+--- libid3tag-0.15.1b.orig/compat.gperf
++++ libid3tag-0.15.1b/compat.gperf
+@@ -241,6 +241,9 @@ int id3_compat_fixup(struct id3_tag *tag
+ encoding = id3_parse_uint(&data, 1);
+ string = id3_parse_string(&data, end - data, encoding, 0);
+ 
++ if (!string)
++ continue;
++
+ if (id3_ucs4_length(string) < 4) {
+ free(string);
+ continue;
+Index: libid3tag-0.15.1b/parse.c
+===================================================================
+--- libid3tag-0.15.1b.orig/parse.c
++++ libid3tag-0.15.1b/parse.c
+@@ -165,6 +165,10 @@ id3_ucs4_t *id3_parse_string(id3_byte_t
+ case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+ }
+ 
+ if (ucs4 && !full) {
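Review bot: The new `default:` branch makes id3_parse_string return NULL for any text-encoding byte the switch does not recognise, but the only caller the patch teaches about that is id3_compat_fixup (`if (!string) continue;`); the field.c loop visible in the removed fix_overflow patch already does `if (ucs4 == 0) goto fail;`, and every other caller of id3_parse_string in the tree needs the same NULL check before the change is complete. The `/* FIXME: Unknown encoding! Print warning? */` comment records a question rather than the contract; I would replace it with `/* Unrecognised text-encoding byte in the tag: refuse to decode it. Callers must treat a NULL return as a parse failure. */`. Nothing in the visible context is allocated before the new branch returns, so the early return looks leak-free, but id3_parse_string begins outside the hunk and that should be confirmed against the full function.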
diff --git a/libid3tag-utf16.patch b/libid3tag-utf16.patch
new file mode 100644
index 0000000..b7f3f4d
--- /dev/null
+++ b/libid3tag-utf16.patch
@@ -0,0 +1,38 @@
+From: Karol Babioch
+Date: Tue Feb 20 17:52:15 CET 2018
+Upstream: dead
+References: https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
+Subject: Fixes utf16 handling in case of an odd number of bytes
+
+Fixes id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags
+encoded in UTF-16 with an odd number of bytes, triggering an endless loop
+allocating memory until OOM leading to DoS. (CVE-2004-2779 bsc#1081959
+CVE-2017-11551 bsc#1081961)
+
+---
+ utf16.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: libid3tag-0.15.1b/utf16.c
+===================================================================
+--- libid3tag-0.15.1b.orig/utf16.c
++++ libid3tag-0.15.1b/utf16.c
+@@ -282,5 +282,18 @@ id3_ucs4_t *id3_utf16_deserialize(id3_by
+ 
+ free(utf16);
+ 
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/libid3tag.changes b/libid3tag.changes
index 90052ac..341f3a1 100644
--- a/libid3tag.changes
+++ b/libid3tag.changes
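Review bot: The added block advances `*ptr` past the trailing odd byte only when `end == *ptr`, which presumes that `end` was derived from `length` rounded down to an even count earlier in id3_utf16_deserialize; that computation lies outside the hunk, so the fix is only correct if it is really there and that should be confirmed. The comment lists rejected alternatives but never says why consuming the byte matters; I would replace it with a comment stating that the 16-bit loop above can never consume an odd trailing byte, so it is swallowed here to guarantee forward progress for callers that loop on `end - *ptr > 0` (the field.c loop shown in the removed fix_overflow patch), which is the unbounded allocation the commit message describes. The removed field.c guard `**ptr != '\0'` stopped that loop only when the stray byte happened to be NUL, so this looks like the more general fix and dropping the old patch appears justified. Style: the `{` on its own line departs from the K&R bracing used nearby (`if (ucs4 && !full) {` in the parse.c hunk); `if (end == *ptr && length % 2 != 0) {` would match the file.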
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb 21 10:59:28 UTC 2018 - kbabioch@suse.com
+
+- Added libid3tag-utf16.patch: Fixed id3_utf16_deserialize() in utf16.c,
+ which previously misparsed ID3v2 tags encoded in UTF-16 with an odd
+ number of bytes, triggering an endless loop allocating memory until
+ OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551
+ bsc#1081961)
+
+- Added libid3tag-unknown-encoding.patch: Fixed the handling of unknown
+ encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962
+ CVE-2008-2109 bsc#387731)
+
+- Removed libid3tag-0.15.1b-fix_overflow.patch, since it is handled
+ differently by libid3tag-utf16.patch already.
+
 -------------------------------------------------------------------
 Wed Oct 11 08:15:53 UTC 2017 - lnussel@suse.de
 
diff --git a/libid3tag.spec b/libid3tag.spec
index 3b07407..347d117 100644
--- a/libid3tag.spec
+++ b/libid3tag.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libid3tag
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,10 +31,11 @@ Patch1: libid3tag-gperf.dif
 Patch2: libid3tag-0.15.1b-mb.diff
 Patch3: libid3tag-automake-fix.dif
 Patch4: libid3tag-optflags.patch
-Patch5: libid3tag-0.15.1b-fix_overflow.patch
-Patch6: libid3tag-visibility.patch
+Patch5: libid3tag-visibility.patch
 # PATCH-FIX-UPSTREAM fix-build-with-gperf-3.1.diff alarrosa@suse.com -- Fix build with gperf 3.1
-Patch7: fix-build-with-gperf-3.1.diff
+Patch6: fix-build-with-gperf-3.1.diff
+Patch7: libid3tag-utf16.patch
+Patch8: libid3tag-unknown-encoding.patch
 BuildRequires: gperf
 BuildRequires: libtool
 BuildRequires: pkg-config
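Review bot: The two new security patches are declared without the `# PATCH-FIX-* <file> <email> -- <reason>` tag line this spec already uses for fix-build-with-gperf-3.1.diff, so a reader of the spec cannot tell which CVEs Patch7 and Patch8 address without opening the patch files. I would precede them with `# PATCH-FIX-UPSTREAM libid3tag-utf16.patch kbabioch@suse.com -- Fix endless allocation on odd-length UTF-16 tags (CVE-2004-2779, CVE-2017-11551)` and `# PATCH-FIX-UPSTREAM libid3tag-unknown-encoding.patch kbabioch@suse.com -- Reject unknown text encodings (CVE-2017-11550, CVE-2008-2109)`, using whichever PATCH-FIX category the packaging guideline assigns to patches taken from Debian against a dead upstream. Renumbering libid3tag-visibility.patch and fix-build-with-gperf-3.1.diff down to Patch5/Patch6 (and the matching `%patch5`/`%patch6` lines in the %prep hunk that follows) silently changes what those numbers mean between revisions; leaving Patch5 unused and appending the new patches after the existing ones would make the spec history easier to audit.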
@@ -74,10 +75,11 @@ develop applications with libid3tag.
 %patch3
 %patch4
 %patch5
-%patch6
 %if 0%{?suse_version} > 1320
-%patch7 -p1
+%patch6 -p1
 %endif
+%patch7 -p1
+%patch8 -p1
 
 %build
 autoreconf -fiv