diff --git a/0001-libMirage-CSO-filter-validate-part-size.patch b/0001-libMirage-CSO-filter-validate-part-size.patch
new file mode 100644
index 0000000..92102bd
--- /dev/null
+++ b/0001-libMirage-CSO-filter-validate-part-size.patch
@@ -0,0 +1,38 @@
+From 0e9292c9aa34bf545f43f7efe5f0b94faba94962 Mon Sep 17 00:00:00 2001
+From: Rok Mandeljc
+Date: Sun, 25 Aug 2019 14:53:58 +0200
+Subject: [PATCH 1/2] libMirage: CSO filter: validate part size
+
+Part size must be always either smaller than the declared block
+size (compressed block) or equal to it (raw block). If not, return
+error - because we allocate our I/O buffer based on the block size.
+
+Fixes SF bug #119, which is triggered by part size ending up being
+larger than the block size. Thanks to Andrea Fioraldi for report
+and thorough analysis of the issue.
+---
+ libmirage/filters/filter-cso/filter-stream.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libmirage/filters/filter-cso/filter-stream.c b/libmirage/filters/filter-cso/filter-stream.c
+index 5f2f5e25..d43aa54a 100644
+--- a/libmirage/filters/filter-cso/filter-stream.c
++++ b/libmirage/filters/filter-cso/filter-stream.c
+@@ -120,6 +120,14 @@ static gboolean mirage_filter_stream_cso_read_index (MirageFilterStreamCso *self
+ CSO_Part *prev_part = &self->priv->parts[i-1];
+
+ prev_part->comp_size = cur_part->offset - prev_part->offset;
++
++ /* Part size must be either smaller than header->block_size
++ (compressed block ) or equal to it (raw block) */
++ if (prev_part->comp_size > header->block_size) {
++ MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: invalid part/index entry: part data length (%" G_GINT64_MODIFIER "d) exceeds declared block size (%d)!\n", __debug__, prev_part->comp_size, header->block_size);
++ g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_STREAM_ERROR, Q_("Invalid CSO file!"));
++ return FALSE;
++ }
+ }
+ }
+
+--
+2.22.1
+
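Review bot: The added check in `mirage_filter_stream_cso_read_index` bounds `prev_part->comp_size` only from above, although that value is the difference of two offsets taken from the file's index (`cur_part->offset - prev_part->offset`). If the index entries are not monotonically increasing, the difference is negative or wraps, and whether `> header->block_size` rejects it depends on the signedness of `comp_size`, which this hunk does not show (the `G_GINT64_MODIFIER "d"` format hints that it may be treated as signed). An explicit ordering test would make the bound independent of the field types, for example `if (cur_part->offset < prev_part->offset || prev_part->comp_size > header->block_size) {`. The comment could also say why the bound matters: the I/O buffer is sized from `block_size`, as the commit message explains. The loop and function bodies continue outside the hunk.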
diff --git a/0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch b/0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch
new file mode 100644
index 0000000..7f2f5bc
--- /dev/null
+++ b/0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch
@@ -0,0 +1,37 @@
+From f6adcd08beffd9dac2c4a86852ba0bda06870f4f Mon Sep 17 00:00:00 2001
+From: Rok Mandeljc
+Date: Sun, 25 Aug 2019 15:11:23 +0200
+Subject: [PATCH 2/2] libMirage: CSO filter: replaced a g_assert() with error
+ return
+
+---
+ libmirage/filters/filter-cso/filter-stream.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libmirage/filters/filter-cso/filter-stream.c b/libmirage/filters/filter-cso/filter-stream.c
+index d43aa54a..065dc40c 100644
+--- a/libmirage/filters/filter-cso/filter-stream.c
++++ b/libmirage/filters/filter-cso/filter-stream.c
+@@ -70,12 +70,17 @@ static gboolean mirage_filter_stream_cso_read_index (MirageFilterStreamCso *self
+
+ MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: reading part index\n", __debug__);
+
++ if (header->total_bytes % header->block_size) {
++ MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: original stream size (%" G_GUINT64_FORMAT ") is not a multiple of block size (%d)!\n", __debug__, header->total_bytes, header->block_size);
++ g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_STREAM_ERROR, Q_("Invalid CSO file!"));
++ return FALSE;
++ }
++
+ self->priv->num_parts = header->total_bytes / header->block_size;
+ self->priv->num_indices = self->priv->num_parts + 1; /* Contains EOF offset */
+- g_assert(header->total_bytes % header->block_size == 0);
+
+ MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: number of parts: %d\n", __debug__, self->priv->num_parts);
+- MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: original stream size: %" G_GINT64_MODIFIER "d\n", __debug__, header->total_bytes);
++ MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: original stream size: 0x%" G_GINT64_MODIFIER "X (%" G_GUINT64_FORMAT ")\n", __debug__, header->total_bytes, header->total_bytes);
+
+ /* At least one part must be present */
+ if (!self->priv->num_parts) {
+--
+2.22.1
+
diff --git a/libmirage.changes b/libmirage.changes
index af11f60..4bde7eb 100644
--- a/libmirage.changes
+++ b/libmirage.changes
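Review bot: The new `header->total_bytes % header->block_size` test uses a header field as a divisor before anything visible in this hunk has rejected a zero `block_size`. If the header reader does not already validate that field (not shown here), a file whose header declares a block size of 0 would fault on the modulo instead of taking the `Invalid CSO file!` error return that this patch adds for other malformed input. Folding the zero case into the same guard keeps the failure on the error path: `if (!header->block_size || header->total_bytes % header->block_size) {`. The function's body starts and ends outside the hunk.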
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Aug 26 08:28:33 UTC 2019 - Jan Engelhardt + +- Drop SLE11 recipes from specfile, the build is disabled anyway. +- Add 0001-libMirage-CSO-filter-validate-part-size.patch, + 0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch + [boo#1148087, CVE-2019-15540] + ------------------------------------------------------------------- Mon Jul 1 13:34:01 UTC 2019 - Aaron Stern diff --git a/libmirage.spec b/libmirage.spec index ffbc713..402d2b1 100644 --- a/libmirage.spec +++ b/libmirage.spec @@ -27,22 +27,12 @@ Release: 0 URL: http://cdemu.sf.net/about/libmirage/ #Git-Clone: git://git.code.sf.net/p/cdemu/code -Source: http://downloads.sf.net/cdemu/%name-%version.tar.bz2 +Source: https://downloads.sf.net/cdemu/%name-%version.tar.bz2 +Patch1: 0001-libMirage-CSO-filter-validate-part-size.patch +Patch2: 0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch BuildRequires: cmake >= 2.8.5 BuildRequires: intltool >= 0.21 BuildRequires: pkg-config >= 0.16 -%if 0%{?sles_version} && 0%{?suse_version} == 1110 -# SLES 11 is still supported -# Dependencies list in an old style -BuildRequires: glib2-devel >= 2.28 -BuildRequires: gtk-doc >= 1.4 -BuildRequires: libbz2-devel >= 1.0.0 -BuildRequires: libsamplerate-devel >= 0.1.0 -BuildRequires: libsndfile-devel >= 1.0.0 -BuildRequires: shared-mime-info -BuildRequires: xz-devel >= 5.0.0 -BuildRequires: zlib-devel >= 1.2.4 -%else BuildRequires: pkgconfig(bzip2) >= 1.0.0 BuildRequires: pkgconfig(gio-2.0) >= 2.38 BuildRequires: pkgconfig(glib-2.0) >= 2.38 @@ -55,9 +45,7 @@ BuildRequires: pkgconfig(samplerate) >= 0.1.0 BuildRequires: pkgconfig(shared-mime-info) BuildRequires: pkgconfig(sndfile) >= 1.0.0 BuildRequires: pkgconfig(zlib) >= 1.2.4 -%endif Recommends: %name-lang -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description A CD-ROM image access library part of the cdemu suite. 
@@ -123,9 +111,7 @@ Summary: MIME type definitions and documentation for libmirage Group: Development/Libraries/C and C++ Requires(post): shared-mime-info Requires(postun): shared-mime-info -%if 0%{?suse_version} >= 1130 BuildArch: noarch -%endif %description data libmirage provides uniform access to the data stored in different @@ -135,7 +121,7 @@ file. This package contains the MIME type definitions and documentation. %package -n typelib-1_0-libmirage-%pname -Summary: The libmirage CD-ROM image access library – introspection bindings +Summary: Introspection bindings for the libmirage CD-ROM image access library Group: System/Libraries %description -n typelib-1_0-libmirage-%pname @@ -146,7 +132,7 @@ file. This package provides the GObject Introspection bindings for libmirage. %prep -%setup -q +%autosetup -p2 %build %cmake -DCMAKE_MODULE_LINKER_FLAGS="" @@ -160,46 +146,30 @@ make %{?_smp_mflags} %postun -n %lname -p /sbin/ldconfig %post data -%if 0%{?sles_version} && 0%{?suse_version} == 1110 -/usr/bin/update-mime-database %{_datadir}/mime >/dev/null || : -%else %mime_database_post -%endif %postun data -%if 0%{?sles_version} && 0%{?suse_version} == 1110 -/usr/bin/update-mime-database %{_datadir}/mime >/dev/null || : -%else %mime_database_postun -%endif %files -n %lname -%defattr(-,root,root) %_libdir/libmirage.so.11* %files %pname -%defattr(-,root,root) %_libdir/libmirage-3*/ %files data -%defattr(-,root,root) %_datadir/gtk-doc/ %_datadir/mime/packages/* %files devel -%defattr(-,root,root) %_includedir/libmirage-3*/ %_libdir/libmirage.so %_libdir/pkgconfig/libmirage.pc -%if 0%{?suse_version} > 1110 %_datadir/gir-1.0 %files lang -f %name.lang -%defattr(-,root,root) %files -n typelib-1_0-libmirage-%pname -%defattr(-,root,root) %_libdir/girepository-1.0 -%endif %changelog