Accepting request 342561 from home:tiwai:branches:multimedia:libs

- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516) libsndfile-src-common.c-Fix-a-header-parsing-bug.patch libsndfile-fix-header-read-CVE-2015-7805.patch - VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519) libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch - Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro OBS-URL: https://build.opensuse.org/request/show/342561 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=48
2015-11-05 13:58:36 +00:00 · 2015-11-05 13:58:36 +00:00 · 1d554d55a6
commit 1d554d55a6
parent df7aaec981
5 changed files with 137 additions and 0 deletions
--- a/libsndfile-fix-header-read-CVE-2015-7805.patch
+++ b/libsndfile-fix-header-read-CVE-2015-7805.patch
@ -0,0 +1,19 @@
+---
+ src/common.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/src/common.c
+++ b/src/common.c
+@@ -800,9 +800,10 @@ header_read (SF_PRIVATE *psf, void *ptr,
+ 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ 	{	int most ;
+ 
+-		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+		most = SIGNED_SIZEOF (psf->header) - psf->headend ;
+ 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
+-		memcpy (ptr, psf->header + psf->headend, most) ;
+		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+		memcpy (ptr, psf->header + psf->headindex, most) ;
+ 		psf->headend = psf->headindex += most ;
+ 		psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
+ 		return bytes ;
--- a/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
+++ b/libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
@ -0,0 +1,15 @@
+---
+ src/common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/common.c
+++ b/src/common.c
+@@ -1332,7 +1332,7 @@ psf_strlcpy_crlf (char *dest, const char
+ 	char * destend = dest + destmax - 2 ;
+ 	const char * srcend = src + srcmax ;
+ 
+-	while (dest < destend && src < srcend)
+	while (*src && dest < destend && src < srcend)
+ 	{	if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r'))
+ 		{	*dest++ = '\r' ;
+ 			*dest++ = '\n' ;
--- a/libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
+++ b/libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
@ -0,0 +1,81 @@
+From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Sat, 7 Feb 2015 15:45:10 +1100
+Subject: [PATCH] src/common.c : Fix a header parsing bug.
+
+When the file header is bigger that SF_HEADER_LEN, the code would seek
+instead of reading causing file parse errors.
+
+The current header parsing and writing code *badly* needs a re-write.
+---
+ src/common.c |   25 ++++++++++---------------
+ 1 file changed, 10 insertions(+), 15 deletions(-)
+
+--- a/src/common.c
+++ b/src/common.c
+@@ -795,21 +795,16 @@ header_read (SF_PRIVATE *psf, void *ptr,
+ {	int count = 0 ;
+ 
+ 	if (psf->headindex >= SIGNED_SIZEOF (psf->header))
+-	{	memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
+-
+-		/* This is the best that we can do. */
+-		psf_fseek (psf, bytes, SEEK_CUR) ;
+-		return bytes ;
+-		} ;
+		return psf_fread (ptr, 1, bytes, psf) ;
+ 
+ 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ 	{	int most ;
+ 
+ 		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+ 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
+-		memset ((char *) ptr + most, 0, bytes - most) ;
+-
+-		psf_fseek (psf, bytes - most, SEEK_CUR) ;
+		memcpy (ptr, psf->header + psf->headend, most) ;
+		psf->headend = psf->headindex += most ;
+		psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
+ 		return bytes ;
+ 		} ;
+ 
+@@ -817,7 +812,7 @@ header_read (SF_PRIVATE *psf, void *ptr,
+ 	{	count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
+ 		if (count != bytes - (int) (psf->headend - psf->headindex))
+ 		{	psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
+-			return 0 ;
+			return count ;
+ 			} ;
+ 		psf->headend += count ;
+ 		} ;
+@@ -831,7 +826,6 @@ header_read (SF_PRIVATE *psf, void *ptr,
+ static void
+ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ {
+-
+ 	switch (whence)
+ 	{	case SEEK_SET :
+ 			if (position > SIGNED_SIZEOF (psf->header))
+@@ -880,8 +874,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t
+ 
+ static int
+ header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
+-{
+-	int		k ;
+{	int		k ;
+ 
+ 	for (k = 0 ; k < bufsize - 1 ; k++)
+ 	{	if (psf->headindex < psf->headend)
+@@ -1068,8 +1061,10 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case 'j' :
+ 					/* Get the seek position first. */
+ 					count = va_arg (argptr, size_t) ;
+-					header_seek (psf, count, SEEK_CUR) ;
+-					byte_count += count ;
+					if (count)
+					{	header_seek (psf, count, SEEK_CUR) ;
+						byte_count += count ;
+						} ;
+ 					break ;
+ 
+ 			default :
--- a/libsndfile.changes
+++ b/libsndfile.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Nov  4 16:43:39 CET 2015 - tiwai@suse.de
+
+- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516)
+  libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
+  libsndfile-fix-header-read-CVE-2015-7805.patch
+- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519)
+  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
+- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro
+
 -------------------------------------------------------------------
 Wed Nov  4 11:38:16 CET 2015 - tiwai@suse.de

--- a/libsndfile.spec
+++ b/libsndfile.spec
@ -39,6 +39,12 @@ Patch3:         sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
 Patch4:         sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
 # PATCH-FIX-UPSTREAM CVE-2014-9756 bsc#953521
 Patch5:         libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
+# PATCH-FIX-UPSTREAM CVE-2015-7805 bsc#953516
+Patch6:         libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
+# PATCH-FIX-SUSE CVE-2015-7805 bsc#953516
+Patch7:         libsndfile-fix-header-read-CVE-2015-7805.patch
+# PATCH-FIX-SUSE CVE-2015-8075 bsc#953519
+Patch8:         libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
 BuildRequires:  alsa-devel
 BuildRequires:  flac-devel
 BuildRequires:  gcc-c++
@ -90,9 +96,15 @@ libsndfile library.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1

 %build
 %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter
+%if %suse_version < 1200
+sed -i -e'/^AM_SILENT_RULES/d' configure.ac
+%endif
 autoreconf --force --install
 CFLAGS="%{optflags} %{warn_flags}"
 export CFLAGS