Accepting request 558536 from home:tiwai:branches:multimedia:libs

- Fix VUL-0: out-of-bounds array read vulnerability exists in
  function mapping0_forward() (CVE-2017-14633, bsc#1059811):
  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
- Fix VUL-0: Remote Code Execution upon freeing uninitialized
  memory in function vorbis_analysis_headerout(CVE-2017-14632,
  bsc#1059809):
  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch

OBS-URL: https://build.opensuse.org/request/show/558536
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=53

0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch

@@ -0,0 +1,29 @@
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+      /* the encoder setup assumes that all the modes used by any
+         specific bitrate tweaking use the same floor */
+      int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+ 
+-  if(!b||vi->channels<=0){
++  if(!b||vi->channels<=0||vi->channels>256){
+     ret=OV_EFAULT;
+     goto err_out;
+   }

0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch

@@ -0,0 +1,49 @@
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }

libvorbis.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de
+
+- Fix VUL-0: out-of-bounds array read vulnerability exists in
+  function mapping0_forward() (CVE-2017-14633, bsc#1059811):
+  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
+- Fix VUL-0: Remote Code Execution upon freeing uninitialized
+  memory in function vorbis_analysis_headerout(CVE-2017-14632,
+  bsc#1059809):
+  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
+
 -------------------------------------------------------------------
 Tue Nov 29 12:14:08 UTC 2016 - aloisio@gmx.com
 

libvorbis.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libvorbis
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@ Patch2:         libvorbis-m4.dif
 # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddwarf@opensuse.org -- Use Requires/Libs.private to avoid overlinking
 Patch11:        vorbis-fix-linking.patch
 Patch12:        vorbis-ocloexec.patch
+Patch21:        0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
+Patch22:        0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
 BuildRequires:  fdupes
 BuildRequires:  libogg-devel
 BuildRequires:  libtool
@@ -53,9 +55,9 @@ libmatroska (matroska) can also be used.
 
 %package -n libvorbis0
 Summary:        The Vorbis General Audio Compression Codec
-Group:          System/Libraries
 #
 # libvorbis was last used in openSUSE 11.3
+Group:          System/Libraries
 Provides:       %{name} = 1.3.2
 Obsoletes:      %{name} < 1.3.2
 # bug437293 (SLES10 -> SLES11 upgrade path)
@@ -133,6 +135,8 @@ if [ "%{_lib}" == "lib64" ]; then
 fi
 %patch11 -p1
 %patch12
+%patch21 -p1
+%patch22 -p1
 
 %build
 # Fix optimization level