OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvorbis?expand=0&rev=9

2008-06-03 14:25:47 +00:00 · 2008-06-03 14:25:47 +00:00 · c1fb2c9bc9
commit c1fb2c9bc9
parent 9a4dbb1003
5 changed files with 76 additions and 1 deletions
--- a/libvorbis-r14598-r14600-CVE-2008-1420.diff
+++ b/libvorbis-r14598-r14600-CVE-2008-1420.diff
@ -0,0 +1,30 @@
+Index: /trunk/vorbis/lib/res0.c
+===================================================================
+--- /trunk/vorbis/lib/res0.c (revision 13578)
+++ /trunk/vorbis/lib/res0.c (revision 14598)
+@@ -224,4 +224,18 @@
+     if(info->booklist[j]>=ci->books)goto errout;
+ 
+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
+   return(info);
+  errout:
+@@ -264,5 +278,5 @@
+   }
+ 
+-  look->partvals=rint(pow((float)look->parts,(float)dim));
+  look->partvals=look->phrasebook->entries;
+   look->stages=maxstage;
+   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
--- a/libvorbis-r14602-CVE-2008-1419.diff
+++ b/libvorbis-r14602-CVE-2008-1419.diff
@ -0,0 +1,11 @@
+Index: /trunk/vorbis/lib/codebook.c
+===================================================================
+--- /trunk/vorbis/lib/codebook.c (revision 13293)
+++ /trunk/vorbis/lib/codebook.c (revision 14602)
+@@ -226,5 +226,5 @@
+       switch(s->maptype){
+       case 1:
+-	quantvals=_book_maptype1_quantvals(s);
+	quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
+ 	break;
+       case 2:
--- a/libvorbis-r14604-CVE-2008-1423.diff
+++ b/libvorbis-r14604-CVE-2008-1423.diff
@ -0,0 +1,11 @@
+Index: /trunk/vorbis/lib/codebook.c
+===================================================================
+--- /trunk/vorbis/lib/codebook.c (revision 14602)
+++ /trunk/vorbis/lib/codebook.c (revision 14604)
+@@ -159,4 +159,6 @@
+   s->entries=oggpack_read(opb,24);
+   if(s->entries==-1)goto _eofout;
+
+  if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
+ 
+   /* codeword ordering.... length ordered or unordered? */
--- a/libvorbis.changes
+++ b/libvorbis.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed May 14 16:41:31 CEST 2008 - tiwai@suse.de
+
+- VUL-0: Multiple vulnerabilities in libogg and libvorbis
+  (bnc#372246)
+  * CVE-2008-1419 vorbis: zero-dim codebooks can cause crash,
+    infinite loop or heap overflow
+  * CVE-2008-1420 vorbis: integer overflow in partvals computation
+  * CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks
+
 -------------------------------------------------------------------
 Mon Apr 28 12:56:34 CEST 2008 - tiwai@suse.de

--- a/libvorbis.spec
+++ b/libvorbis.spec
@ -15,7 +15,7 @@ Name:           libvorbis
 BuildRequires:  libogg-devel pkgconfig
 Summary:        The Vorbis General Audio Compression Codec
 Version:        1.2.0
-Release:        44
+Release:        52
 Group:          System/Libraries
 License:        BSD 3-Clause
 Url:            http://www.vorbis.com/
@ -27,6 +27,9 @@ Patch6:         libvorbis-%{version}-warning-fixes.diff
 Patch7:         libvorbis-cflags.diff
 Patch9:         libvorbis-doc-fixes.diff
 Patch10:        libvorbis-pkgconfig.patch
+Patch11:        libvorbis-r14598-r14600-CVE-2008-1420.diff
+Patch12:        libvorbis-r14602-CVE-2008-1419.diff
+Patch13:        libvorbis-r14604-CVE-2008-1423.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -86,6 +89,9 @@ Authors:
 %patch7
 %patch9
 %patch10
+%patch11 -p3
+%patch12 -p3
+%patch13 -p3
 if [ "%_lib" == "lib64" ]; then
 %patch1
 fi
@ -131,6 +137,13 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %doc %{_docdir}/%{name}

 %changelog
+* Wed May 14 2008 tiwai@suse.de
+- VUL-0: Multiple vulnerabilities in libogg and libvorbis
+  (bnc#372246)
+  * CVE-2008-1419 vorbis: zero-dim codebooks can cause crash,
+  infinite loop or heap overflow
+  * CVE-2008-1420 vorbis: integer overflow in partvals computation
+  * CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks
 * Mon Apr 28 2008 tiwai@suse.de
 - fixed dependency in *.pc files (bnc#384153)
 - removed old run_ldconfig