pool/libvorbis
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 588024 from home:tiwai:branches:multimedia:libs

Browse Source 
- Update to version 1.3.6:
  * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
  * Fix CVE-2017-14632 - free() on unitialized data
  * Fix CVE-2017-14633 - out-of-bounds read
  * Fix bitrate metadata parsing.
  * Fix out-of-bounds read in codebook parsing.
  * Fix residue vector size in Vorbis I spec.
  * Appveyor support
  * Travis CI support
  * Add secondary CMake build system.
  * Build system fixes
- Build documents with doxygen, and many tex stuff;
  this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
  vorbis-fix-linking.patch
  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
  libvorbis-CVE-2018-5146.patch

OBS-URL: https://build.opensuse.org/request/show/588024
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=56
This commit is contained in:
Takashi Iwai 2018-03-16 22:13:48 +00:00 committed by Git OBS Bridge
parent 475b820979
commit d1ae3d83a0
8 changed files with 57 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
View File

@ -1,29 +0,0 @@
From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Tue, 31 Oct 2017 18:32:46 +0100
Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
Otherwise
for(i=0;i<vi->channels;i++){
/* the encoder setup assumes that all the modes used by any
specific bitrate tweaking use the same floor */
int submap=info->chmuxlist[i];
overreads later in mapping0_forward since chmuxlist is a fixed array of
256 elements max.
---
lib/info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/info.c
+++ b/lib/info.c
@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp
oggpack_buffer opb;
private_state *b=v->backend_state;
- if(!b||vi->channels<=0){
+ if(!b||vi->channels<=0||vi->channels>256){
ret=OV_EFAULT;
goto err_out;
}

49
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
View File

@ -1,49 +0,0 @@
From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 15 Nov 2017 18:22:59 +0100
Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
if not initialized
If the number of channels is not within the allowed range
we call oggback_writeclear altough it's not initialized yet.
This fixes
=23371== Invalid free() / delete / delete[] / realloc()
==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
as seen when using the testcase from CVE-2017-11333 with
008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
there before.
---
lib/info.c | 1 +
1 file changed, 1 insertion(+)
--- a/lib/info.c
+++ b/lib/info.c
@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp
private_state *b=v->backend_state;
if(!b||vi->channels<=0||vi->channels>256){
+ b = NULL;
ret=OV_EFAULT;
goto err_out;
}

3
libvorbis-1.3.5.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1
size 1193144

3
libvorbis-1.3.6.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415
size 1195388

90
libvorbis-CVE-2018-5146.patch
View File

@ -1,90 +0,0 @@
Fix out of bounds memory write while processing Vorbis audio data
Taken from firefox fix patch (CVE-2018-5146, bsc#1085687)
# HG changeset patch
# User Monty Montgomery <monty@xiph.org>
# Date 1521151925 14400
# Node ID 494e5d5278ba6f5fdda9a2bb9ac7ca772653ee4a
# Parent f2eb8ad26a29ec9715a1994b982cbe35a3ba3a12
Bug 1446062 - Vorbis fix. r=jmspeex, a=lizzard
---
lib/codebook.c | 48 ++++++++++--------------------------------------
1 file changed, 10 insertions(+), 38 deletions(-)
--- a/lib/codebook.c
+++ b/lib/codebook.c
@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *
t[i] = book->valuelist+entry[i]*book->dim;
}
for(i=0,o=0;i<book->dim;i++,o+=step)
- for (j=0;j<step;j++)
+ for (j=0;o+j<n && j<step;j++)
a[o+j]+=t[j][i];
}
return(0);
@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *b
int i,j,entry;
float *t;
- if(book->dim>8){
- for(i=0;i<n;){
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;)
- a[i++]+=t[j++];
- }
- }else{
- for(i=0;i<n;){
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- t = book->valuelist+entry*book->dim;
- j=0;
- switch((int)book->dim){
- case 8:
- a[i++]+=t[j++];
- case 7:
- a[i++]+=t[j++];
- case 6:
- a[i++]+=t[j++];
- case 5:
- a[i++]+=t[j++];
- case 4:
- a[i++]+=t[j++];
- case 3:
- a[i++]+=t[j++];
- case 2:
- a[i++]+=t[j++];
- case 1:
- a[i++]+=t[j++];
- case 0:
- break;
- }
- }
+ for(i=0;i<n;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ t = book->valuelist+entry*book->dim;
+ for(j=0;i<n && j<book->dim;)
+ a[i++]+=t[j++];
}
}
return(0);
@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *
long i,j,entry;
int chptr=0;
if(book->used_entries>0){
- for(i=offset/ch;i<(offset+n)/ch;){
+ int m=(offset+n)/ch;
+ for(i=offset/ch;i<m;){
entry = decode_packed_entry_number(book,b);
if(entry==-1)return(-1);
{
const float *t = book->valuelist+entry*book->dim;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=t[j];
if(chptr==ch){
chptr=0;

23
libvorbis.changes
View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Fri Mar 16 22:12:35 CET 2018 - tiwai@suse.de
- Update to version 1.3.6:
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes
- Build documents with doxygen, and many tex stuff;
this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
vorbis-fix-linking.patch
0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
libvorbis-CVE-2018-5146.patch
-------------------------------------------------------------------
Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de

48
libvorbis.spec
View File

@ -16,8 +16,14 @@
#
%if 0%{?suse_version} > 1320
%define build_docs 1
%else
%define build_docs 0
%endif
Name: libvorbis
Version: 1.3.5
Version: 1.3.6
Release: 0
Summary: The Vorbis General Audio Compression Codec
License: BSD-3-Clause
@ -27,19 +33,27 @@ Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar
Source1: baselibs.conf
Patch1: libvorbis-lib64.dif
Patch2: libvorbis-m4.dif
# URL http://www.geocities.jp/aoyoume/aotuv/
# 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff'
# PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddwarf@opensuse.org -- Use Requires/Libs.private to avoid overlinking
Patch11: vorbis-fix-linking.patch
Patch12: vorbis-ocloexec.patch
Patch21: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
Patch22: 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
Patch31: libvorbis-CVE-2018-5146.patch
BuildRequires: fdupes
BuildRequires: libogg-devel
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: xz
%if %build_docs
BuildRequires: doxygen
BuildRequires: texlive-babel-english
BuildRequires: texlive-latex
BuildRequires: texlive-tex4ht
BuildRequires: tex(a4wide.sty)
BuildRequires: tex(capt-of.sty)
BuildRequires: tex(csquotes.sty)
BuildRequires: tex(enumitem.sty)
BuildRequires: tex(fancyvrb.sty)
BuildRequires: tex(grffile.sty)
BuildRequires: tex(parskip.sty)
BuildRequires: tex(ulem.sty)
BuildRequires: tex(underscore.sty)
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# bug437293 (SLES10 -> SLES11 upgrade path)
%ifarch ppc64
@ -119,9 +133,7 @@ to compile and develop applications that use libvorbis.
%package doc
Summary: Documentation of Ogg/Vorbis library
Group: Documentation/Other
%if 0%{?suse_version} >= 1120
BuildArch: noarch
%endif
%description doc
This package contains documents for Ogg/Vorbis library, including the
@ -134,11 +146,7 @@ API reference.
if [ "%{_lib}" == "lib64" ]; then
%patch1
fi
%patch11 -p1
%patch12
%patch21 -p1
%patch22 -p1
%patch31 -p1
%build
# Fix optimization level
@ -146,15 +154,20 @@ sed -i s,-O20,-O3,g configure.ac
autoreconf -fiv
%configure \
%if %build_docs
--enable-docs \
%endif
--disable-examples \
--disable-static
# parallel-build of docs may fail, so build docs at first
make -C doc
# do parallel-build the rest
make %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
make DESTDIR=%{buildroot} install
mkdir -p %{buildroot}%{_docdir}/%{name}
mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name}
install -c -m 0644 doc/Vorbis_I_spec.* %{buildroot}%{_docdir}/%{name}
# remove unneeded files
find %{buildroot} -type f -name "*.la" -delete -print
find %{buildroot}%{_docdir}/ -empty -delete
@ -189,7 +202,8 @@ make %{?_smp_mflags} check
%files devel
%defattr(-,root,root)
%doc COPYING AUTHORS README *.txt
%doc AUTHORS
%license COPYING
%{_datadir}/aclocal/*.m4
%{_includedir}/vorbis
%{_libdir}/lib*.so

33
vorbis-fix-linking.patch
View File

@ -1,33 +0,0 @@
---
Makefile.am | 4 ++--
configure.ac | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
Index: libvorbis-1.3.5/Makefile.am
===================================================================
--- libvorbis-1.3.5.orig/Makefile.am
+++ libvorbis-1.3.5/Makefile.am
@@ -1,8 +1,8 @@
## Process this file with automake to produce Makefile.in
#AUTOMAKE_OPTIONS = 1.7 foreign dist-zip dist-bzip2
-AUTOMAKE_OPTIONS = foreign 1.11 dist-zip dist-xz
-
+AUTOMAKE_OPTIONS = foreign 1.10 dist-zip
+ACLOCAL_AMFLAGS = -I m4
SUBDIRS = m4 include vq lib test doc
if BUILD_EXAMPLES
Index: libvorbis-1.3.5/configure.ac
===================================================================
--- libvorbis-1.3.5.orig/configure.ac
+++ libvorbis-1.3.5/configure.ac
@@ -8,7 +8,7 @@ dnl ------------------------------------
AC_INIT([libvorbis],[1.3.5],[vorbis-dev@xiph.org])
AC_CONFIG_SRCDIR([lib/mdct.c])
-
+AC_CONFIG_MACRO_DIR([m4])
AC_CANONICAL_TARGET([])
AM_INIT_AUTOMAKE