diff --git a/vlc-CVE-2019-13602_1.patch b/vlc-CVE-2019-13602_1.patch
new file mode 100644
index 0000000..5ca1f1e
--- /dev/null
+++ b/vlc-CVE-2019-13602_1.patch
@@ -0,0 +1,35 @@
+From b2b157076d9e94df34502dd8df0787deb940e938 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Thu, 27 Jun 2019 23:19:38 +0300
+Subject: [PATCH] mp4: fix integer underflow
+
+Reported-by: Hyeon-Ju Lee
+---
+ modules/demux/mp4/mp4.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
+index 540aa836c2..77b46de1c3 100644
+--- a/modules/demux/mp4/mp4.c
++++ b/modules/demux/mp4/mp4.c
+@@ -510,11 +510,11 @@ static block_t * MP4_EIA608_Convert( block_t * p_block )
+ block_t *p_newblock;
+
+ /* always need at least 10 bytes (atom size+header+1pair)*/
+- if ( i_remaining < 10 ||
+- !(i_bytes = GetDWBE(p_block->p_buffer)) ||
+- (i_bytes > i_remaining) ||
+- memcmp("cdat", &p_block->p_buffer[4], 4) ||
+- !(p_newblock = block_Alloc( i_remaining * 3 - 8 )) )
++ i_bytes = GetDWBE(p_block->p_buffer);
++
++ if (10 < i_bytes || i_bytes < i_remaining ||
++ memcmp("cdat", &p_block->p_buffer[4], 4) ||
++ (p_newblock = block_Alloc(i_remaining * 3 - 8)) == NULL)
+ {
+ p_block->i_buffer = 0;
+ return p_block;
+--
+2.11.0
+
+
diff --git a/vlc-CVE-2019-13602_2.patch b/vlc-CVE-2019-13602_2.patch
new file mode 100644
index 0000000..6f4903c
--- /dev/null
+++ b/vlc-CVE-2019-13602_2.patch
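Review bot: Both size comparisons in the rewritten guard of the embedded mp4.c hunk point the wrong way: `10 < i_bytes || i_bytes < i_remaining` drops every cdat atom longer than 10 bytes and lets through one whose declared size exceeds what remains, the reverse of the comment above it and of the removed lines. With the `i_remaining < 10` test gone, a short block can still reach `block_Alloc(i_remaining * 3 - 8)`, so the underflow this patch is filed against does not appear to be closed, and `GetDWBE(p_block->p_buffer)` plus the `memcmp` at offset 4 now run before any length check (the hunk carried by vlc-CVE-2019-13602_2.patch has the same unguarded `GetDWBE(p_read)`). I would write the guard as `if (i_remaining < 10 || (i_bytes = GetDWBE(p_block->p_buffer)) < 10 || i_bytes > i_remaining ||` and keep the last two operands as they are. MP4_EIA608_Convert starts and ends outside the hunk, so the declaration of `i_remaining` is not visible and its signedness is assumed here.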
@@ -0,0 +1,33 @@
+From 8e8e0d72447f8378244f5b4a3dcde036dbeb1491 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Thu, 27 Jun 2019 23:19:38 +0300
+Subject: [PATCH] mp4: fix integer underflow
+
+Reported-by: Hyeon-Ju Lee
+---
+ modules/demux/mp4/mp4.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/demux/mp4/mp4.c b/modules/demux/mp4/mp4.c
+index 77b46de1c3..83f36db1a7 100644
+--- a/modules/demux/mp4/mp4.c
++++ b/modules/demux/mp4/mp4.c
+@@ -536,10 +536,10 @@ static block_t * MP4_EIA608_Convert( block_t * p_block )
+ } while( i_bytes >= 2 );
+
+ /* cdt2 is optional */
+- if ( i_remaining >= 10 &&
+- (i_bytes = GetDWBE(p_read)) &&
+- (i_bytes <= i_remaining) &&
+- !memcmp("cdt2", &p_read[4], 4) )
++ i_bytes = GetDWBE(p_read);
++
++ if (10 <= i_bytes && i_bytes <= i_remaining &&
++ !memcmp("cdt2", &p_read[4], 4))
+ {
+ p_read += 8;
+ i_bytes -= 8;
+--
+2.11.0
+
+
diff --git a/vlc-CVE-2019-13962.patch b/vlc-CVE-2019-13962.patch
new file mode 100644
index 0000000..14c667e
--- /dev/null
+++ b/vlc-CVE-2019-13962.patch
@@ -0,0 +1,38 @@
+From 2b4f9d0b0e0861f262c90e9b9b94e7d53b864509 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie
+Date: Mon, 20 May 2019 14:27:39 +0200
+Subject: [PATCH] codec: avcodec: fix broken check before copy (fix #22240)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+copy parameters are the picture ones
+
+regression by c988b8d58b01ef6d628e3051774a2032dd7f6b7d
+
+(cherry picked from commit 603ecaf0f3fdf3b0a83cd2c773e05ac347b2149a)
+Signed-off-by: Hugo Beauzée-Luyssen
+---
+ modules/codec/avcodec/video.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/modules/codec/avcodec/video.c b/modules/codec/avcodec/video.c
+index 097e7cb11a..c5899fd736 100644
+--- a/modules/codec/avcodec/video.c
++++ b/modules/codec/avcodec/video.c
+@@ -364,8 +364,9 @@ static int lavc_CopyPicture(decoder_t *dec, picture_t *pic, AVFrame *frame)
+ sys->p_context->pix_fmt, (name != NULL) ? name : "unknown");
+ return VLC_EGENERIC;
+ } else if (fourcc != pic->format.i_chroma
+- || frame->width > (int) pic->format.i_width
+- || frame->height > (int) pic->format.i_height)
++ /* ensure we never read more than dst lines/pixels from src */
++ || frame->width != (int) pic->format.i_visible_width
++ || frame->height < (int) pic->format.i_visible_height)
+ {
+ msg_Warn(dec, "dropping frame because the vout changed");
+ return VLC_EGENERIC;
+--
+2.11.0
+
+
diff --git a/vlc.changes b/vlc.changes
index ed2d478..4fccf96 100644
--- a/vlc.changes
+++ b/vlc.changes
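Review bot: The comment added inside the condition, `/* ensure we never read more than dst lines/pixels from src */`, does not explain why width is tested with `!=` while height is tested with `<`, and that asymmetry is what a later reader is most likely to change back. Going by the patch description ("copy parameters are the picture ones"), the copy is sized by the picture's visible area, so I would spell that out: `/* the copy is sized by pic's visible area: src must match its width and have at least as many lines */`. The copy itself is outside the hunk, so this reading should be checked against it.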
@@ -1,7 +1,24 @@
+-------------------------------------------------------------------
+Sun Aug 4 01:44:44 UTC 2019 - Stefan Brüns
+
+- Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some
+ image loading libraries (libpng, libjpeg, ...) which are either wrapped
+ by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so).
+
+-------------------------------------------------------------------
+Wed Jul 31 07:51:02 UTC 2019 - Dominique Leuenberger
+
+- Add vlc-CVE-2019-13602_1.patch and vlc-CVE-2019-13602_2.patch:
+ fix integer underflow in mp4 demuxer (CVE-2019-13602,
+ boo#1141522).
+- Add vlc-CVE-2019-13962.patch: codec: avcodec: fix broken check
+ before copy (CVE-2019-13962, boo#1142161).
+
 -------------------------------------------------------------------
 Fri Jun 14 17:14:13 UTC 2019 - Dominique Leuenberger
 
-- Update to version 3.0.7.1:
+- Update to version 3.0.7.1 (CVE-2019-5439, CVE-2019-5459,
+ CVE-2019-5460, CVE-2019-12874, boo#1138933, boo#1143549, boo#1138354, boo#1143547)
 + Access: Update libbluray to 1.1.2.
 + Video Output:
 * Fix hardware acceleration with some AMD drivers
@@ -109,7 +126,7 @@ Thu Jan 3 18:38:26 UTC 2019 - Stefan Brüns
 -------------------------------------------------------------------
 Sat Dec 29 02:42:11 UTC 2018 - sean@suspend.net
 
-- Update to version 3.0.5:
+- Update to version 3.0.5 (CVE-2018-19857, boo#1118586):
 + Access:
 * Improve RTSP playback
 * BluRay fixes and improvements, notably for menus and seeking
diff --git a/vlc.spec b/vlc.spec
index 6311a9d..ef4bef6 100644
--- a/vlc.spec
+++ b/vlc.spec
@@ -51,6 +51,12 @@ Patch1: vlc-allow-deprecated-fribidi.patch
 Patch2: vlc-lua-5.3.patch
 # PATCH-FIX-UPSTREAM fix-build-with-fdk-2.0.patch -- Fix building vlc with libfdk-aac v2
 Patch3: fix-build-with-fdk-2.0.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2019-13962.patch -- Fix An Integer Underflow in MP4_EIA608_Convert()
+Patch4: vlc-CVE-2019-13962.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2019-13602_1.patch -- mp4: fix integer underflow
+Patch5: vlc-CVE-2019-13602_1.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2019-13602_2.patch -- mp4: fix integer underflow
+Patch6: vlc-CVE-2019-13602_2.patch
 # PATCH-FEATURE-OPENSUSE vlc-projectM-qt5.patch -- Build against projectM-qt5; openSUSE provides projectM as -qt and -qt5 variant
 Patch100: vlc-projectM-qt5.patch
 # PATCH-FIX-UPSTREAM 0001-Fix-leaking-AvahiServiceResolver-in-the-error-paths.patch -- Fix some memleaks
@@ -58,7 +64,6 @@ Patch101: 0001-Fix-leaking-AvahiServiceResolver-in-the-error-paths.patch
 # PATCH-FIX-UPSTREAM 0002-Add-Avahi-implementation-for-chromecast-renderer-dis.patch -- Use Avahi for discovery, microdns is not available
 Patch102: 0002-Add-Avahi-implementation-for-chromecast-renderer-dis.patch
 BuildRequires: Mesa-devel
-BuildRequires: SDL-devel >= 1.2.10
 BuildRequires: aalib-devel
 BuildRequires: alsa-devel >= 1.0.24
 BuildRequires: avahi-devel >= 0.6
@@ -192,7 +197,6 @@ BuildRequires: pkgconfig(Qt5X11Extras)
 BuildRequires: pkgconfig(xi)
 %endif
 %if 0%{?is_opensuse}
-BuildRequires: pkgconfig(SDL_image) >= 1.2.10
 BuildRequires: pkgconfig(libupnp)
 BuildRequires: pkgconfig(opencv) > 2.0
 %ifarch %{ix86} x86_64
@@ -380,6 +384,9 @@ default when `vlc` is invoked from an X session.
 %patch0 -p1
 %patch1 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %if 0%{?suse_version} > 1320 && 0%{?suse_version} < 1550
 %patch100 -p1
 %endif
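Review bot: The comment added above `Patch4` in the first vlc.spec hunk describes the wrong fix: it labels vlc-CVE-2019-13962.patch as "Fix An Integer Underflow in MP4_EIA608_Convert()", but that patch, added in this same commit, changes the size check in lavc_CopyPicture in modules/codec/avcodec/video.c. The MP4_EIA608_Convert underflow is what the two CVE-2019-13602 patches address. I would change the line to `# PATCH-FIX-UPSTREAM vlc-CVE-2019-13962.patch -- codec: avcodec: fix broken check before copy`, matching the vlc.changes entry, so that an audit of which patch covers which CVE is not misled.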
@@ -589,9 +596,6 @@ done
 %{_libdir}/vlc/plugins/audio_output/libpulse_plugin.so
 %{_libdir}/vlc/plugins/codec/libavcodec_plugin.so
 %{_libdir}/vlc/plugins/codec/liblibass_plugin.so
-%if 0%{?is_opensuse}
-%{_libdir}/vlc/plugins/codec/libsdl_image_plugin.so
-%endif
 %{_libdir}/vlc/plugins/control/libxcb_hotkeys_plugin.so
 %{_libdir}/vlc/plugins/demux/libavformat_plugin.so
 %{_libdir}/vlc/plugins/gui/libskins2_plugin.so