diff --git a/vlc-CVE-2014-9625.patch b/vlc-CVE-2014-9625.patch
new file mode 100644
index 0000000..6d993c5
--- /dev/null
+++ b/vlc-CVE-2014-9625.patch
@@ -0,0 +1,253 @@
+From b915dc931fe886add566f208650e0ab225acbe3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Wed, 30 Jul 2014 19:05:43 +0300
+Subject: [PATCH 18/39] avformat: initialize probe data (fixes #11851)
+
+(cherry picked from commit 49bd1c657d960ba107d9db8752f716139a938eee)
+---
+ modules/demux/avformat/demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
+index 3bb1266..902ef01 100644
+--- a/modules/demux/avformat/demux.c
++++ b/modules/demux/avformat/demux.c
+@@ -106,7 +106,7 @@ int OpenDemux( vlc_object_t *p_this )
+ {
+ demux_t *p_demux = (demux_t*)p_this;
+ demux_sys_t *p_sys;
+- AVProbeData pd;
++ AVProbeData pd = { };
+ AVInputFormat *fmt = NULL;
+ unsigned int i;
+ int64_t i_start_time = -1;
+--
+2.2.1
+
+From 74996ceefd63adf07e28ea80198200d74a164c9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Sat, 30 Aug 2014 16:41:53 +0300
+Subject: [PATCH 27/39] decomp: fix heap overflow (fixes #12052)
+
+---
+ modules/stream_filter/decomp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/stream_filter/decomp.c b/modules/stream_filter/decomp.c
+index 5a12e87..16a4901 100644
+--- a/modules/stream_filter/decomp.c
++++ b/modules/stream_filter/decomp.c
+@@ -207,7 +207,7 @@ static int Read (stream_t *stream, void *buf, unsigned int buflen)
+ p_sys->offset += length;
+ 
+ if (buflen > 0)
+- length += Read (stream, ((char *)buf) + length, buflen - length);
++ length += Read (stream, buf, buflen);
+ return length;
+ }
+ assert ((buf != NULL) || (buflen == 0));
+--
+2.2.1
+
+From 9ddfcbb6e5222871de9b2047c939cf1da1fdbe7b Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi
+Date: Sat, 6 Dec 2014 13:12:38 +0100
+Subject: [PATCH 34/39] misc: update: fix buffer overflow in updater
+
+On 32 bit builds, parsing of update status files with a size of
+4294967295 or more lead to an integer truncation in a call to malloc
+and a subsequent buffer overflow. This happened prior to checking the
+files' signature. The commit fixes this by disallowing overly large
+status files (above 65k in practice)
+
+Signed-off-by: Jean-Baptiste Kempf
+(cherry picked from commit fbe2837bc80f155c001781041a54c58b5524fc14)
+Signed-off-by: Jean-Baptiste Kempf
+---
+ src/misc/update.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/misc/update.c b/src/misc/update.c
+index 600e900..32e8701 100644
+--- a/src/misc/update.c
++++ b/src/misc/update.c
+@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
+ }
+ 
+ const int64_t i_read = stream_Size( p_stream );
++
++ if( i_read < 0 || i_read >= UINT16_MAX)
++ {
++ msg_Err(p_update->p_libvlc, "Status file too large");
++ goto error;
++ }
++
+ psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
+ if( !psz_update_data )
+ goto error;
+--
+2.2.1
+
+From a99d9cc2fede1a18140b43ffb59cde37cef7478d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi
+Date: Fri, 5 Dec 2014 15:18:22 +0100
+Subject: [PATCH 35/39] codec: schroedinger: fix potential buffer overflow.
+
+The variable len is a raw 32 bit value read using GetDWBE. If this
+value is larger than UINT32_MAX - sizeof(eos), this will cause an
+integer overflow in the subsequent call to malloc, and finally a
+buffer overflow when calling memcpy. We fix this by checking len
+accordingly.
+
+Signed-off-by: Jean-Baptiste Kempf
+(cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5)
+Signed-off-by: Jean-Baptiste Kempf
+---
+ modules/codec/schroedinger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
+index 0c5a7e7..93b72e1 100644
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
+ * is appended to the sequence header to allow guard
+ * against poor streaming servers */
+ /* XXX, should this be done using the packetizer ? */
++
++ if( len > UINT32_MAX - sizeof( eos ) )
++ return NULL;
++
+ p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+ if( !p_enc->fmt_out.p_extra )
+ return NULL;
+--
+2.2.1
+
+From 4e6137bbcd3d74630aa6f0e8b8b5b8aa0c19647d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi
+Date: Fri, 5 Dec 2014 15:37:05 +0100
+Subject: [PATCH 36/39] codec: dmo: avoid null-pointer dereference.
+
+Check the return value of malloc to avoid a null-pointer dereference.
+
+Signed-off-by: Jean-Baptiste Kempf
+(cherry picked from commit 229c385a79d48e41687fae8b4dfeaeef9c8c3eb7)
+Signed-off-by: Jean-Baptiste Kempf
+---
+ modules/codec/dmo/dmo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/codec/dmo/dmo.c b/modules/codec/dmo/dmo.c
+index 6595f70..dd1fbbc 100644
+--- a/modules/codec/dmo/dmo.c
++++ b/modules/codec/dmo/dmo.c
+@@ -1310,6 +1310,9 @@ static int EncoderSetAudioType( encoder_t *p_enc, IMediaObject *p_dmo )
+ msg_Dbg( p_enc, "found cbSize: %i", p_wf->cbSize );
+ p_enc->fmt_out.i_extra = p_wf->cbSize;
+ p_enc->fmt_out.p_extra = malloc( p_enc->fmt_out.i_extra );
++ if( p_enc->fmt_out.p_extra == NULL)
++ return VLC_EGENERIC;
++
+ memcpy( p_enc->fmt_out.p_extra, &p_wf[1], p_enc->fmt_out.i_extra );
+ }
+ 
+--
+2.2.1
+
+From 8eab5c92136ffc60873c41c06e7a6a9266e8af7c Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi
+Date: Fri, 5 Dec 2014 13:52:42 +0100
+Subject: [PATCH 37/39] demux: mp4: fix buffer overflow in parsing of string
+ boxes.
+
+We ensure that pbox->i_size is never smaller than 8 to avoid an
+integer underflow in the third argument of the subsequent call to
+memcpy. We also make sure no truncation occurs when passing values
+derived from the 64 bit integer p_box->i_size to arguments of malloc
+and memcpy that may be 32 bit integers on 32 bit platforms.
+
+Signed-off-by: Jean-Baptiste Kempf
+(cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39)
+Signed-off-by: Jean-Baptiste Kempf
+
+Conflicts:
+ modules/demux/mp4/libmp4.c
+---
+ modules/demux/mp4/libmp4.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 3abb940..ba6dcb9 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2596,6 +2596,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
+ {
+ MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ 
++ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++ MP4_READBOX_EXIT( 0 );
++
+ p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+ if( p_box->data.p_name->psz_text == NULL )
+ MP4_READBOX_EXIT( 0 );
+--
+2.2.1
+
+From 41c52fbf434d6fc59e1a5e90118b8c924ea6f50d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi
+Date: Fri, 5 Dec 2014 13:58:24 +0100
+Subject: [PATCH 38/39] stream_out: rtp: don't use VLA for user controlled data
+
+It should fix a possible invalid memory access
+
+When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+write access using an overly long 'configuration' string.
+
+The original code attemps to allocate space to hold the string on the stack
+and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+buffer on the heap and return if allocation fails.
+
+In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+the size depends on the local variable 'len'. The variable 'len' is
+calculated at (0) to be the length of a string contained in a specially
+crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+
+Signed-off-by: Jean-Baptiste Kempf
+(cherry picked from commit 204291467724867b79735c0ee3aeb0dbc2200f97)
+Signed-off-by: Jean-Baptiste Kempf
+
+Conflicts:
+ modules/stream_out/rtpfmt.c
+---
+ modules/stream_out/rtpfmt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
+index 7b71588..f19f41b 100644
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -540,7 +540,11 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
+ char *end = strchr(start, ';');
+ assert(end != NULL);
+ size_t len = end - start;
+- char b64[len + 1];
++
++ char *b64 = malloc(len + 1);
++ if(!b64)
++ return VLC_EGENERIC;
++
+ memcpy(b64, start, len);
+ b64[len] = '\0';
+ 
+@@ -550,6 +554,7 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
+ int i_data;
+ 
+ i_data = vlc_b64_decode_binary(&p_orig, b64);
++ free(b64);
+ if (i_data == 0)
+ return VLC_EGENERIC;
+ assert(i_data > 9);
+--
+2.2.1
+
diff --git a/vlc.changes b/vlc.changes
index 69a7fbd..91d3ec3 100644
--- a/vlc.changes
+++ b/vlc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 22 15:03:10 UTC 2015 - dimstar@opensuse.org
+
+- Add vlc-CVE-2014-9625.patch: Fix various buffer overflows and
+ null ptr dereferencing (boo#914268, CVE-2014-9625).
+
 -------------------------------------------------------------------
 
 Sun Nov 9 16:06:10 UTC 2014 - seife+obs@b1-systems.com
diff --git a/vlc.spec b/vlc.spec
index 497c099..552f813 100644
--- a/vlc.spec
+++ b/vlc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package vlc
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # Copyright (c) 2012 Dominique Leuenberger, Amsterdam, The Netherlands
 #
 # All modifications and additions to the file contributed by third parties
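Review bot: In the dmo.c hunk (EncoderSetAudioType) the new failure path returns VLC_EGENERIC after `p_enc->fmt_out.i_extra = p_wf->cbSize;` has already executed, so the caller is left with an `fmt_out` whose `i_extra` is non-zero while `p_extra` is NULL; resetting the count first, `p_enc->fmt_out.i_extra = 0;` before `return VLC_EGENERIC;`, keeps the pair consistent for anything that later reads `i_extra` bytes through `p_extra`. If `cbSize` can be 0 on this path (the enclosing condition is outside the hunk), `malloc(0)` may return NULL on some allocators and would now be reported as a failure, so a guard of the form `if( p_enc->fmt_out.i_extra > 0 && p_enc->fmt_out.p_extra == NULL )` may be the intended one — I cannot confirm this from the visible lines. In the libmp4.c hunk, `p_box->i_size > SIZE_MAX` is vacuous wherever `size_t` is 64 bits (the commit message describes `i_size` as a 64-bit integer) and compilers typically warn that the comparison is always false; a one-line comment such as `/* 32-bit targets: i_size must fit the size_t passed to malloc/memcpy below */` would record why the check is kept. All of the patched functions begin and end outside their hunks.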
@@ -43,6 +43,8 @@ Url: http://www.videolan.org/
 Source: http://download.videolan.org/%{name}/%{version}/%{name}-%{version}.tar.xz
 # PATCH-FIX-OPENSUSE vlc-2.1.5-fix-skins2-default-skin-creation.patch -- see description in patch header
 Patch1: vlc-2.1.5-fix-skins2-default-skin-creation.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2014-9625.patch boo#914268 CVE-2014-9625 dimstar@opensuse.org -- Fix various buffer overflows and null ptr deref
+Patch2: vlc-CVE-2014-9625.patch
 Patch3: 0001-no-return-in-non-void.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: Mesa-devel
@@ -300,7 +302,9 @@ for gnome-vfs2.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 %patch3 -p1
+# We do not rely on contrib but make use of system libraries
 rm -rf contrib
 # fix builddate info
 # Remove build time references so build-compare can do its work