Accepting request 506702 from multimedia:libs

1

OBS-URL: https://build.opensuse.org/request/show/506702
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libquicktime?expand=0&rev=53

libquicktime-1.2.4-multiple_vulnerabilities.patch

@@ -0,0 +1,62 @@
+Index: libquicktime/src/atom.c
+===================================================================
+--- libquicktime.orig/src/atom.c
++++ libquicktime/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+ 			atom->size = read_size64(header);
+ 			atom->end = atom->start + atom->size;
+ 		}
++/* Avoid broken files */
++	if(atom->end > file->total_length)
++	  result = 1;
+ 	}
+ 
+ 
+Index: libquicktime/src/lqt_quicktime.c
+===================================================================
+--- libquicktime.orig/src/lqt_quicktime.c
++++ libquicktime/src/lqt_quicktime.c
+@@ -993,8 +993,8 @@ int quicktime_read_info(quicktime_t *fil
+                 quicktime_set_position(file, start_position);
+                 free(temp);
+ 
+-                quicktime_read_moov(file, &file->moov, &leaf_atom);
+-                got_header = 1;
++                if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++                  got_header = 1;
+                 }
+               else
+                 if(((leaf_atom.type[0] | leaf_atom.type[1] | leaf_atom.type[2] | leaf_atom.type[3]) == 0) &&
+Index: libquicktime/src/moov.c
+===================================================================
+--- libquicktime.orig/src/moov.c
++++ libquicktime/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+ 		if(quicktime_atom_is(&leaf_atom, "trak"))
+ 		{
+ 			quicktime_trak_t *trak = quicktime_add_trak(file);
+-			quicktime_read_trak(file, trak, &leaf_atom);
++			if(quicktime_read_trak(file, trak, &leaf_atom))
++                          return 1;
+ 		}
+ 		else
+ 		if(quicktime_atom_is(&leaf_atom, "udta"))
+Index: libquicktime/src/trak.c
+===================================================================
+--- libquicktime.orig/src/trak.c
++++ libquicktime/src/trak.c
+@@ -272,6 +272,14 @@ int quicktime_read_trak(quicktime_t *fil
+     else quicktime_atom_skip(file, &leaf_atom);
+     } while(quicktime_position(file) < trak_atom->end);
+ 
++  /* Do some sanity checks to prevent later crashes */
++  if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++    {
++    if(!trak->mdia.minf.stbl.stsc.table ||
++       !trak->mdia.minf.stbl.stco.table)
++      return 1;
++    }
++
+ #if 1 
+   if(trak->mdia.minf.is_video &&
+      quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))

libquicktime.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Jun 23 21:58:19 UTC 2017 - kstreitova@suse.com
+
+- add libquicktime-1.2.4-multiple_vulnerabilities.patch to fix the
+  following security issues:
+  * CVE-2017-9122 [bsc#1044077]
+  * CVE-2017-9123 [bsc#1044009]
+  * CVE-2017-9124 [bsc#1044008]
+  * CVE-2017-9125 [bsc#1044122]
+  * CVE-2017-9126 [bsc#1044006]
+  * CVE-2017-9127 [bsc#1044002]
+  * CVE-2017-9128 [bsc#1044000] 
+
 -------------------------------------------------------------------
 Sat Feb 25 21:11:11 UTC 2017 - zaitor@opensuse.org
 

libquicktime.spec

@@ -39,6 +39,8 @@ Patch0:         libquicktime-ffmpeg3.patch
 Patch1:         libquicktime-faad2.patch
 # PATCH-FIX-UPSTREAM bsc#1022805 CVE-2016-2399 kstreitova@suse.com -- fix integer overflow in the quicktime_read_pascal function
 Patch2:         libquicktime-1.2.4-integer_overflow.patch
+# PATCH-FIX-UPSTREAM kstreitova@suse.com -- fix multiple vulnerabilities (from CVE-2017-9122 to CVE-2017-9128)
+Patch3:         libquicktime-1.2.4-multiple_vulnerabilities.patch
 BuildRequires:  alsa-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -130,6 +132,7 @@ Tools for reading/writing quicktime movie files.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 sed -i 's/-DGTK_DISABLE_DEPRECATED//g' configure.ac