Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: audiof...@packages.debian.org, debian-multimedia@lists.debian.org
Control: affects -1 + src:audiofile
User: release.debian....@packages.debian.org
Usertags: pu

Fixes two minor security issues not worth a DSA,
debdiff below.

Cheers,
        Moritz

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog    2019-04-05 16:13:16.000000000 +0200
+++ audiofile-0.3.6/debian/changelog    2025-01-01 17:42:41.000000000 +0100
@@ -1,3 +1,10 @@
+audiofile (0.3.6-5+deb12u1) bookworm; urgency=medium
+
+  * CVE-2022-24599 (Closes: #1008017)
+  * CVE-2019-13147 (Closes: #931343)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Wed, 01 Jan 2025 17:42:41 +0100
+
 audiofile (0.3.6-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch 
audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch
--- audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch  1970-01-01 
01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch  2025-01-01 
17:41:31.000000000 +0100
@@ -0,0 +1,89 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Sat, 11 Nov 2023 15:58:50 +0000
+Subject: Fix CVE-2022-24599
+
+Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory 
buffer
+with a user declared string.
+
+Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+for printf
+
+Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+Before under valgrind:
+libtool --mode=execute valgrind --track-origins=yes  ./sfinfo heapleak_poc.aiff
+
+Duration       -inf seconds
+==896222== Invalid read of size 1
+==896222==    at 0x4846794: strlen (vg_replace_strmem.c:494)
+==896222==    by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+==896222==    by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+==896222==    by 0x49DE986: __printf_chk (printf_chk.c:33)
+==896222==    by 0x10985C: printf (stdio2.h:86)
+==896222==    by 0x10985C: printfileinfo (printinfo.c:134)
+==896222==    by 0x10930A: main (sfinfo.c:113)
+==896222==  Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+==896222==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
+==896222==    by 0x109825: copyrightstring (printinfo.c:163)
+==896222==    by 0x109825: printfileinfo (printinfo.c:131)
+==896222==    by 0x10930A: main (sfinfo.c:113)
+==896222==
+Copyright      C
+
+After:
+Duration       -inf seconds
+Copyright      C
+
+forwarded: https://github.com/mpruett/audiofile/issues/60
+bug: https://github.com/mpruett/audiofile/issues/60
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008017
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2022-24599
+---
+ sfcommands/printinfo.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ 
+ static char *copyrightstring (AFfilehandle file);
+ 
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+       int             i, misccount;
+ 
+       misccount = afGetMiscIDs(file, NULL);
+-      miscids = (int *) malloc(sizeof (int) * misccount);
++      if(!misccount)
++              return NULL;
++      miscids = (int *) calloc(misccount, sizeof(int));
++      if(!miscids)
++              return NULL;
+       afGetMiscIDs(file, miscids);
+ 
+       for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+                       If this code executes, the miscellaneous chunk is a
+                       copyright chunk.
+               */
+-              int datasize = afGetMiscSize(file, miscids[i]);
+-              char *data = (char *) malloc(datasize);
++              size_t datasize = afGetMiscSize(file, miscids[i]);
++              if(datasize >= INT_MAX -1 ) {
++                      goto error;
++              }
++              char *data = (char *) calloc(datasize + 1, 1);
+               afReadMisc(file, miscids[i], data, datasize);
+               copyright = data;
+               break;
+       }
+-
++error:
+       free(miscids);
+ 
+       return copyright;
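Review bot: The `calloc(datasize + 1, 1)` result on the `char *data = ...` line is handed straight to `afReadMisc` with no NULL check, so an allocation failure (less likely after the new `>= INT_MAX - 1` guard, but not excluded) dereferences a null pointer; add `if (!data) goto error;` before the `afReadMisc` call, which already lands on the `free(miscids)` path. The earlier `if(!misccount) return NULL;` only covers zero: if `afGetMiscIDs` can signal an error with a negative count, `if (misccount <= 0)` is the safer form, though its error convention is not visible in the hunk. Storing the `afGetMiscSize` result in a `size_t` is what makes a negative size trip the `INT_MAX - 1` check, which is worth a one-line comment since it reads like an accidental signedness change. The start of `copyrightstring` and the initialisation of `copyright` are outside the hunk, so whether the `error:` path returns NULL cannot be confirmed here.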
diff -Nru audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch 
audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch       
1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch       
2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Sat, 11 Nov 2023 17:42:03 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This fix the symptom do not allow to allocate negative memory:
+==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
+==129695==AddressSanitizer's allocator is terminating the process instead of 
returning 0
+==129695==If you don't like this behavior set allocator_may_return_null=1
+==129695==AddressSanitizer CHECK failed: 
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) 
!= (0)" (0x0, 0x0)
+    #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
+    #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char 
const*, unsigned long long, unsigned long long) 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
+    #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
+    #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
+    #4 0x7f48c84f8b1a in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
+    #5 0x558dc209af68 in copyaudiodata 
/home/tim/audiofile-santi/sfcommands/sfconvert.c:327
+    #6 0x558dc209a620 in main 
/home/tim/audiofile-santi/sfcommands/sfconvert.c:248
+    #7 0x7f48c7d38b96 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
+    #8 0x558dc209ac79 in _start 
(/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
+
+If negative bail out
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ sfcommands/sfconvert.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 367f7a5..400d485 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -349,7 +349,8 @@ void printversion (void)
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+       int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+-
++      if(frameSize <= 0)
++              return false;
+       int kBufferFrameCount = 65536;
+       int bufferSize;
+       while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
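Review bot: The new `if(frameSize <= 0) return false;` guard bails out silently, so a user running sfconvert on such a file gets no indication of why the copy failed; a diagnostic such as `fprintf(stderr, "invalid frame size %d\n", frameSize);` before the return would make the failure explainable, assuming the file reports its other errors on stderr (its error-reporting style is not visible in the hunk). The commit message calls this a partial fix and the companion patch 15-Partial-fix-of-CVE-2019-13147.patch rejects the oversized channel count at parse time, so this check is the second line of defence; a short comment above the guard saying so would help the next reader. The rest of copyaudiodata continues outside the hunk.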
diff -Nru audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch 
audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch       
1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch       
2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <ro...@debian.org>
+Date: Sat, 11 Nov 2023 17:43:19 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This is the fix of the POC. Do not allow too many channel
+
+Now it fail with:
+Audio File Library: invalid file with 1633771873 channels [error 15]
+Could not open file 'poc' for reading.
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ libaudiofile/NeXT.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp
+index c462dbe..01c967c 100644
+--- a/libaudiofile/NeXT.cpp
++++ b/libaudiofile/NeXT.cpp
+@@ -32,6 +32,7 @@
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ #include "File.h"
+ #include "Setup.h"
+@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup)
+               _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
+               return AF_FAIL;
+       }
++      /* avoid overflow of INT for double size rate */
++      if (channelCount > (INT32_MAX / (sizeof(double))))
++      {
++              _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", 
channelCount);
++              return AF_FAIL;
++      }
+ 
+       Track *track = allocateTrack();
+       if (!track)
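Review bot: The added `#include <limits.h>` is not needed for this change: `INT32_MAX` is provided by `<stdint.h>`, which the file already includes two lines above, so the include can be dropped. The comment `/* avoid overflow of INT for double size rate */` does not name the computation it protects; something like `/* channelCount * sizeof(double) must fit in a 32-bit frame size */` would state the invariant, if that is indeed the later multiplication (it is outside the hunk). The `%i` conversion in the new `_af_error` call assumes channelCount is a signed int; if it is an unsigned 32-bit field read from the header, `%u` is the matching specifier and avoids printing a negative count for values above INT32_MAX.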
diff -Nru audiofile-0.3.6/debian/patches/series 
audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series       2019-04-05 16:10:40.000000000 
+0200
+++ audiofile-0.3.6/debian/patches/series       2025-01-01 17:42:28.000000000 
+0100
@@ -10,3 +10,6 @@
 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
 11_CVE-2018-13440.patch
 12_CVE-2018-17095.patch
+13-Fix-CVE-2022-24599.patch
+14-Partial-fix-of-CVE-2019-13147.patch
+15-Partial-fix-of-CVE-2019-13147.patch
