From: Ross Burton <ross.bur...@intel.com> Remove CVE-2017-14245-14246.patch, fix rejected upstream as it doesn't solve the underlying issue.
Instead 0001-a-ulaw-fix-multiple-buffer-overflows-432 also solves CVE-2017-14245 and CVE-2017-14246 properly. Add patches for CVE-2017-12562 and CVE-2018-19758. Refresh CVE-2018-13139.patch. (From OE-Core rev: a5625df8031985e9c60c34068a4a01c36da40eec) Signed-off-by: Ross Burton <ross.bur...@intel.com> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org> Signed-off-by: Sana Kazi <sana.k...@kpit.com> --- ...aw-fix-multiple-buffer-overflows-432.patch | 107 ++++++++++++++++ .../libsndfile1/CVE-2017-12562.patch | 96 ++++++++++++++ .../libsndfile1/CVE-2017-14245-14246.patch | 121 ------------------ .../libsndfile1/CVE-2018-13139.patch | 30 +++-- .../libsndfile1/CVE-2018-19758.patch | 34 +++++ .../libsndfile/libsndfile1_1.0.28.bb | 5 +- 6 files changed, 257 insertions(+), 136 deletions(-) create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch delete mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch new file mode 100644 index 0000000000..a4679cef2a --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch @@ -0,0 +1,107 @@ +This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 +CVE-2017-17457). As per +https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also +fixes #317 (CVE-2017-14245 CVE-2017-14246). + +CVE: CVE-2017-14245 CVE-2017-14246 +CVE: CVE-2017-17456 CVE-2017-17457 +CVE: CVE-2018-19661 CVE-2018-19662 + +Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] +Signed-off-by: Ross Burton <ross.bur...@intel.com> + +From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing...@windriver.com> +Date: Mon, 7 Jan 2019 15:55:03 +0800 +Subject: [PATCH] a/ulaw: fix multiple buffer overflows (#432) + +i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN +properly, leading to buffer underflow. INT_MIN is a special value +since - INT_MIN cannot be represented as int. + +In this case round - INT_MIN to INT_MAX and proceed as usual. + +f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN +properly, leading to null pointer dereference. + +In this case, arbitrarily set the buffer value to 0. + +This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and +fixes #344 (CVE-2017-17456 and CVE-2017-17457). + +--- + src/alaw.c | 9 +++++++-- + src/ulaw.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/alaw.c b/src/alaw.c +index 063fd1a..4220224 100644 +--- a/src/alaw.c ++++ b/src/alaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2alaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; + else + buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; +@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; +diff --git a/src/ulaw.c b/src/ulaw.c +index e50b4cb..b6070ad 100644 +--- a/src/ulaw.c ++++ b/src/ulaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include <math.h> ++#include <limits.h> + + #include "sndfile.h" + #include "common.h" +@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2ulaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; + else + buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; +@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; +-- +2.7.4 + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch new file mode 100644 index 0000000000..491dae3114 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch @@ -0,0 +1,96 @@ +Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in +libsndfile through 1.0.28 allows remote attackers to cause a denial of service +(application crash) or possibly have unspecified other impact. + +CVE: CVE-2017-12562 +Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8] +Signed-off-by: Ross Burton <ross.bur...@intel.com> + +From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osm...@problemloesungsmaschine.de> +Date: Wed, 14 Jun 2017 12:25:40 +0200 +Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings + in binheader + +Fixes the following problems: + 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. + 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the + big switch statement by an amount (16 bytes) which is enough for all cases + where only a single value gets added. Cases 's', 'S', 'p' however + additionally write an arbitrary length block of data and again enlarge the + buffer to the required amount. However, the required space calculation does + not take into account the size of the length field which gets output before + the data. + 3. Buffer size requirement calculation in case 'S' does not account for the + padding byte ("size += (size & 1) ;" happens after the calculation which + uses "size"). + 4. Case 'S' can overrun the header buffer by 1 byte when no padding is + involved + ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while + the buffer is only guaranteed to have "size" space available). + 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte + beyond the space which is guaranteed to be allocated in the header buffer. + 6. Case 's' can overrun the provided source string by 1 byte if padding is + involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" + where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, + plus optionally another 1 which is padding and not guaranteed to be + readable via the source string pointer). + +Closes: https://github.com/erikd/libsndfile/issues/292 +--- + src/common.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1a6204ca..6b2a2ee9 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + /* Write a C string (guaranteed to have a zero terminator). */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) + 1 ; +- size += (size & 1) ; + +- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + + if (psf->rwf_endian == SF_ENDIAN_BIG) +- header_put_be_int (psf, size) ; ++ header_put_be_int (psf, size + (size & 1)) ; + else +- header_put_le_int (psf, size) ; ++ header_put_le_int (psf, size + (size & 1)) ; + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; ++ size += (size & 1) ; + psf->header.indx += size ; + psf->header.ptr [psf->header.indx - 1] = 0 ; + count += 4 + size ; +@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) ; +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + header_put_be_int (psf, size) ; + else + header_put_le_int (psf, size) ; +- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; ++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; + size += (size & 1) ; + psf->header.indx += size ; +- psf->header.ptr [psf->header.indx] = 0 ; + count += 4 + size ; + break ; + +@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + size = (size & 1) ? size : size + 1 ; + size = (size > 254) ? 254 : size ; + +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) + return count ; + + header_put_byte (psf, size) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch deleted file mode 100644 index a17ec21f98..0000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001 -From: Fabian Greffrath <fab...@greffrath.com> -Date: Wed, 27 Sep 2017 14:46:17 +0200 -Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being - normal - -and check elements of the data[] array for being finite. - -Both checks use functions provided by the <math.h> header as declared -by the C99 standard. - -Fixes #317 -CVE: CVE-2017-14245 -CVE: CVE-2017-14246 - -Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258] - -Signed-off-by: Fabian Greffrath <fab...@greffrath.com> -Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> ---- - programs/common.c | 20 ++++++++++++++++---- - programs/common.h | 2 +- - programs/sndfile-convert.c | 6 +++++- - 3 files changed, 22 insertions(+), 6 deletions(-) - -diff --git a/programs/common.c b/programs/common.c -index a21e62c..a249a58 100644 ---- a/programs/common.c -+++ b/programs/common.c -@@ -36,6 +36,7 @@ - #include <string.h> - #include <ctype.h> - #include <stdint.h> -+#include <math.h> - - #include <sndfile.h> - -@@ -45,7 +46,7 @@ - - #define MIN(x, y) ((x) < (y) ? (x) : (y)) - --void -+int - sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) - { static double data [BUFFER_LEN], max ; - int frames, readcount, k ; -@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - readcount = frames ; - - sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ; -+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */ -+ return 1 ; - - if (!normalize && max < 1.0) - { while (readcount > 0) -@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - while (readcount > 0) - { readcount = sf_readf_double (infile, data, frames) ; - for (k = 0 ; k < readcount * channels ; k++) -- data [k] /= max ; -+ { data [k] /= max ; -+ -+ if (!isfinite (data [k])) /* infinite or NaN */ -+ return 1; -+ } - sf_writef_double (outfile, data, readcount) ; - } ; - } ; - -- return ; -+ return 0 ; - } /* sfe_copy_data_fp */ - - void -@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in - - /* If the input file is not the same as the output file, copy the data. */ - if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0) -+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ; -+ error_code = 1 ; -+ goto cleanup_exit ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - } ; -diff --git a/programs/common.h b/programs/common.h -index eda2d7d..986277e 100644 ---- a/programs/common.h -+++ b/programs/common.h -@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ; - - void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ; - --void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; -+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; - - void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ; - -diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c -index dff7f79..e6de593 100644 ---- a/programs/sndfile-convert.c -+++ b/programs/sndfile-convert.c -@@ -335,7 +335,11 @@ main (int argc, char * argv []) - || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0) -+ { printf ("Error : Not able to decode input file %s.\n", infilename) ; -+ return 1 ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch index 4ae3674df1..707373d414 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch @@ -1,23 +1,25 @@ -From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing...@windriver.com> -Date: Wed, 10 Oct 2018 08:59:30 +0800 -Subject: [PATCH] libsndfile1: patch for CVE-2018-13139 +CVE: CVE-2018-13139 +Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822] +Signed-off-by: Ross Burton <ross.bur...@intel.com> -Upstream-Status: Backport [https://github.com/bwarden/libsndfile/ -commit/df18323c622b54221ee7ace74b177cdcccc152d7] +From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001 +From: "Brett T. Warden" <brett.t.war...@intel.com> +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave -CVE: CVE-2018-13139 +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. -Signed-off-by: Changqing Li <changqing...@windriver.com> +Fixes #397 --- - programs/sndfile-deinterleave.c | 6 ++++++ - 1 file changed, 6 insertions(+) + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c -index e27593e..721bee7 100644 +index e27593e2..cb497e1f 100644 --- a/programs/sndfile-deinterleave.c +++ b/programs/sndfile-deinterleave.c -@@ -89,6 +89,12 @@ main (int argc, char **argv) +@@ -89,6 +89,13 @@ main (int argc, char **argv) exit (1) ; } ; @@ -26,10 +28,10 @@ index e27593e..721bee7 100644 + argv [1], sfinfo.channels, MAX_CHANNELS) ; + exit (1) ; + } ; ++ + state.channels = sfinfo.channels ; sfinfo.channels = 1 ; -- -2.7.4 - +2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch new file mode 100644 index 0000000000..c3586f9dfc --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch @@ -0,0 +1,34 @@ +There is a heap-based buffer over-read at wav.c in wav_write_header in +libsndfile 1.0.28 that will cause a denial of service. + +CVE: CVE-2018-19758 +Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e] +Signed-off-by: Ross Burton <ross.bur...@intel.com> + +From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <er...@mega-nerd.com> +Date: Tue, 1 Jan 2019 20:11:46 +1100 +Subject: [PATCH] src/wav.c: Fix heap read overflow + +This is CVE-2018-19758. + +Closes: https://github.com/erikd/libsndfile/issues/435 +--- + src/wav.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/wav.c b/src/wav.c +index e8405b55..6fb94ae8 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + ++ /* Loop count is signed 16 bit number so we limit it range to something sensible. */ ++ psf->instrument->loop_count &= 0x7fff ; + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + +-- +2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index b28f675286..eb2c719d8d 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -10,9 +10,12 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-8361-8365.patch \ file://CVE-2017-8362.patch \ file://CVE-2017-8363.patch \ - file://CVE-2017-14245-14246.patch \ file://CVE-2017-14634.patch \ file://CVE-2018-13139.patch \ + file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ + file://CVE-2018-19432.patch \ + file://CVE-2017-12562.patch \ + file://CVE-2018-19758.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#146465): https://lists.openembedded.org/g/openembedded-core/message/146465 Mute This Topic: https://lists.openembedded.org/mt/79495916/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
