aboutsummaryrefslogtreecommitdiffstats
path: root/main/libsndfile
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-08-09 09:43:55 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-08-09 09:50:29 +0000
commit88faf291b6b6819355f20b24462febaac8936737 (patch)
tree2951ab548c2870db4e1bc7da9da13b9fe90d69c1 /main/libsndfile
parent887eaa1f505c054fcd518a7b0121ab2a14df6d64 (diff)
downloadaports-88faf291b6b6819355f20b24462febaac8936737.tar.bz2
aports-88faf291b6b6819355f20b24462febaac8936737.tar.xz
main/libsndfile: fix for CVE-2017-12562. Fixes #7646
Diffstat (limited to 'main/libsndfile')
-rw-r--r--main/libsndfile/APKBUILD16
-rw-r--r--main/libsndfile/CVE-2017-12562.patch88
2 files changed, 102 insertions, 2 deletions
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index d894549ca8..522f427a8e 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libsndfile
pkgver=1.0.28
-pkgrel=1
+pkgrel=2
pkgdesc="A C library for reading and writing files containing sampled sound"
url="http://www.mega-nerd.com/libsndfile"
arch="all"
@@ -14,9 +14,12 @@ makedepends="linux-headers alsa-lib-dev $depends_dev"
source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz
CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
CVE-2017-8362.patch
+ CVE-2017-12562.patch
"
# secfixes:
+# 1.0.28-r2:
+# - CVE-2017-12562
# 1.0.28-r0:
# - CVE-2017-7585
# - CVE-2017-7741
@@ -45,6 +48,15 @@ package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
}
+md5sums="646b5f98ce89ac60cdb060fcd398247c libsndfile-1.0.28.tar.gz
+cdd75dee754a3f97a2b9852193858e8b CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
+883e150165932d7dc89aee64795a5e5e CVE-2017-8362.patch
+bcee757ad4ec56f92c0c2ad5c9c9bf96 CVE-2017-12562.patch"
+sha256sums="1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9 libsndfile-1.0.28.tar.gz
+c2d2665744b32facab093540bd0b0c28e72496dd03f8fd51e0aef42fb76d9631 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
+3dc977a26f36a779874bda304685a221a9da08d3e6b8d239f19785a31e18dbf7 CVE-2017-8362.patch
+5e13e843a247c5cc3e33e926183281003512bd34dbb32acab6c9360e06e6e3c9 CVE-2017-12562.patch"
sha512sums="890731a6b8173f714155ce05eaf6d991b31632c8ab207fbae860968861a107552df26fcf85602df2e7f65502c7256c1b41735e1122485a3a07ddb580aa83b57f libsndfile-1.0.28.tar.gz
f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb77123ef0355c3c53be4f9d6a432665c90c74687d8d3afd9e3 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
-dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch"
+dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch
+814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch"
diff --git a/main/libsndfile/CVE-2017-12562.patch b/main/libsndfile/CVE-2017-12562.patch
new file mode 100644
index 0000000000..f195e87e43
--- /dev/null
+++ b/main/libsndfile/CVE-2017-12562.patch
@@ -0,0 +1,88 @@
+From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+ big switch statement by an amount (16 bytes) which is enough for all cases
+ where only a single value gets added. Cases 's', 'S', 'p' however
+ additionally write an arbitrary length block of data and again enlarge the
+ buffer to the required amount. However, the required space calculation does
+ not take into account the size of the length field which gets output before
+ the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+ padding byte ("size += (size & 1) ;" happens after the calculation which
+ uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+ involved
+ ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+ the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+ beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+ involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+ where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+ plus optionally another 1 which is padding and not guaranteed to be
+ readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ /* Write a C string (guaranteed to have a zero terminator). */
+ strptr = va_arg (argptr, char *) ;
+ size = strlen (strptr) + 1 ;
+- size += (size & 1) ;
+
+- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ return count ;
+
+ if (psf->rwf_endian == SF_ENDIAN_BIG)
+- header_put_be_int (psf, size) ;
++ header_put_be_int (psf, size + (size & 1)) ;
+ else
+- header_put_le_int (psf, size) ;
++ header_put_le_int (psf, size + (size & 1)) ;
+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++ size += (size & 1) ;
+ psf->header.indx += size ;
+ psf->header.ptr [psf->header.indx - 1] = 0 ;
+ count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ */
+ strptr = va_arg (argptr, char *) ;
+ size = strlen (strptr) ;
+- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ return count ;
+ if (psf->rwf_endian == SF_ENDIAN_BIG)
+ header_put_be_int (psf, size) ;
+ else
+ header_put_le_int (psf, size) ;
+- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ size += (size & 1) ;
+ psf->header.indx += size ;
+- psf->header.ptr [psf->header.indx] = 0 ;
+ count += 4 + size ;
+ break ;
+
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ size = (size & 1) ? size : size + 1 ;
+ size = (size > 254) ? 254 : size ;
+
+- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ return count ;
+
+ header_put_byte (psf, size) ;