From ab144c7631ebe685ffec603e48824403fcd00cdd Mon Sep 17 00:00:00 2001 From: Andreas Sturmlechner Date: Mon, 11 Jun 2018 01:45:11 +0200 Subject: media-sound/sox: A truckload of security Kindly provided by Debian packaging... Bug: https://bugs.gentoo.org/627570 Bug: https://bugs.gentoo.org/626702 Bug: https://bugs.gentoo.org/634814 Bug: https://bugs.gentoo.org/634450 Package-Manager: Portage-2.3.40, Repoman-2.3.9 --- .../sox/files/sox-14.4.2-CVE-2017-11332.patch | 25 ++++++ .../sox/files/sox-14.4.2-CVE-2017-11333.patch | 43 ++++++++++ .../sox/files/sox-14.4.2-CVE-2017-11358.patch | 26 ++++++ .../sox/files/sox-14.4.2-CVE-2017-11359.patch | 27 ++++++ .../sox/files/sox-14.4.2-CVE-2017-15370.patch | 25 ++++++ .../sox/files/sox-14.4.2-CVE-2017-15371.patch | 37 +++++++++ .../sox/files/sox-14.4.2-CVE-2017-15372.patch | 97 ++++++++++++++++++++++ .../sox/files/sox-14.4.2-CVE-2017-15642.patch | 28 +++++++ .../sox/files/sox-14.4.2-CVE-2017-18189.patch | 30 +++++++ .../sox-14.4.2-wavpack-chk-errors-on-init.patch | 35 ++++++++ media-sound/sox/sox-14.4.2-r1.ebuild | 13 +++ 11 files changed, 386 insertions(+) create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch create mode 100644 media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch create mode 100644 media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch (limited to 'media-sound/sox') 
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
new file mode 100644
index 000000000000..2b4448ed2d71
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch
@@ -0,0 +1,25 @@
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Sun, 5 Nov 2017 16:29:28 +0000
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332)
+
+---
+ src/wav.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3e80e692..3eaebfa7 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft)
+ else
+ lsx_report("User options overriding channels read in .wav header");
+
++ if (ft->signal.channels == 0) {
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero");
++ return SOX_EOF;
++ }
++
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond)
+ ft->signal.rate = dwSamplesPerSecond;
+ else
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
new file mode 100644
index 000000000000..a9a5b2762199
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch
@@ -0,0 +1,43 @@
+From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001
+Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?=
+Date: Wed, 15 Nov 2017 18:36:58 +0100
+Subject: [PATCH] Handle vorbis_analysis_headerout errors
+
+This is related to
+
+ https://github.com/xiph/vorbis/pull/34
+
+but could also happen today with on other errors in the called function.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236
+Forwarded: sox-devel@lists.sourceforge.net
+---
+ src/vorbis.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+Index: sox/src/vorbis.c
+===================================================================
+--- sox.orig/src/vorbis.c
++++ sox/src/vorbis.c
+@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma
+ vc.comment_lengths[i] = strlen(text);
+ }
+ }
+- vorbis_analysis_headerout( /* Build the packets */
+- &ve->vd, &vc, &header_main, &header_comments, &header_codebooks);
++ if (vorbis_analysis_headerout( /* Build the packets */
++ &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) {
++ ret = HEADER_ERROR;
++ goto cleanup;
++ }
+
+ ogg_stream_packetin(&ve->os, &header_main); /* And stream them out */
+ ogg_stream_packetin(&ve->os, &header_comments);
+@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma
+ while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK)
+ if (!oe_write_page(&ve->og, ft))
+ ret = HEADER_ERROR;
++cleanup:
+ for (i = 0; i < vc.comments; ++i)
+ free(vc.user_comments[i]);
+ free(vc.user_comments);
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
new file mode 100644
index 000000000000..6cd8c2bb15f6
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch
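Review bot: In write_vorbis_header (src/vorbis.c), the `ogg_stream_packetin()` calls that follow the new check still discard their return values, so a failure while queueing a header packet goes unnoticed and the function carries on into the flush loop. The same guard as the one just added fits each call, e.g. `if (ogg_stream_packetin(&ve->os, &header_main) < 0) { ret = HEADER_ERROR; goto cleanup; }`. Only part of the function is visible in these two inner hunks, so the remaining packetin call and anything else skipped by `goto cleanup` should be checked against the full file.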
@@ -0,0 +1,26 @@
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Sun, 5 Nov 2017 16:43:35 +0000
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary
+ (CVE-2017-11358)
+
+---
+ src/hcom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/hcom.c b/src/hcom.c
+index c62b020c..1b0e09dd 100644
+--- a/src/hcom.c
++++ b/src/hcom.c
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft)
+ lsx_debug("%d %d",
+ p->dictionary[i].dict_leftson,
+ p->dictionary[i].dict_rightson);
++ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
++ (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
++ return SOX_EOF;
++ }
+ }
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */
+ if (rc)
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
new file mode 100644
index 000000000000..180d7d1c867b
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch
@@ -0,0 +1,27 @@
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Sun, 5 Nov 2017 17:02:11 +0000
+Subject: [PATCH] wav: fix crash writing header when channel count >64k
+ (CVE-2017-11359)
+
+---
+ src/wav.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/wav.c b/src/wav.c
+index 3eaebfa7..fad334cf 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header)
+ long blocksWritten = 0;
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */
+
++ if (ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ dwSamplesPerSecond = ft->signal.rate;
+ wChannels = ft->signal.channels;
+ wBitsPerSample = ft->encoding.bits_per_sample;
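Review bot: In startread (src/hcom.c), the added range check runs on every dictionary entry, and the `(unsigned)` cast turns any negative `dict_leftson` into a value that fails `>= dictsize`. The decoding loop is outside this hunk; if it uses a negative `dict_leftson` to mark a leaf, with `dict_rightson` holding a sample rather than an index, this check would reject well-formed files. In that case the leaf entries need to be exempted and only entries with `dict_leftson >= 0` bounds-checked. This should be confirmed against the reader and a known-good file before the patch is stabilised.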
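Review bot: In wavwritehdr (src/wav.c), `lsx_fail_errno(ft, SOX_EOF, ...)` passes the function's return status as the error class, whereas the other checks in this series use a class such as `SOX_EHDR` or `SOX_EFMT`. Code that inspects the recorded error would see a generic EOF rather than a format problem. `lsx_fail_errno(ft, SOX_EFMT, "Too many channels (%u)",` would match the xa.c check added in the same commit. The function body continues past the hunk.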
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
new file mode 100644
index 000000000000..473c383a663a
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch
@@ -0,0 +1,25 @@
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Sun, 5 Nov 2017 16:21:23 +0000
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input
+ (CVE-2017-15370)
+
+Add the same check bad block size as was done for MS adpcm in commit
+f39c574b ("More checks for invalid MS ADPCM blocks").
+---
+ src/wav.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index 5202556c..3e80e692 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft)
+ /* work with partial blocks. Specs say it should be null */
+ /* padded but I guess this is better than trailing quiet. */
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0);
+- if (samplesThisBlock == 0)
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock)
+ {
+ lsx_warn("Premature EOF on .wav input file");
+ return 0;
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
new file mode 100644
index 000000000000..cde253da4ecb
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch
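Review bot: In ImaAdpcmReadBlock (src/wav.c), the new `samplesThisBlock > wav->samplesPerBlock` case reuses the `"Premature EOF on .wav input file"` warning, which describes a short read rather than an oversized block. Anyone triaging a malformed file from the log would be pointed at the wrong cause. A separate branch with its own message, e.g. `lsx_warn("Invalid IMA ADPCM block size in .wav input file");`, keeps the two conditions distinguishable. The function starts and ends outside the hunk.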
@@ -0,0 +1,37 @@
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Sun, 5 Nov 2017 15:57:48 +0000
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371)
+
+---
+ src/flac.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: sox/src/flac.c
+===================================================================
+--- sox.orig/src/flac.c
++++ sox/src/flac.c
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL
+ p->total_samples = metadata->data.stream_info.total_samples;
+ }
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) {
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment;
+ size_t i;
+
+- if (metadata->data.vorbis_comment.num_comments == 0)
++ if (vc->num_comments == 0)
+ return;
+
+ if (ft->oob.comments != NULL) {
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL
+ return;
+ }
+
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i)
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry);
++ for (i = 0; i < vc->num_comments; ++i)
++ if (vc->comments[i].entry)
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry);
+ }
+ }
+
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
new file mode 100644
index 000000000000..8671213a98f3
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch
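Review bot: In decoder_metadata_callback (src/flac.c), comments with a NULL `entry` are now dropped silently, and the skip is written as an unbraced `if` nested inside an unbraced `for`. An `lsx_warn()` or `lsx_debug()` on the skipped entry would leave a trace that the metadata block was malformed, and bracing both statements keeps a later edit from attaching a statement to the wrong level. The loop also depends on `vc->comments` being non-NULL whenever `num_comments` is non-zero; that is presumably guaranteed by the library but is not visible in this hunk.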
@@ -0,0 +1,97 @@
+From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard
+Date: Wed, 8 Nov 2017 00:29:14 +0000
+Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
+
+---
+ src/adpcm.c | 8 +++++++-
+ src/adpcm.h | 3 +++
+ src/wav.c | 5 ++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: sox/src/adpcm.c
+===================================================================
+--- sox.orig/src/adpcm.c
++++ sox/src/adpcm.c
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] =
+ { 392,-232}
+ };
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans)
++{
++ return lsx_malloc(chans * sizeof(MsState_t));
++}
++
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state,
+ sox_sample_t sample1, sox_sample_t sample2)
+ {
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s
+
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i(
+ const unsigned char *ip;
+ unsigned ch;
+ const char *errmsg = NULL;
+- MsState_t state[4]; /* One decompressor state for each channel */
++ MsState_t *state = priv; /* One decompressor state for each channel */
+
+ /* Read the four-byte header for each channel */
+ ip = ibuff;
+Index: sox/src/adpcm.h
+===================================================================
+--- sox.orig/src/adpcm.h
++++ sox/src/adpcm.h
+@@ -29,8 +29,11 @@
+ /* default coef sets */
+ extern const short lsx_ms_adpcm_i_coef[7][2];
+
++extern void *lsx_ms_adpcm_alloc(unsigned chans);
++
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */
+ extern const char *lsx_ms_adpcm_block_expand_i(
++ void *priv,
+ unsigned chans, /* total channels */
+ int nCoef,
+ const short *coef,
+Index: sox/src/wav.c
+===================================================================
+--- sox.orig/src/wav.c
++++ sox/src/wav.c
+@@ -82,6 +82,7 @@ typedef struct {
+ /* following used by *ADPCM wav files */
+ unsigned short nCoefs; /* ADPCM: number of coef sets */
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */
++ void *ms_adpcm_data; /* Private data of adpcm decoder */
+ unsigned char *packet; /* Temporary buffer for packets */
+ short *samples; /* interleaved samples buffer */
+ short *samplePtr; /* Pointer to current sample */
+@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so
+ }
+ }
+
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock);
+
+ if (errmsg)
+ lsx_warn("%s", errmsg);
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft)
+
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short));
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);
+ {
+ int i, errct=0;
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) {
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft)
+ free(wav->packet);
+ free(wav->samples);
+ free(wav->lsx_ms_adpcm_i_coefs);
++ free(wav->ms_adpcm_data);
+ free(wav->comment);
+ wav->comment = NULL;
+
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
new file mode 100644
index 000000000000..d43ef50d1012
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch
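Review bot: The decoder state buffer is sized from `wChannels` in startread (`wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels);`), but AdpcmReadBlock passes `ft->signal.channels` as the channel count when it hands that buffer to `lsx_ms_adpcm_block_expand_i()`. If the two values can differ (the wav.c context in the CVE-2017-11332 patch shows a "User options overriding channels" path), the decoder would index past a heap allocation instead of past the old four-element stack array. Allocating with the value that is later passed, `wav->ms_adpcm_data = lsx_ms_adpcm_alloc(ft->signal.channels);`, or rejecting a mismatch for ADPCM input, closes that gap. Separately, the buffer travels as a bare `void *priv` with no recorded element count, so the callee has no way to validate `chans` against it; a short comment on the prototype in adpcm.h stating that `priv` must come from `lsx_ms_adpcm_alloc(chans)` would document the contract.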
@@ -0,0 +1,28 @@
+Description: This fixes a use after free and double free if an empty comment
+chunk follows a non-empty one.
+Author: Mans Rullgard
+Forwarded: not-needed
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: sox/src/aiff.c
+===================================================================
+--- sox.orig/src/aiff.c
++++ sox/src/aiff.c
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft)
+ size_t ssndsize = 0;
+ char *annotation;
+ char *author;
+- char *comment = NULL;
+ char *copyright;
+ char *nametext;
+
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft)
+ free(annotation);
+ }
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) {
++ char *comment = NULL;
+ rc = commentChunk(&comment, "Comment:", ft);
+ if (rc) {
+ /* Fail already called in function */
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
new file mode 100644
index 000000000000..fd04bcdff131
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch
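Review bot: In lsx_aiffstartread (src/aiff.c), only `comment` is narrowed to its branch and initialised there; `annotation`, `author`, `copyright` and `nametext` remain function-scoped with no initialiser, as the first inner hunk shows. If their chunk helper can return success without assigning the pointer, which is the empty-chunk case the description gives for comments, the same stale-pointer free would apply to them. The helper is outside the hunk, so this needs checking there. Declaring each pointer inside its own branch as `char *annotation = NULL;` would make the branches uniform and remove the question.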
@@ -0,0 +1,30 @@
+Description: A corrupt header specifying zero channels would send read_channels()
+into an infinite loop. Prevent this by sanity checking the channel
+count in open_read(). Also add an upper bound to prevent overflow
+in multiplication.
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
+Author: Mans Rullgard
+ Jaromír Mikeš
+Forwarded: not-needed
+
+---
+ src/xa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: sox/src/xa.c
+===================================================================
+--- sox.orig/src/xa.c
++++ sox/src/xa.c
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft)
+ lsx_report("User options overriding rate read in .xa header");
+ }
+
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) {
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d",
++ ft->signal.channels);
++ return SOX_EOF;
++ }
++
+ /* Check for supported formats */
+ if (ft->encoding.bits_per_sample != 16) {
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
new file mode 100644
index 000000000000..4ebb31c0ae94
--- /dev/null
+++ b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch
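Review bot: In startread (src/xa.c), the new message formats `ft->signal.channels` with `%d`, while the wav.c check in this same series formats the same field with `%u`. The field appears to be unsigned, so the specifier should match: `lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %u",`. The description names `open_read()` and `read_channels()`, but the inner hunk header places the check in `startread`, so the description would be clearer if it used the function names from the file.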
@@ -0,0 +1,35 @@
+Description: wavpack: check errors when initializing
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145
+Author: Eric Wong
+ Jaromír Mikeš
+Forwarded: not-needed
+
+ src/wavpack.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/wavpack.c b/src/wavpack.c
+index 9e525cd4..b7e8dafa 100644
+--- a/src/wavpack.c
++++ b/src/wavpack.c
+@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft)
+ char msg[80];
+
+ p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0);
++ if (!p->codec) {
++ lsx_fail_errno(ft, SOX_EHDR, "%s", msg);
++ return SOX_EOF;
++ }
+ ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3;
+ ft->signal.channels = WavpackGetNumChannels(p->codec);
+ if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec))
+@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft)
+ uint64_t size64;
+
+ p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL);
++ if (!p->codec) {
++ lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance");
++ return SOX_EOF;
++ }
+ memset(&config, 0, sizeof(config));
+ config.bytes_per_sample = ft->encoding.bits_per_sample >> 3;
+ config.bits_per_sample = ft->encoding.bits_per_sample;
diff --git a/media-sound/sox/sox-14.4.2-r1.ebuild b/media-sound/sox/sox-14.4.2-r1.ebuild
index 8ebda3df10b8..d757a4e70b42 100644
--- a/media-sound/sox/sox-14.4.2-r1.ebuild
+++ b/media-sound/sox/sox-14.4.2-r1.ebuild
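Review bot: In start_read (src/wavpack.c), the new failure path prints `msg` with `%s`, but the context line `char msg[80];` has no initialiser, so the log call depends on the library always writing a terminated string before it returns NULL. Initialising the buffer, `char msg[80] = "";`, makes the error path safe whatever the library does. In start_write the NULL return is reported as `SOX_ENOMEM`, which is an assumption about the cause; a one-line comment saying so would help the next reader. Both functions continue past their hunks.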
@@ -46,6 +46,19 @@ DEPEND="${RDEPEND} DOCS=( AUTHORS ChangeLog NEWS README ) +PATCHES=( + "${FILESDIR}"/${P}-CVE-2017-11332.patch + "${FILESDIR}"/${P}-CVE-2017-11333.patch + "${FILESDIR}"/${P}-CVE-2017-11358.patch + "${FILESDIR}"/${P}-CVE-2017-11359.patch + "${FILESDIR}"/${P}-CVE-2017-15370.patch + "${FILESDIR}"/${P}-CVE-2017-15371.patch + "${FILESDIR}"/${P}-CVE-2017-15372.patch + "${FILESDIR}"/${P}-CVE-2017-15642.patch + "${FILESDIR}"/${P}-CVE-2017-18189.patch + "${FILESDIR}"/${P}-wavpack-chk-errors-on-init.patch +) + src_prepare() { default sed -i -e 's:CFLAGS="-g":CFLAGS="$CFLAGS -g":' configure.ac || die #386027 -- cgit v1.2.3-65-gdbad
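Review bot: The `PATCHES` array is added to the existing `sox-14.4.2-r1.ebuild` in place (the diff header shows the same path on both sides), so systems that already built -r1 would not be offered a rebuild and would keep the unpatched binaries. Unless -r1 was introduced immediately before this commit and never reached users, the fixes should ship as a new revision of the ebuild. A one-line comment above `PATCHES=(` noting that the set is taken from Debian's packaging would also help whoever has to drop or rebase these patches at the next upstream release.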