GNU bug report logs

#30061 [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.


Message #5 received at submit@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
Date: Wed, 10 Jan 2018 01:07:39 -0800
Message-Id: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name>
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
 gnu/local.mk                                       |  2 +
 .../patches/libvorbis-CVE-2017-14632.patch         | 63 ++++++++++++++++++++++
 .../patches/libvorbis-CVE-2017-14633.patch         | 43 +++++++++++++++
 gnu/packages/xiph.scm                              |  9 ++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
 create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 44868d4bb..4b451c7a9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
   %D%/packages/patches/libvdpau-va-gl-unbundle.patch		\
+  %D%/packages/patches/libvorbis-CVE-2017-14632.patch		\
+  %D%/packages/patches/libvorbis-CVE-2017-14633.patch		\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
   %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
new file mode 100644
index 000000000..99debf210
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-14632:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea4..8d0b2ed 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
+-- 
+2.15.1
+
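Review bot: the added `b = NULL;` inside the `if(!b||vi->channels<=0||vi->channels>256)` branch cannot be checked from this hunk, because the `err_out` cleanup it is meant to steer lies outside the visible context. A one-line summary in the Guix header of this patch file, saying that the error path must not call `oggpack_writeclear` on an `opb` that was never initialized and that nulling `b` is how upstream achieves this, would let a reader verify the fix without opening upstream `lib/info.c`. The assignment also discards a possibly valid `b` when only the channel range check fails, so it stays correct only as long as nothing after `err_out` needs the backend state; worth confirming against the full function before merging.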
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
new file mode 100644
index 000000000..ec6bf5265
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
@@ -0,0 +1,43 @@
+Fix CVE-2017-14633:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2329
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
+
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+      /* the encoder setup assumes that all the modes used by any
+         specific bitrate tweaking use the same floor */
+      int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759ed..7bc4ea4 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+ 
+-  if(!b||vi->channels<=0){
++  if(!b||vi->channels<=0||vi->channels>256){
+     ret=OV_EFAULT;
+     goto err_out;
+   }
+-- 
+2.15.1
+
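Review bot: the new bound in `vi->channels>256` is a bare literal that duplicates the size the commit message gives for `chmuxlist`, so the check and the array can drift apart silently. The value is consistent with a 256-element array (a channel count of exactly 256 keeps `i` within 0..255 in the quoted loop), and since this file is a verbatim upstream copy it should stay unmodified here; the suggestion to tie the limit to a named constant shared with the array declaration belongs upstream.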
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 9277f57ad..e9ab06de4 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -79,6 +79,7 @@ periodic timestamps for seeking.")
 (define libvorbis
   (package
    (name "libvorbis")
+   (replacement libvorbis/fixed)
    (version "1.3.5")
    (source (origin
             (method url-fetch)
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
                                "See COPYING in the distribution."))
    (home-page "http://xiph.org/vorbis/")))
 
+(define libvorbis/fixed
+  (package
+    (inherit libvorbis)
+    (source (origin
+              (inherit (package-source libvorbis))
+              (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+                                       "libvorbis-CVE-2017-14632.patch"))))))
+
 (define libtheora
   (package
     (name "libtheora")
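Review bot: the order of the two file names in `search-patches` is significant and nothing in `libvorbis/fixed` says so. The CVE-2017-14632 patch uses `if(!b||vi->channels<=0||vi->channels>256){` as a context line, which exists only after the CVE-2017-14633 patch has been applied (its `lib/info.c` index goes fe759ed..7bc4ea4, and the 14632 patch starts from 7bc4ea4). Add a short comment above the list stating that the 14633 patch must come first, so that a later alphabetical re-sort does not make the second patch fail to apply.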
-- 
2.15.1





debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:00:27 2024; Machine Name: wallace-server
