[PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.

  • Done
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 10 Jan 2018 10:07
(address . guix-patches@gnu.org)
9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
gnu/local.mk | 2 +
.../patches/libvorbis-CVE-2017-14632.patch | 63 ++++++++++++++++++++++
.../patches/libvorbis-CVE-2017-14633.patch | 43 +++++++++++++++
gnu/packages/xiph.scm | 9 ++++
4 files changed, 117 insertions(+)
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 44868d4bb..4b451c7a9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,8 @@ dist_patch_DATA = \
%D%/packages/patches/libusb-0.1-disable-tests.patch \
%D%/packages/patches/libusb-for-axoloti.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14632.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14633.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
new file mode 100644
index 000000000..99debf210
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-14632:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+ =23371== Invalid free() / delete / delete[] / realloc()
+ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea4..8d0b2ed 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ private_state *b=v->backend_state;
+
+ if(!b||vi->channels<=0||vi->channels>256){
++ b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
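Review bot: the fix relies on the `err_out` path skipping `oggpack_writeclear(&opb)` when `b` is NULL, but that label lies outside the visible hunk, so the guard cannot be confirmed from this diff alone; worth checking against lib/info.c when applying. Note also that the context line `if(!b||vi->channels<=0||vi->channels>256){` already contains the CVE-2017-14633 check, so this upstream commit only applies cleanly on top of that one.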
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
new file mode 100644
index 000000000..ec6bf5265
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
@@ -0,0 +1,43 @@
+Fix CVE-2017-14633:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2329
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
+
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+ /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+ int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759ed..7bc4ea4 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ oggpack_buffer opb;
+ private_state *b=v->backend_state;
+
+- if(!b||vi->channels<=0){
++ if(!b||vi->channels<=0||vi->channels>256){
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
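Review bot: the new upper bound `vi->channels>256` is a hard-coded literal matching the 256-element `chmuxlist` described in the commit message, and it reuses `OV_EFAULT` like the existing `channels<=0` branch; both are upstream's choices in commit a79ec216cd119069c68b8f3542c6a425a74ab993, which this file copies verbatim, so nothing to change on the Guix side.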
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 9277f57ad..e9ab06de4 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -79,6 +79,7 @@ periodic timestamps for seeking.")
(define libvorbis
(package
(name "libvorbis")
+ (replacement libvorbis/fixed)
(version "1.3.5")
(source (origin
(method url-fetch)
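Review bot: `(replacement libvorbis/fixed)` is a forward reference to a variable defined further down the module; Guile resolves top-level bindings lazily, so that is fine as long as the definition stays in xiph.scm. Because this is a graft, libvorbis/fixed must keep the same name, version and outputs as libvorbis so it can be substituted into dependents without a rebuild, which the `inherit` in the following hunk provides.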
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
"See COPYING in the distribution."))
(home-page "http://xiph.org/vorbis/")))
+(define libvorbis/fixed
+ (package
+ (inherit libvorbis)
+ (source (origin
+ (inherit (package-source libvorbis))
+ (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+ "libvorbis-CVE-2017-14632.patch"))))))
+
(define libtheora
(package
(name "libtheora")
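Review bot: the `search-patches` list names CVE-2017-14633 before CVE-2017-14632, and that order is required: the 14632 upstream commit's context already contains the `vi->channels>256` check introduced by 14633, so swapping the two would make the second patch fail to apply. A one-line comment above the list would make the dependency explicit for whoever next touches it.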
--
2.15.1
Ludovic Courtès wrote on 11 Jan 2018 22:24
control message for bug #30061
(address . control@debbugs.gnu.org)
87lgh4nl6o.fsf@gnu.org
tags 30061 security
Ludovic Courtès wrote on 11 Jan 2018 22:25
Re: [bug#30061] [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
(name . Leo Famulari)(address . leo@famulari.name)(address . 30061@debbugs.gnu.org)
87h8rsnl4i.fsf@gnu.org
Hi,

Leo Famulari <leo@famulari.name> wrote:

> * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> (libvorbis/fixed): New variable.

LGTM.

On ‘core-updates’, should we perform a rebuild instead of grafting?

Thank you!

Ludo’.
Leo Famulari wrote on 11 Jan 2018 23:33
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 30061-done@debbugs.gnu.org)
20180111223322.GA12238@jasmine.lan
On Thu, Jan 11, 2018 at 10:25:33PM +0100, Ludovic Courtès wrote:
> Hi,
>
> Leo Famulari <leo@famulari.name> wrote:
>
> > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> > (libvorbis/fixed): New variable.
>
> LGTM.

Pushed as 138c08899ba73049de8afd2b74a8cf6845a1d9e1

> On ‘core-updates’, should we perform a rebuild instead of grafting?

Yes, I merged master into core-updates and ungrafted libvorbis in
e6ebc7b13225f0eddc404b7d8e136120b962181e


Closed