1 |
commit: c8d9d005d305c0d4a8232649e3ec93535c1bacca |
2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Sep 18 14:54:25 2018 +0000 |
4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Sep 18 15:07:45 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8d9d005 |
7 |
|
8 |
media-libs/libquicktime: Fix CVE-2017-9122..9128 |
9 |
|
10 |
Bug: https://bugs.gentoo.org/634806 |
11 |
Package-Manager: Portage-2.3.49, Repoman-2.3.10 |
12 |
|
13 |
.../libquicktime-1.2.4-CVE-2017-9122_et_al.patch | 151 +++++++++++++++++++++ |
14 |
.../libquicktime/libquicktime-1.2.4-r3.ebuild | 1 + |
15 |
2 files changed, 152 insertions(+) |
16 |
|
17 |
diff --git a/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch |
18 |
new file mode 100644 |
19 |
index 00000000000..06fb7b33758 |
20 |
--- /dev/null |
21 |
+++ b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch |
22 |
@@ -0,0 +1,151 @@ |
23 |
+From: Burkhard Plaum <plaum@×××××××××××××××××.de> |
24 |
+Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706 |
25 |
+ |
26 |
+Hi, |
27 |
+ |
28 |
+I committed some (mostly trivial) updates to CVS. The following CVE's |
29 |
+are fixed and/or no longer reproducible: |
30 |
+ |
31 |
+CVE-2017-9122 |
32 |
+CVE-2017-9123 |
33 |
+CVE-2017-9124 |
34 |
+CVE-2017-9125 |
35 |
+CVE-2017-9126 |
36 |
+CVE-2017-9127 |
37 |
+CVE-2017-9128 |
38 |
+ |
39 |
+I was a bit surprised that one simple sanity check fixes a whole bunch of files. |
40 |
+ |
41 |
+So it could be, that the problems are still there, but better hidden since the |
42 |
+critical code isn't executed anymore with the sample files I got. |
43 |
+ |
44 |
+If someone encounters more crashes, feel free to report them. |
45 |
+ |
46 |
+Burkhard |
47 |
+ |
48 |
+--- a/include/lqt_funcprotos.h |
49 |
++++ b/include/lqt_funcprotos.h |
50 |
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t |
51 |
+ int quicktime_write_char32(quicktime_t *file, char *string); |
52 |
+ float quicktime_read_fixed16(quicktime_t *file); |
53 |
+ int quicktime_write_fixed16(quicktime_t *file, float number); |
54 |
+-unsigned long quicktime_read_uint32(quicktime_t *file); |
55 |
+-long quicktime_read_int32(quicktime_t *file); |
56 |
+-long quicktime_read_int32_le(quicktime_t *file); |
57 |
++uint32_t quicktime_read_uint32(quicktime_t *file); |
58 |
++int32_t quicktime_read_int32(quicktime_t *file); |
59 |
++int32_t quicktime_read_int32_le(quicktime_t *file); |
60 |
+ int64_t quicktime_read_int64(quicktime_t *file); |
61 |
+ int64_t quicktime_read_int64_le(quicktime_t *file); |
62 |
+ long quicktime_read_int24(quicktime_t *file); |
63 |
+--- a/src/atom.c |
64 |
++++ b/src/atom.c |
65 |
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime |
66 |
+ atom->size = read_size64(header); |
67 |
+ atom->end = atom->start + atom->size; |
68 |
+ } |
69 |
++/* Avoid broken files */ |
70 |
++ if(atom->end > file->total_length) |
71 |
++ result = 1; |
72 |
+ } |
73 |
+ |
74 |
+ |
75 |
+--- a/src/lqt_quicktime.c |
76 |
++++ b/src/lqt_quicktime.c |
77 |
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil |
78 |
+ quicktime_set_position(file, start_position); |
79 |
+ free(temp); |
80 |
+ |
81 |
+- quicktime_read_moov(file, &file->moov, &leaf_atom); |
82 |
+- got_header = 1; |
83 |
++ if(!quicktime_read_moov(file, &file->moov, &leaf_atom)) |
84 |
++ got_header = 1; |
85 |
+ } |
86 |
+ else |
87 |
+ quicktime_atom_skip(file, &leaf_atom); |
88 |
+--- a/src/moov.c |
89 |
++++ b/src/moov.c |
90 |
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil |
91 |
+ if(quicktime_atom_is(&leaf_atom, "trak")) |
92 |
+ { |
93 |
+ quicktime_trak_t *trak = quicktime_add_trak(file); |
94 |
+- quicktime_read_trak(file, trak, &leaf_atom); |
95 |
++ if(quicktime_read_trak(file, trak, &leaf_atom)) |
96 |
++ return 1; |
97 |
+ } |
98 |
+ else |
99 |
+ if(quicktime_atom_is(&leaf_atom, "udta")) |
100 |
+--- a/src/trak.c |
101 |
++++ b/src/trak.c |
102 |
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil |
103 |
+ else quicktime_atom_skip(file, &leaf_atom); |
104 |
+ } while(quicktime_position(file) < trak_atom->end); |
105 |
+ |
106 |
++ /* Do some sanity checks to prevent later crashes */ |
107 |
++ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video) |
108 |
++ { |
109 |
++ if(!trak->mdia.minf.stbl.stsc.table || |
110 |
++ !trak->mdia.minf.stbl.stco.table) |
111 |
++ return 1; |
112 |
++ } |
113 |
++ |
114 |
+ #if 1 |
115 |
+ if(trak->mdia.minf.is_video && |
116 |
+ quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac")) |
117 |
+--- a/src/util.c |
118 |
++++ b/src/util.c |
119 |
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t |
120 |
+ return quicktime_write_data(file, data, 2); |
121 |
+ } |
122 |
+ |
123 |
+-unsigned long quicktime_read_uint32(quicktime_t *file) |
124 |
++uint32_t quicktime_read_uint32(quicktime_t *file) |
125 |
+ { |
126 |
+- unsigned long result; |
127 |
+- unsigned long a, b, c, d; |
128 |
++ uint32_t result; |
129 |
++ uint32_t a, b, c, d; |
130 |
+ uint8_t data[4]; |
131 |
+ |
132 |
+ quicktime_read_data(file, data, 4); |
133 |
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic |
134 |
+ return result; |
135 |
+ } |
136 |
+ |
137 |
+-long quicktime_read_int32(quicktime_t *file) |
138 |
++int32_t quicktime_read_int32(quicktime_t *file) |
139 |
+ { |
140 |
+- unsigned long result; |
141 |
+- unsigned long a, b, c, d; |
142 |
++ uint32_t result; |
143 |
++ uint32_t a, b, c, d; |
144 |
+ uint8_t data[4]; |
145 |
+ |
146 |
+ quicktime_read_data(file, data, 4); |
147 |
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f |
148 |
+ d = data[3]; |
149 |
+ |
150 |
+ result = (a << 24) | (b << 16) | (c << 8) | d; |
151 |
+- return (long)result; |
152 |
++ return (int32_t)result; |
153 |
+ } |
154 |
+ |
155 |
+-long quicktime_read_int32_le(quicktime_t *file) |
156 |
++int32_t quicktime_read_int32_le(quicktime_t *file) |
157 |
+ { |
158 |
+- unsigned long result; |
159 |
+- unsigned long a, b, c, d; |
160 |
++ uint32_t result; |
161 |
++ uint32_t a, b, c, d; |
162 |
+ uint8_t data[4]; |
163 |
+ |
164 |
+ quicktime_read_data(file, data, 4); |
165 |
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t |
166 |
+ d = data[3]; |
167 |
+ |
168 |
+ result = (d << 24) | (c << 16) | (b << 8) | a; |
169 |
+- return (long)result; |
170 |
++ return (int32_t)result; |
171 |
+ } |
172 |
+ |
173 |
+ int64_t quicktime_read_int64(quicktime_t *file) |
174 |
|
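Review bot: The sanity check added to quicktime_read_trak in the src/trak.c hunk tests `trak->mdia.minf.is_video || trak->mdia.minf.is_video`, the same flag twice, so a track that is not video never reaches the stsc/stco table check. The second operand was presumably meant to be the audio flag, `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)`; as written, an audio track from a malformed file with a missing sample-to-chunk or chunk-offset table is still accepted. The context line just below the check reads `stsd.table[0].format` for video tracks, and nothing visible in the hunk confirms that table is populated, so it may need the same NULL guard. The function starts and ends outside the hunk, so an earlier check may already cover this. The patch author's own message notes that the problems may only be hidden for the sample files at hand, which is a reason to raise both points upstream.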
175 |
diff --git a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild |
176 |
index 69f1b64818e..e4c2bea8920 100644 |
177 |
--- a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild |
178 |
+++ b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild |
179 |
@@ -61,6 +61,7 @@ PATCHES=( |
180 |
"${FILESDIR}"/${P}-ffmpeg2.patch |
181 |
"${FILESDIR}"/${P}-ffmpeg29.patch |
182 |
"${FILESDIR}"/${P}-CVE-2016-2399.patch |
183 |
+ "${FILESDIR}"/${P}-CVE-2017-9122_et_al.patch |
184 |
) |
185 |
|
186 |
src_prepare() { |
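Review bot: The new PATCHES entry changes the code compiled into the installed library, but the ebuild keeps its revision `-r3`, so a system that already built `-r3` would not be prompted to rebuild and would stay on the unpatched code. The `index` line shows that this ebuild existed before the commit. If `-r3` had already been synced to users, carrying the fix in a new revision would make sure it reaches them. If `-r3` was added just before this commit and never published, the in-place edit is fine.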