
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libmp4v2/, media-libs/libmp4v2/files/
Date: Mon, 03 Aug 2020 00:49:47
Message-Id: 1596415770.1560154cd7f50715577cc36e52f8d03a15a80419.sam@gentoo
1 commit: 1560154cd7f50715577cc36e52f8d03a15a80419
2 Author: John Helmert III <jchelmert3 <AT> posteo <DOT> net>
3 AuthorDate: Mon Aug 3 00:49:30 2020 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Mon Aug 3 00:49:30 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1560154c
7
8 media-libs/libmp4v2: add security patches
9
10 Bug: https://bugs.gentoo.org/661582
11 Package-Manager: Portage-3.0.0, Repoman-2.3.23
12 Signed-off-by: John Helmert III <jchelmert3 <AT> posteo.net>
13 Closes: https://github.com/gentoo/gentoo/pull/16811
14 Signed-off-by: Sam James <sam <AT> gentoo.org>
15
16 .../files/libmp4v2-2.0.0-CVE-2018-14054.patch | 35 +++++++++++++
17 .../files/libmp4v2-2.0.0-CVE-2018-14325.patch | 60 ++++++++++++++++++++++
18 .../files/libmp4v2-2.0.0-CVE-2018-14379.patch | 33 ++++++++++++
19 .../files/libmp4v2-2.0.0-CVE-2018-14403.patch | 28 ++++++++++
20 media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild | 54 +++++++++++++++++++
21 5 files changed, 210 insertions(+)
22
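diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
new file mode 100644
index 00000000000..3ff3e731b93
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
@@ -0,0 +1,35 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/3410bc66fb91f46325ab1d008b6a421dd8240949
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From 3410bc66fb91f46325ab1d008b6a421dd8240949 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Sat, 2 Nov 2019 04:21:17 +0000
+Subject: [PATCH] Null out pointer after free to prevent double free
+
+If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur. By setting the pointer to NULL after the first free, we prevent the double free in this case.
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054
+
+copied form https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743
+From: Dave O'Rourke
+Date: Wed, 20 Mar 2019 08:57:29 -0400
+---
+ src/mp4property.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mp4property.cpp b/src/mp4property.cpp
+index 9a5b1e3..1b8e1d2 100644
+--- a/src/mp4property.cpp
++++ b/src/mp4property.cpp
+@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
+ char*& value = m_values[i];
+
+ // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
+- // we don't free. Note that MP4Free checks for null.
+- MP4Free(value);
++ // we don't free. Note that this code checks for null before calling free and sets the pointer to null
++ // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
++ MP4Free( value );
++ value = NULL;
+
+ if( m_useCountedFormat ) {
+ value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );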
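Review bot: The rewritten comment above `MP4Free( value );` claims that "this code checks for null before calling free", but no null check is visible in the hunk — the only guard is whatever `MP4Free` does internally, which is exactly what the removed comment stated. Keeping the comment faithful to the visible code avoids a reader trusting a check that is not there: `// we don't free. MP4Free tolerates a null pointer; value is reset to NULL after freeing so that an exception thrown before the reassignment below cannot cause a double free.` The added `value = NULL;` is the correct part of the fix for the double free described in the patch header. `MP4StringProperty::Read` starts and ends outside the hunk.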
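diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
new file mode 100644
index 00000000000..eb23926bb49
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
@@ -0,0 +1,60 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/9084868fd9f86bee118001c23171e832f15009f4
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+
+From 9084868fd9f86bee118001c23171e832f15009f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Fri, 8 Nov 2019 02:01:32 +0000
+Subject: [PATCH] Fix v3 Integer underflow/overflow in MP4v2 2.0.0
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/16/1
+
+For the overflow, we could check the result of the integer multiplication:
+
+fix vulnerability where an atom list size is enormous
+and calculating the number of bytes needed to hold the list overflows
+https://github.com/TechSmith/mp4v2/pull/27/commits/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14326 and https://nvd.nist.gov/vuln/detail/CVE-2018-14446
+
+For the underflow, we could check if `dataSize >= hdrSize` satisfies:
+Throw exception when invalid atom size would cause integer underflow
+The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results. We throw an exception to stop the code from going any further.
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325
+Based on https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451
+---
+ src/mp4array.h | 2 ++
+ src/mp4atom.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mp4array.h b/src/mp4array.h
+index c49d59b..69d470a 100644
+--- a/src/mp4array.h
++++ b/src/mp4array.h
+@@ -102,6 +102,8 @@ class MP4Array {
+ void Resize(MP4ArrayIndex newSize) { \
+ m_numElements = newSize; \
+ m_maxNumElements = newSize; \
++ if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
++ throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
+ m_elements = (type*)MP4Realloc(m_elements, \
+ m_maxNumElements * sizeof(type)); \
+ } \
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 7a0a53f..f5d5dc0 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -143,6 +143,12 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom)
+ dataSize = file.GetSize() - pos;
+ }
+
++ if(dataSize < hdrSize) {
++ ostringstream oss;
++ oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast<unsigned>( hdrSize );
++ log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() );
++ throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ );
++ }
+ dataSize -= hdrSize;
+
+ log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u",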
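Review bot: In the `Resize` hunk of `src/mp4array.h` the new size check runs only after `m_numElements` and `m_maxNumElements` have already been set to `newSize`, so when the exception is thrown the array's bookkeeping advertises a capacity that the untouched `m_elements` buffer does not have; any caller that catches the exception and keeps using the object can then index past the real allocation. Check the argument before touching any member: `if ( (uint64_t) newSize * sizeof(type) > 0xFFFFFFFF ) \` followed by the existing `throw`, and only then `m_numElements = newSize; \` and `m_maxNumElements = newSize; \`. The `dataSize < hdrSize` guard added in `src/mp4atom.cpp` looks correct as written. The `MP4Array` class enclosing `Resize` and `MP4Atom::ReadAtom` both start and end outside their hunks.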
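diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
new file mode 100644
index 00000000000..487dc709af3
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
@@ -0,0 +1,33 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/bb920de948c85e3db4a52292ac7250a50e3bfc86
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From bb920de948c85e3db4a52292ac7250a50e3bfc86 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Sat, 2 Nov 2019 04:19:27 +0000
+Subject: [PATCH] Fix v2 Type confusion in MP4v2 2.0.0
+
+The bug is caused by the wrong assumption that the child of an `ilst`
+can never be an `ilst`. So we could fix it by simply adding an ASSERT.
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/17/1
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14379
+---
+ src/mp4atom.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 520cbc8..7a0a53f 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -778,8 +778,10 @@ MP4Atom::factory( MP4File &file, MP4Atom* parent, const char* type )
+ const char* const ptype = parent->GetType();
+
+ if( descendsFrom( parent, "ilst" )) {
+- if( ATOMID( ptype ) == ATOMID( "ilst" ))
++ if( ATOMID( ptype ) == ATOMID( "ilst" )) {
++ ASSERT(ATOMID( type ) != ATOMID( "ilst" ));
+ return new MP4ItemAtom( file, type );
++ }
+
+ if( ATOMID( type ) == ATOMID( "data" ))
+ return new MP4DataAtom(file);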
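Review bot: The new `ASSERT(ATOMID( type ) != ATOMID( "ilst" ));` in `MP4Atom::factory` treats a malformed input (an `ilst` nested directly under an `ilst`) as a programmer-bug check, and the hunk does not show what `ASSERT` expands to in this codebase: if it is an abort-style assert, a crafted file terminates the process, and if it is compiled out under NDEBUG the original type confusion remains. The sibling CVE-2018-14325 patch in this same commit rejects bad input with `throw new Exception( ..., __FILE__, __LINE__, __FUNCTION__ )`; handling a nested `ilst` the same way, with a message naming the parent and child atom types, would be consistent and keeps it a parse error. If `ASSERT` here already throws, a one-line comment at the call site saying so would spare the next reader the lookup. `MP4Atom::factory` starts and ends outside the hunk.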
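diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
new file mode 100644
index 00000000000..e7bea4e1dee
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
@@ -0,0 +1,28 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Wed, 17 Oct 2018 16:13:06 +0100
+Subject: [PATCH] Fix Out-of-bounds memory access in MP4v2 2.0.0
+
+The bug can be fixed by more checks when doing type comparison.
+Reference: https://www.openwall.com/lists/oss-security/2018/07/18/3
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403
+---
+ src/mp4util.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/mp4util.cpp b/src/mp4util.cpp
+index 47bd74e..696dab4 100644
+--- a/src/mp4util.cpp
++++ b/src/mp4util.cpp
+@@ -46,6 +46,7 @@ bool MP4NameFirstMatches(const char* s1, const char* s2)
+ s1++;
+ s2++;
+ }
++ if(*s2 != '[' && *s2 != '.' && *s2 != '\0') return false;
+ return true;
+ }
+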
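Review bot: The single added line in `MP4NameFirstMatches` carries no comment, and its purpose — that once the loop has consumed the common prefix, `s2` may only end or continue with a child (`.`) or index (`[`) separator, so that a longer name is no longer accepted as a match for a shorter one — is not obvious from the three surrounding lines. A comment such as `// After the matched prefix, s2 must end or continue with a child ('.') or index ('[') separator; anything else is a different name, not a match` would make the intent of the CVE fix clear to the next reader. The loop that advances `s1` and `s2` begins outside the hunk, so it cannot be confirmed from here that the loop condition also stops at the terminator of `s1`; that is worth checking alongside this change. The function's opening lines are outside the hunk.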
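diff --git a/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
new file mode 100644
index 00000000000..55a53112dd4
--- /dev/null
+++ b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+MY_P=${P/lib}
+
+inherit libtool
+
+DESCRIPTION="Functions for accessing ISO-IEC:14496-1:2001 MPEG-4 standard"
+HOMEPAGE="https://code.google.com/p/mp4v2/"
+SRC_URI="https://mp4v2.googlecode.com/files/${MY_P}.tar.bz2"
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+IUSE="static-libs test utils"
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+ test? ( dev-util/dejagnu )
+ utils? ( sys-apps/help2man )
+"
+
+DOCS=( doc/{Authors,BuildSource,Documentation,ReleaseNotes,ToolGuide}.txt README )
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-gcc7.patch"
+ "${FILESDIR}/${P}-mp4tags-corruption.patch"
+ "${FILESDIR}/${P}-clang.patch"
+ "${FILESDIR}/${P}-CVE-2018-14054.patch"
+ "${FILESDIR}/${P}-CVE-2018-14325.patch"
+ "${FILESDIR}/${P}-CVE-2018-14379.patch"
+ "${FILESDIR}/${P}-CVE-2018-14403.patch"
+)
+
+src_prepare() {
+ default
+ elibtoolize
+}
+
+src_configure() {
+ econf \
+ --disable-gch \
+ $(use_enable utils util) \
+ $(use_enable static-libs static)
+}
+
+src_install() {
+ default
+ find "${D}" -name '*.la' -delete || die
+}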
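Review bot: The `PATCHES` array applies `${P}-CVE-2018-14325.patch` before `${P}-CVE-2018-14379.patch`, but the blob ids inside the two patches record the opposite upstream order for `src/mp4atom.cpp`: the 14379 patch takes it from `520cbc8` to `7a0a53f`, and the 14325 patch lists `7a0a53f` as its pre-image. The two hunks are far apart (around lines 143 and 778), so `eapply` presumably still lands them with an offset, but swapping the two entries reproduces upstream's order and removes the reliance on offset matching: `"${FILESDIR}/${P}-CVE-2018-14379.patch"` followed by `"${FILESDIR}/${P}-CVE-2018-14325.patch"`. Separately, `src_install` removes `.la` files under `${D}`; on EAPI 7 `${ED}` is the conventional root for prefix-aware installs, although `find` over `${D}` still reaches the same files.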