commit: 1560154cd7f50715577cc36e52f8d03a15a80419 |
Author: John Helmert III <jchelmert3 <AT> posteo <DOT> net> |
AuthorDate: Mon Aug 3 00:49:30 2020 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Mon Aug 3 00:49:30 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1560154c |
|
media-libs/libmp4v2: add security patches |
|
Bug: https://bugs.gentoo.org/661582 |
Package-Manager: Portage-3.0.0, Repoman-2.3.23 |
Signed-off-by: John Helmert III <jchelmert3 <AT> posteo.net> |
Closes: https://github.com/gentoo/gentoo/pull/16811 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../files/libmp4v2-2.0.0-CVE-2018-14054.patch | 35 +++++++++++++ |
.../files/libmp4v2-2.0.0-CVE-2018-14325.patch | 60 ++++++++++++++++++++++ |
.../files/libmp4v2-2.0.0-CVE-2018-14379.patch | 33 ++++++++++++ |
.../files/libmp4v2-2.0.0-CVE-2018-14403.patch | 28 ++++++++++ |
media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild | 54 +++++++++++++++++++ |
5 files changed, 210 insertions(+) |
|
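diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
new file mode 100644
index 00000000000..3ff3e731b93
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
@@ -0,0 +1,35 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/3410bc66fb91f46325ab1d008b6a421dd8240949
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From 3410bc66fb91f46325ab1d008b6a421dd8240949 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Sat, 2 Nov 2019 04:21:17 +0000
+Subject: [PATCH] Null out pointer after free to prevent double free
+
+If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur. By setting the pointer to NULL after the first free, we prevent the double free in this case.
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054
+
+copied form https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743
+From: Dave O'Rourke
+Date: Wed, 20 Mar 2019 08:57:29 -0400
+---
+ src/mp4property.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mp4property.cpp b/src/mp4property.cpp
+index 9a5b1e3..1b8e1d2 100644
+--- a/src/mp4property.cpp
++++ b/src/mp4property.cpp
+@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
+ char*& value = m_values[i];
+
+ // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
+- // we don't free. Note that MP4Free checks for null.
+- MP4Free(value);
++ // we don't free. Note that this code checks for null before calling free and sets the pointer to null
++ // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
++ MP4Free( value );
++ value = NULL;
+
+ if( m_useCountedFormat ) {
+ value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );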
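Review bot: The replacement comment in the mp4property.cpp hunk says "this code checks for null before calling free", but the lines shown do no such check — the null tolerance lives inside MP4Free, which is exactly what the removed comment stated. Keeping that fact explicit avoids a later reader adding a redundant guard or assuming the call is unsafe on null: `// we don't free. MP4Free tolerates null; the pointer is reset to NULL right after freeing so that an` / `// exception thrown before reassignment (e.g. on a crafted file) cannot lead to a double free.` It is also worth saying that `value` is a `char*&` aliasing `m_values[i]`, so the reset clears the array slot itself, which is presumably what the destructor later walks. MP4StringProperty::Read continues outside the hunk.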
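diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
new file mode 100644
index 00000000000..eb23926bb49
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
@@ -0,0 +1,60 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/9084868fd9f86bee118001c23171e832f15009f4
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+
+From 9084868fd9f86bee118001c23171e832f15009f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Fri, 8 Nov 2019 02:01:32 +0000
+Subject: [PATCH] Fix v3 Integer underflow/overflow in MP4v2 2.0.0
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/16/1
+
+For the overflow, we could check the result of the integer multiplication:
+
+fix vulnerability where an atom list size is enormous
+and calculating the number of bytes needed to hold the list overflows
+https://github.com/TechSmith/mp4v2/pull/27/commits/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14326 and https://nvd.nist.gov/vuln/detail/CVE-2018-14446
+
+For the underflow, we could check if `dataSize >= hdrSize` satisfies:
+Throw exception when invalid atom size would cause integer underflow
+The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results. We throw an exception to stop the code from going any further.
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325
+Based on https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451
+---
+ src/mp4array.h | 2 ++
+ src/mp4atom.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mp4array.h b/src/mp4array.h
+index c49d59b..69d470a 100644
+--- a/src/mp4array.h
++++ b/src/mp4array.h
+@@ -102,6 +102,8 @@ class MP4Array {
+ void Resize(MP4ArrayIndex newSize) { \
+ m_numElements = newSize; \
+ m_maxNumElements = newSize; \
++ if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
++ throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
+ m_elements = (type*)MP4Realloc(m_elements, \
+ m_maxNumElements * sizeof(type)); \
+ } \
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 7a0a53f..f5d5dc0 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -143,6 +143,12 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom)
+ dataSize = file.GetSize() - pos;
+ }
+
++ if(dataSize < hdrSize) {
++ ostringstream oss;
++ oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast<unsigned>( hdrSize );
++ log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() );
++ throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ );
++ }
+ dataSize -= hdrSize;
+
+ log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u",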
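Review bot: In the mp4array.h hunk the size guard runs after `m_numElements = newSize;` and `m_maxNumElements = newSize;`, so when it throws the array already claims `newSize` elements while `m_elements` still holds the old, smaller allocation. If the exception is caught and the object is then reused, or destroyed by code that walks `m_numElements` entries (not visible here), that becomes an out-of-bounds access on the old buffer. Move the guard above the two assignments so a rejected resize leaves the object untouched: `if ( (uint64_t) newSize * sizeof(type) > 0xFFFFFFFF ) \` followed by the existing `throw new PlatformException(...); \` line, and only then the assignments. Separately, the patch header states this file also addresses CVE-2018-14326 and CVE-2018-14446, which neither the file name nor the commit message records; noting it somewhere in the revision makes the advisory mapping auditable. Both the Resize and ReadAtom bodies extend outside their hunks.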
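diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
new file mode 100644
index 00000000000..487dc709af3
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
@@ -0,0 +1,33 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/bb920de948c85e3db4a52292ac7250a50e3bfc86
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From bb920de948c85e3db4a52292ac7250a50e3bfc86 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Sat, 2 Nov 2019 04:19:27 +0000
+Subject: [PATCH] Fix v2 Type confusion in MP4v2 2.0.0
+
+The bug is caused by the wrong assumption that the child of an `ilst`
+can never be an `ilst`. So we could fix it by simply adding an ASSERT.
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/17/1
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14379
+---
+ src/mp4atom.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 520cbc8..7a0a53f 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -778,8 +778,10 @@ MP4Atom::factory( MP4File &file, MP4Atom* parent, const char* type )
+ const char* const ptype = parent->GetType();
+
+ if( descendsFrom( parent, "ilst" )) {
+- if( ATOMID( ptype ) == ATOMID( "ilst" ))
++ if( ATOMID( ptype ) == ATOMID( "ilst" )) {
++ ASSERT(ATOMID( type ) != ATOMID( "ilst" ));
+ return new MP4ItemAtom( file, type );
++ }
+
+ if( ATOMID( type ) == ATOMID( "data" ))
+ return new MP4DataAtom(file);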
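Review bot: The `ilst`-inside-`ilst` rejection in the factory hunk rests entirely on what `ASSERT` expands to in this tree, and the hunk does not show it. If it throws the way the neighbouring code does (`throw new Exception(...)` in the sibling patches), a malformed file is rejected cleanly; if instead it compiles to nothing under NDEBUG, or aborts, the type confusion either survives in release builds or turns into a crash on crafted input. That is worth confirming before relying on it, or the macro can be replaced with an explicit check in the same style as the other fixes: `if( ATOMID( type ) == ATOMID( "ilst" )) throw new Exception( "ilst atom cannot contain ilst", __FILE__, __LINE__, __FUNCTION__ );`. MP4Atom::factory continues outside the hunk.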
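diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
new file mode 100644
index 00000000000..e7bea4e1dee
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
@@ -0,0 +1,28 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@××××××.com>
+Date: Wed, 17 Oct 2018 16:13:06 +0100
+Subject: [PATCH] Fix Out-of-bounds memory access in MP4v2 2.0.0
+
+The bug can be fixed by more checks when doing type comparison.
+Reference: https://www.openwall.com/lists/oss-security/2018/07/18/3
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403
+---
+ src/mp4util.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/mp4util.cpp b/src/mp4util.cpp
+index 47bd74e..696dab4 100644
+--- a/src/mp4util.cpp
++++ b/src/mp4util.cpp
+@@ -46,6 +46,7 @@ bool MP4NameFirstMatches(const char* s1, const char* s2)
+ s1++;
+ s2++;
+ }
++ if(*s2 != '[' && *s2 != '.' && *s2 != '\0') return false;
+ return true;
+ }
+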
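Review bot: The added line in MP4NameFirstMatches carries no comment explaining why `[`, `.` and `\0` are the only characters permitted after the matched prefix, and the loop that advances `s1`/`s2` starts outside the hunk, so the intent cannot be recovered from the diff alone. Suggest `// s1 matched only a prefix of s2: accept it as a name match solely when s2 ends here or continues with an index/child separator, otherwise a longer name sharing the prefix would be reported as matching.` Reading `*s2` after the loop is safe only if the loop stops at or before s2's terminator, which the visible `s2++` suggests but the hidden loop condition decides — worth a glance when applying.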
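diff --git a/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
new file mode 100644
index 00000000000..55a53112dd4
--- /dev/null
+++ b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+MY_P=${P/lib}
+
+inherit libtool
+
+DESCRIPTION="Functions for accessing ISO-IEC:14496-1:2001 MPEG-4 standard"
+HOMEPAGE="https://code.google.com/p/mp4v2/"
+SRC_URI="https://mp4v2.googlecode.com/files/${MY_P}.tar.bz2"
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+IUSE="static-libs test utils"
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+ test? ( dev-util/dejagnu )
+ utils? ( sys-apps/help2man )
+"
+
+DOCS=( doc/{Authors,BuildSource,Documentation,ReleaseNotes,ToolGuide}.txt README )
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-gcc7.patch"
+ "${FILESDIR}/${P}-mp4tags-corruption.patch"
+ "${FILESDIR}/${P}-clang.patch"
+ "${FILESDIR}/${P}-CVE-2018-14054.patch"
+ "${FILESDIR}/${P}-CVE-2018-14325.patch"
+ "${FILESDIR}/${P}-CVE-2018-14379.patch"
+ "${FILESDIR}/${P}-CVE-2018-14403.patch"
+)
+
+src_prepare() {
+ default
+ elibtoolize
+}
+
+src_configure() {
+ econf \
+ --disable-gch \
+ $(use_enable utils util) \
+ $(use_enable static-libs static)
+}
+
+src_install() {
+ default
+ find "${D}" -name '*.la' -delete || die
+}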
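Review bot: The PATCHES entry `"${FILESDIR}/${P}-CVE-2018-14325.patch"` applies a patch whose own header says it also addresses CVE-2018-14326 and CVE-2018-14446, but neither the ebuild nor the commit message records that, so a later audit of which CVEs -r2 closes will undercount. A one-line comment above the CVE entries keeps the mapping inside the revision: `# the CVE-2018-14325 patch also covers CVE-2018-14326 and CVE-2018-14446 (see its header)`. Unrelated to the new patches but visible here, SRC_URI still points at mp4v2.googlecode.com, which no longer serves downloads, so fetching depends on the distfile mirrors; presumably carried over from the previous revision, but worth a note for whoever bumps this next.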