| 1 |
commit: ab144c7631ebe685ffec603e48824403fcd00cdd |
| 2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Jun 10 23:45:11 2018 +0000 |
| 4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Jun 11 00:04:20 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab144c76 |
| 7 |
|
| 8 |
media-sound/sox: A truckload of security |
| 9 |
|
| 10 |
Kindly provided by Debian packaging... |
| 11 |
|
| 12 |
Bug: https://bugs.gentoo.org/627570 |
| 13 |
Bug: https://bugs.gentoo.org/626702 |
| 14 |
Bug: https://bugs.gentoo.org/634814 |
| 15 |
Bug: https://bugs.gentoo.org/634450 |
| 16 |
Package-Manager: Portage-2.3.40, Repoman-2.3.9 |
| 17 |
|
| 18 |
.../sox/files/sox-14.4.2-CVE-2017-11332.patch | 25 ++++++ |
| 19 |
.../sox/files/sox-14.4.2-CVE-2017-11333.patch | 43 ++++++++++ |
| 20 |
.../sox/files/sox-14.4.2-CVE-2017-11358.patch | 26 ++++++ |
| 21 |
.../sox/files/sox-14.4.2-CVE-2017-11359.patch | 27 ++++++ |
| 22 |
.../sox/files/sox-14.4.2-CVE-2017-15370.patch | 25 ++++++ |
| 23 |
.../sox/files/sox-14.4.2-CVE-2017-15371.patch | 37 +++++++++ |
| 24 |
.../sox/files/sox-14.4.2-CVE-2017-15372.patch | 97 ++++++++++++++++++++++ |
| 25 |
.../sox/files/sox-14.4.2-CVE-2017-15642.patch | 28 +++++++ |
| 26 |
.../sox/files/sox-14.4.2-CVE-2017-18189.patch | 30 +++++++ |
| 27 |
.../sox-14.4.2-wavpack-chk-errors-on-init.patch | 35 ++++++++ |
| 28 |
media-sound/sox/sox-14.4.2-r1.ebuild | 13 +++ |
| 29 |
11 files changed, 386 insertions(+) |
| 30 |
|
| 31 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch |
| 32 |
new file mode 100644 |
| 33 |
index 00000000000..2b4448ed2d7 |
| 34 |
--- /dev/null |
| 35 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11332.patch |
| 36 |
@@ -0,0 +1,25 @@ |
| 37 |
+From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001 |
| 38 |
+From: Mans Rullgard <mans@×××××.com> |
| 39 |
+Date: Sun, 5 Nov 2017 16:29:28 +0000 |
| 40 |
+Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) |
| 41 |
+ |
| 42 |
+--- |
| 43 |
+ src/wav.c | 5 +++++ |
| 44 |
+ 1 file changed, 5 insertions(+) |
| 45 |
+ |
| 46 |
+diff --git a/src/wav.c b/src/wav.c |
| 47 |
+index 3e80e692..3eaebfa7 100644 |
| 48 |
+--- a/src/wav.c |
| 49 |
++++ b/src/wav.c |
| 50 |
+@@ -712,6 +712,11 @@ static int startread(sox_format_t * ft) |
| 51 |
+ else |
| 52 |
+ lsx_report("User options overriding channels read in .wav header"); |
| 53 |
+ |
| 54 |
++ if (ft->signal.channels == 0) { |
| 55 |
++ lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero"); |
| 56 |
++ return SOX_EOF; |
| 57 |
++ } |
| 58 |
++ |
| 59 |
+ if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond) |
| 60 |
+ ft->signal.rate = dwSamplesPerSecond; |
| 61 |
+ else |
| 62 |
|
| 63 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch |
| 64 |
new file mode 100644 |
| 65 |
index 00000000000..a9a5b276219 |
| 66 |
--- /dev/null |
| 67 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11333.patch |
| 68 |
@@ -0,0 +1,43 @@ |
| 69 |
+From 93b6e4b5b0efa47b318151d39c35277fc06525f1 Mon Sep 17 00:00:00 2001 |
| 70 |
+Message-Id: <93b6e4b5b0efa47b318151d39c35277fc06525f1.1511192342.git.agx@×××××××.org> |
| 71 |
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@×××××××.org> |
| 72 |
+Date: Wed, 15 Nov 2017 18:36:58 +0100 |
| 73 |
+Subject: [PATCH] Handle vorbis_analysis_headerout errors |
| 74 |
+ |
| 75 |
+This is related to |
| 76 |
+ |
| 77 |
+ https://github.com/xiph/vorbis/pull/34 |
| 78 |
+ |
| 79 |
+but could also happen today with on other errors in the called function. |
| 80 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882236 |
| 81 |
+Forwarded: sox-devel@×××××××××××××××××.net |
| 82 |
+--- |
| 83 |
+ src/vorbis.c | 8 ++++++-- |
| 84 |
+ 1 file changed, 6 insertions(+), 2 deletions(-) |
| 85 |
+ |
| 86 |
+Index: sox/src/vorbis.c |
| 87 |
+=================================================================== |
| 88 |
+--- sox.orig/src/vorbis.c |
| 89 |
++++ sox/src/vorbis.c |
| 90 |
+@@ -270,8 +270,11 @@ static int write_vorbis_header(sox_forma |
| 91 |
+ vc.comment_lengths[i] = strlen(text); |
| 92 |
+ } |
| 93 |
+ } |
| 94 |
+- vorbis_analysis_headerout( /* Build the packets */ |
| 95 |
+- &ve->vd, &vc, &header_main, &header_comments, &header_codebooks); |
| 96 |
++ if (vorbis_analysis_headerout( /* Build the packets */ |
| 97 |
++ &ve->vd, &vc, &header_main, &header_comments, &header_codebooks) < 0) { |
| 98 |
++ ret = HEADER_ERROR; |
| 99 |
++ goto cleanup; |
| 100 |
++ } |
| 101 |
+ |
| 102 |
+ ogg_stream_packetin(&ve->os, &header_main); /* And stream them out */ |
| 103 |
+ ogg_stream_packetin(&ve->os, &header_comments); |
| 104 |
+@@ -280,6 +283,7 @@ static int write_vorbis_header(sox_forma |
| 105 |
+ while (ogg_stream_flush(&ve->os, &ve->og) && ret == HEADER_OK) |
| 106 |
+ if (!oe_write_page(&ve->og, ft)) |
| 107 |
+ ret = HEADER_ERROR; |
| 108 |
++cleanup: |
| 109 |
+ for (i = 0; i < vc.comments; ++i) |
| 110 |
+ free(vc.user_comments[i]); |
| 111 |
+ free(vc.user_comments); |
| 112 |
|
| 113 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch |
| 114 |
new file mode 100644 |
| 115 |
index 00000000000..6cd8c2bb15f |
| 116 |
--- /dev/null |
| 117 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11358.patch |
| 118 |
@@ -0,0 +1,26 @@ |
| 119 |
+From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001 |
| 120 |
+From: Mans Rullgard <mans@×××××.com> |
| 121 |
+Date: Sun, 5 Nov 2017 16:43:35 +0000 |
| 122 |
+Subject: [PATCH] hcom: fix crash on input with corrupt dictionary |
| 123 |
+ (CVE-2017-11358) |
| 124 |
+ |
| 125 |
+--- |
| 126 |
+ src/hcom.c | 5 +++++ |
| 127 |
+ 1 file changed, 5 insertions(+) |
| 128 |
+ |
| 129 |
+diff --git a/src/hcom.c b/src/hcom.c |
| 130 |
+index c62b020c..1b0e09dd 100644 |
| 131 |
+--- a/src/hcom.c |
| 132 |
++++ b/src/hcom.c |
| 133 |
+@@ -150,6 +150,11 @@ static int startread(sox_format_t * ft) |
| 134 |
+ lsx_debug("%d %d", |
| 135 |
+ p->dictionary[i].dict_leftson, |
| 136 |
+ p->dictionary[i].dict_rightson); |
| 137 |
++ if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || |
| 138 |
++ (unsigned) p->dictionary[i].dict_rightson >= dictsize) { |
| 139 |
++ lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); |
| 140 |
++ return SOX_EOF; |
| 141 |
++ } |
| 142 |
+ } |
| 143 |
+ rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ |
| 144 |
+ if (rc) |
| 145 |
|
| 146 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch |
| 147 |
new file mode 100644 |
| 148 |
index 00000000000..180d7d1c867 |
| 149 |
--- /dev/null |
| 150 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-11359.patch |
| 151 |
@@ -0,0 +1,27 @@ |
| 152 |
+From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001 |
| 153 |
+From: Mans Rullgard <mans@×××××.com> |
| 154 |
+Date: Sun, 5 Nov 2017 17:02:11 +0000 |
| 155 |
+Subject: [PATCH] wav: fix crash writing header when channel count >64k |
| 156 |
+ (CVE-2017-11359) |
| 157 |
+ |
| 158 |
+--- |
| 159 |
+ src/wav.c | 6 ++++++ |
| 160 |
+ 1 file changed, 6 insertions(+) |
| 161 |
+ |
| 162 |
+diff --git a/src/wav.c b/src/wav.c |
| 163 |
+index 3eaebfa7..fad334cf 100644 |
| 164 |
+--- a/src/wav.c |
| 165 |
++++ b/src/wav.c |
| 166 |
+@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header) |
| 167 |
+ long blocksWritten = 0; |
| 168 |
+ sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ |
| 169 |
+ |
| 170 |
++ if (ft->signal.channels > UINT16_MAX) { |
| 171 |
++ lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", |
| 172 |
++ ft->signal.channels); |
| 173 |
++ return SOX_EOF; |
| 174 |
++ } |
| 175 |
++ |
| 176 |
+ dwSamplesPerSecond = ft->signal.rate; |
| 177 |
+ wChannels = ft->signal.channels; |
| 178 |
+ wBitsPerSample = ft->encoding.bits_per_sample; |
| 179 |
|
| 180 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch |
| 181 |
new file mode 100644 |
| 182 |
index 00000000000..473c383a663 |
| 183 |
--- /dev/null |
| 184 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15370.patch |
| 185 |
@@ -0,0 +1,25 @@ |
| 186 |
+From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001 |
| 187 |
+From: Mans Rullgard <mans@×××××.com> |
| 188 |
+Date: Sun, 5 Nov 2017 16:21:23 +0000 |
| 189 |
+Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input |
| 190 |
+ (CVE-2017-15370) |
| 191 |
+ |
| 192 |
+Add the same check bad block size as was done for MS adpcm in commit |
| 193 |
+f39c574b ("More checks for invalid MS ADPCM blocks"). |
| 194 |
+--- |
| 195 |
+ src/wav.c | 2 +- |
| 196 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
| 197 |
+ |
| 198 |
+diff --git a/src/wav.c b/src/wav.c |
| 199 |
+index 5202556c..3e80e692 100644 |
| 200 |
+--- a/src/wav.c |
| 201 |
++++ b/src/wav.c |
| 202 |
+@@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft) |
| 203 |
+ /* work with partial blocks. Specs say it should be null */ |
| 204 |
+ /* padded but I guess this is better than trailing quiet. */ |
| 205 |
+ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0); |
| 206 |
+- if (samplesThisBlock == 0) |
| 207 |
++ if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) |
| 208 |
+ { |
| 209 |
+ lsx_warn("Premature EOF on .wav input file"); |
| 210 |
+ return 0; |
| 211 |
|
| 212 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch |
| 213 |
new file mode 100644 |
| 214 |
index 00000000000..cde253da4ec |
| 215 |
--- /dev/null |
| 216 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15371.patch |
| 217 |
@@ -0,0 +1,37 @@ |
| 218 |
+From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001 |
| 219 |
+From: Mans Rullgard <mans@×××××.com> |
| 220 |
+Date: Sun, 5 Nov 2017 15:57:48 +0000 |
| 221 |
+Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) |
| 222 |
+ |
| 223 |
+--- |
| 224 |
+ src/flac.c | 8 +++++--- |
| 225 |
+ 1 file changed, 5 insertions(+), 3 deletions(-) |
| 226 |
+ |
| 227 |
+Index: sox/src/flac.c |
| 228 |
+=================================================================== |
| 229 |
+--- sox.orig/src/flac.c |
| 230 |
++++ sox/src/flac.c |
| 231 |
+@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL |
| 232 |
+ p->total_samples = metadata->data.stream_info.total_samples; |
| 233 |
+ } |
| 234 |
+ else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) { |
| 235 |
++ const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment; |
| 236 |
+ size_t i; |
| 237 |
+ |
| 238 |
+- if (metadata->data.vorbis_comment.num_comments == 0) |
| 239 |
++ if (vc->num_comments == 0) |
| 240 |
+ return; |
| 241 |
+ |
| 242 |
+ if (ft->oob.comments != NULL) { |
| 243 |
+@@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL |
| 244 |
+ return; |
| 245 |
+ } |
| 246 |
+ |
| 247 |
+- for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i) |
| 248 |
+- sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry); |
| 249 |
++ for (i = 0; i < vc->num_comments; ++i) |
| 250 |
++ if (vc->comments[i].entry) |
| 251 |
++ sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry); |
| 252 |
+ } |
| 253 |
+ } |
| 254 |
+ |
| 255 |
|
| 256 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch |
| 257 |
new file mode 100644 |
| 258 |
index 00000000000..8671213a98f |
| 259 |
--- /dev/null |
| 260 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15372.patch |
| 261 |
@@ -0,0 +1,97 @@ |
| 262 |
+From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001 |
| 263 |
+From: Mans Rullgard <mans@×××××.com> |
| 264 |
+Date: Wed, 8 Nov 2017 00:29:14 +0000 |
| 265 |
+Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372) |
| 266 |
+ |
| 267 |
+--- |
| 268 |
+ src/adpcm.c | 8 +++++++- |
| 269 |
+ src/adpcm.h | 3 +++ |
| 270 |
+ src/wav.c | 5 ++++- |
| 271 |
+ 3 files changed, 14 insertions(+), 2 deletions(-) |
| 272 |
+ |
| 273 |
+Index: sox/src/adpcm.c |
| 274 |
+=================================================================== |
| 275 |
+--- sox.orig/src/adpcm.c |
| 276 |
++++ sox/src/adpcm.c |
| 277 |
+@@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = |
| 278 |
+ { 392,-232} |
| 279 |
+ }; |
| 280 |
+ |
| 281 |
++extern void *lsx_ms_adpcm_alloc(unsigned chans) |
| 282 |
++{ |
| 283 |
++ return lsx_malloc(chans * sizeof(MsState_t)); |
| 284 |
++} |
| 285 |
++ |
| 286 |
+ static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, |
| 287 |
+ sox_sample_t sample1, sox_sample_t sample2) |
| 288 |
+ { |
| 289 |
+@@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s |
| 290 |
+ |
| 291 |
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ |
| 292 |
+ const char *lsx_ms_adpcm_block_expand_i( |
| 293 |
++ void *priv, |
| 294 |
+ unsigned chans, /* total channels */ |
| 295 |
+ int nCoef, |
| 296 |
+ const short *coef, |
| 297 |
+@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( |
| 298 |
+ const unsigned char *ip; |
| 299 |
+ unsigned ch; |
| 300 |
+ const char *errmsg = NULL; |
| 301 |
+- MsState_t state[4]; /* One decompressor state for each channel */ |
| 302 |
++ MsState_t *state = priv; /* One decompressor state for each channel */ |
| 303 |
+ |
| 304 |
+ /* Read the four-byte header for each channel */ |
| 305 |
+ ip = ibuff; |
| 306 |
+Index: sox/src/adpcm.h |
| 307 |
+=================================================================== |
| 308 |
+--- sox.orig/src/adpcm.h |
| 309 |
++++ sox/src/adpcm.h |
| 310 |
+@@ -29,8 +29,11 @@ |
| 311 |
+ /* default coef sets */ |
| 312 |
+ extern const short lsx_ms_adpcm_i_coef[7][2]; |
| 313 |
+ |
| 314 |
++extern void *lsx_ms_adpcm_alloc(unsigned chans); |
| 315 |
++ |
| 316 |
+ /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ |
| 317 |
+ extern const char *lsx_ms_adpcm_block_expand_i( |
| 318 |
++ void *priv, |
| 319 |
+ unsigned chans, /* total channels */ |
| 320 |
+ int nCoef, |
| 321 |
+ const short *coef, |
| 322 |
+Index: sox/src/wav.c |
| 323 |
+=================================================================== |
| 324 |
+--- sox.orig/src/wav.c |
| 325 |
++++ sox/src/wav.c |
| 326 |
+@@ -82,6 +82,7 @@ typedef struct { |
| 327 |
+ /* following used by *ADPCM wav files */ |
| 328 |
+ unsigned short nCoefs; /* ADPCM: number of coef sets */ |
| 329 |
+ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ |
| 330 |
++ void *ms_adpcm_data; /* Private data of adpcm decoder */ |
| 331 |
+ unsigned char *packet; /* Temporary buffer for packets */ |
| 332 |
+ short *samples; /* interleaved samples buffer */ |
| 333 |
+ short *samplePtr; /* Pointer to current sample */ |
| 334 |
+@@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so |
| 335 |
+ } |
| 336 |
+ } |
| 337 |
+ |
| 338 |
+- errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); |
| 339 |
++ errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); |
| 340 |
+ |
| 341 |
+ if (errmsg) |
| 342 |
+ lsx_warn("%s", errmsg); |
| 343 |
+@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft) |
| 344 |
+ |
| 345 |
+ /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ |
| 346 |
+ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); |
| 347 |
++ wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); |
| 348 |
+ { |
| 349 |
+ int i, errct=0; |
| 350 |
+ for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { |
| 351 |
+@@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft) |
| 352 |
+ free(wav->packet); |
| 353 |
+ free(wav->samples); |
| 354 |
+ free(wav->lsx_ms_adpcm_i_coefs); |
| 355 |
++ free(wav->ms_adpcm_data); |
| 356 |
+ free(wav->comment); |
| 357 |
+ wav->comment = NULL; |
| 358 |
+ |
| 359 |
|
| 360 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch |
| 361 |
new file mode 100644 |
| 362 |
index 00000000000..d43ef50d101 |
| 363 |
--- /dev/null |
| 364 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-15642.patch |
| 365 |
@@ -0,0 +1,28 @@ |
| 366 |
+Description: This fixes a use after free and double free if an empty comment |
| 367 |
+chunk follows a non-empty one. |
| 368 |
+Author: Mans Rullgard <mans@×××××.com> |
| 369 |
+Forwarded: not-needed |
| 370 |
+--- |
| 371 |
+ src/aiff.c | 2 +- |
| 372 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
| 373 |
+ |
| 374 |
+Index: sox/src/aiff.c |
| 375 |
+=================================================================== |
| 376 |
+--- sox.orig/src/aiff.c |
| 377 |
++++ sox/src/aiff.c |
| 378 |
+@@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft) |
| 379 |
+ size_t ssndsize = 0; |
| 380 |
+ char *annotation; |
| 381 |
+ char *author; |
| 382 |
+- char *comment = NULL; |
| 383 |
+ char *copyright; |
| 384 |
+ char *nametext; |
| 385 |
+ |
| 386 |
+@@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft) |
| 387 |
+ free(annotation); |
| 388 |
+ } |
| 389 |
+ else if (strncmp(buf, "COMT", (size_t)4) == 0) { |
| 390 |
++ char *comment = NULL; |
| 391 |
+ rc = commentChunk(&comment, "Comment:", ft); |
| 392 |
+ if (rc) { |
| 393 |
+ /* Fail already called in function */ |
| 394 |
|
| 395 |
diff --git a/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch |
| 396 |
new file mode 100644 |
| 397 |
index 00000000000..fd04bcdff13 |
| 398 |
--- /dev/null |
| 399 |
+++ b/media-sound/sox/files/sox-14.4.2-CVE-2017-18189.patch |
| 400 |
@@ -0,0 +1,30 @@ |
| 401 |
+Description: A corrupt header specifying zero channels would send read_channels() |
| 402 |
+into an infinite loop. Prevent this by sanity checking the channel |
| 403 |
+count in open_read(). Also add an upper bound to prevent overflow |
| 404 |
+in multiplication. |
| 405 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 |
| 406 |
+Author: Mans Rullgard <mans@×××××.com> |
| 407 |
+ Jaromír Mikeš <mira.mikes@××××××.cz> |
| 408 |
+Forwarded: not-needed |
| 409 |
+ |
| 410 |
+--- |
| 411 |
+ src/xa.c | 6 ++++++ |
| 412 |
+ 1 file changed, 6 insertions(+) |
| 413 |
+ |
| 414 |
+Index: sox/src/xa.c |
| 415 |
+=================================================================== |
| 416 |
+--- sox.orig/src/xa.c |
| 417 |
++++ sox/src/xa.c |
| 418 |
+@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) |
| 419 |
+ lsx_report("User options overriding rate read in .xa header"); |
| 420 |
+ } |
| 421 |
+ |
| 422 |
++ if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { |
| 423 |
++ lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", |
| 424 |
++ ft->signal.channels); |
| 425 |
++ return SOX_EOF; |
| 426 |
++ } |
| 427 |
++ |
| 428 |
+ /* Check for supported formats */ |
| 429 |
+ if (ft->encoding.bits_per_sample != 16) { |
| 430 |
+ lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.", |
| 431 |
|
| 432 |
diff --git a/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch |
| 433 |
new file mode 100644 |
| 434 |
index 00000000000..4ebb31c0ae9 |
| 435 |
--- /dev/null |
| 436 |
+++ b/media-sound/sox/files/sox-14.4.2-wavpack-chk-errors-on-init.patch |
| 437 |
@@ -0,0 +1,35 @@ |
| 438 |
+Description: wavpack: check errors when initializing |
| 439 |
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881145 |
| 440 |
+Author: Eric Wong <normalperson@××××.net> |
| 441 |
+ Jaromír Mikeš <mira.mikes@××××××.cz> |
| 442 |
+Forwarded: not-needed |
| 443 |
+ |
| 444 |
+ src/wavpack.c | 8 ++++++++ |
| 445 |
+ 1 file changed, 8 insertions(+) |
| 446 |
+ |
| 447 |
+diff --git a/src/wavpack.c b/src/wavpack.c |
| 448 |
+index 9e525cd4..b7e8dafa 100644 |
| 449 |
+--- a/src/wavpack.c |
| 450 |
++++ b/src/wavpack.c |
| 451 |
+@@ -65,6 +65,10 @@ static int start_read(sox_format_t * ft) |
| 452 |
+ char msg[80]; |
| 453 |
+ |
| 454 |
+ p->codec = WavpackOpenFileInputEx(&io_fns, ft, NULL, msg, OPEN_NORMALIZE, 0); |
| 455 |
++ if (!p->codec) { |
| 456 |
++ lsx_fail_errno(ft, SOX_EHDR, "%s", msg); |
| 457 |
++ return SOX_EOF; |
| 458 |
++ } |
| 459 |
+ ft->encoding.bits_per_sample = WavpackGetBytesPerSample(p->codec) << 3; |
| 460 |
+ ft->signal.channels = WavpackGetNumChannels(p->codec); |
| 461 |
+ if (WavpackGetSampleRate(p->codec) && ft->signal.rate && ft->signal.rate != WavpackGetSampleRate(p->codec)) |
| 462 |
+@@ -108,6 +112,10 @@ static int start_write(sox_format_t * ft) |
| 463 |
+ uint64_t size64; |
| 464 |
+ |
| 465 |
+ p->codec = WavpackOpenFileOutput(ft_write_b_buf, ft, NULL); |
| 466 |
++ if (!p->codec) { |
| 467 |
++ lsx_fail_errno(ft, SOX_ENOMEM, "WavPack error creating output instance"); |
| 468 |
++ return SOX_EOF; |
| 469 |
++ } |
| 470 |
+ memset(&config, 0, sizeof(config)); |
| 471 |
+ config.bytes_per_sample = ft->encoding.bits_per_sample >> 3; |
| 472 |
+ config.bits_per_sample = ft->encoding.bits_per_sample; |
| 473 |
|
| 474 |
diff --git a/media-sound/sox/sox-14.4.2-r1.ebuild b/media-sound/sox/sox-14.4.2-r1.ebuild |
| 475 |
index 8ebda3df10b..d757a4e70b4 100644 |
| 476 |
--- a/media-sound/sox/sox-14.4.2-r1.ebuild |
| 477 |
+++ b/media-sound/sox/sox-14.4.2-r1.ebuild |
| 478 |
@@ -46,6 +46,19 @@ DEPEND="${RDEPEND} |
| 479 |
|
| 480 |
DOCS=( AUTHORS ChangeLog NEWS README ) |
| 481 |
|
| 482 |
+PATCHES=( |
| 483 |
+ "${FILESDIR}"/${P}-CVE-2017-11332.patch |
| 484 |
+ "${FILESDIR}"/${P}-CVE-2017-11333.patch |
| 485 |
+ "${FILESDIR}"/${P}-CVE-2017-11358.patch |
| 486 |
+ "${FILESDIR}"/${P}-CVE-2017-11359.patch |
| 487 |
+ "${FILESDIR}"/${P}-CVE-2017-15370.patch |
| 488 |
+ "${FILESDIR}"/${P}-CVE-2017-15371.patch |
| 489 |
+ "${FILESDIR}"/${P}-CVE-2017-15372.patch |
| 490 |
+ "${FILESDIR}"/${P}-CVE-2017-15642.patch |
| 491 |
+ "${FILESDIR}"/${P}-CVE-2017-18189.patch |
| 492 |
+ "${FILESDIR}"/${P}-wavpack-chk-errors-on-init.patch |
| 493 |
+) |
| 494 |
+ |
| 495 |
src_prepare() { |
| 496 |
default |
| 497 |
sed -i -e 's:CFLAGS="-g":CFLAGS="$CFLAGS -g":' configure.ac || die #386027 |
Archives