
From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libsndfile/, media-libs/libsndfile/files/
Date: Tue, 18 Sep 2018 16:24:28
Message-Id: 1537287709.fcefddf42de6342aeff7dce16760923b10a05909.asturm@gentoo
1 commit: fcefddf42de6342aeff7dce16760923b10a05909
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Tue Sep 18 16:21:49 2018 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Tue Sep 18 16:21:49 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcefddf4
7
8 media-libs/libsndfile: Fix CVE-2017-12562
9
10 Bug: https://bugs.gentoo.org/627152
11 Package-Manager: Portage-2.3.49, Repoman-2.3.10
12
13 .../files/libsndfile-1.0.28-CVE-2017-12562.patch | 88 ++++++++++++++++++++++
14 media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild | 65 ++++++++++++++++
15 2 files changed, 153 insertions(+)
16
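--- /dev/null
+++ b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2017-12562.patch
@@ -0,0 +1,88 @@
+From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@×××××××××××××××××××××××.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+ big switch statement by an amount (16 bytes) which is enough for all cases
+ where only a single value gets added. Cases 's', 'S', 'p' however
+ additionally write an arbitrary length block of data and again enlarge the
+ buffer to the required amount. However, the required space calculation does
+ not take into account the size of the length field which gets output before
+ the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+ padding byte ("size += (size & 1) ;" happens after the calculation which
+ uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+ involved
+ ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+ the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+ beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+ involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+ where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+ plus optionally another 1 which is padding and not guaranteed to be
+ readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ /* Write a C string (guaranteed to have a zero terminator). */
+ strptr = va_arg (argptr, char *) ;
+ size = strlen (strptr) + 1 ;
+- size += (size & 1) ;
+
+- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ return count ;
+
+ if (psf->rwf_endian == SF_ENDIAN_BIG)
+- header_put_be_int (psf, size) ;
++ header_put_be_int (psf, size + (size & 1)) ;
+ else
+- header_put_le_int (psf, size) ;
++ header_put_le_int (psf, size + (size & 1)) ;
+ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++ size += (size & 1) ;
+ psf->header.indx += size ;
+ psf->header.ptr [psf->header.indx - 1] = 0 ;
+ count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ */
+ strptr = va_arg (argptr, char *) ;
+ size = strlen (strptr) ;
+- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ return count ;
+ if (psf->rwf_endian == SF_ENDIAN_BIG)
+ header_put_be_int (psf, size) ;
+ else
+ header_put_le_int (psf, size) ;
+- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ size += (size & 1) ;
+ psf->header.indx += size ;
+- psf->header.ptr [psf->header.indx] = 0 ;
+ count += 4 + size ;
+ break ;
+
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ size = (size & 1) ? size : size + 1 ;
+ size = (size > 254) ? 254 : size ;
+
+- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ return count ;
+
+ header_put_byte (psf, size) ;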
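--- /dev/null
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} pypy{,3} )
+
+inherit python-any-r1 multilib-minimal
+
+MY_P=${P/_pre/pre}
+
+DESCRIPTION="C library for reading and writing files containing sampled sound"
+HOMEPAGE="http://www.mega-nerd.com/libsndfile"
+if [[ ${MY_P} == ${P} ]]; then
+ SRC_URI="http://www.mega-nerd.com/libsndfile/files/${P}.tar.gz"
+else
+ SRC_URI="http://www.mega-nerd.com/tmp/${MY_P}b.tar.gz"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="alsa minimal sqlite static-libs test"
+
+RDEPEND="
+ !minimal? (
+ >=media-libs/flac-1.2.1-r5[${MULTILIB_USEDEP}]
+ >=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}]
+ >=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}]
+ )
+ alsa? ( media-libs/alsa-lib )
+ sqlite? ( >=dev-db/sqlite-3.2 )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )"
+
+S=${WORKDIR}/${MY_P}
+
+PATCHES=(
+ "${FILESDIR}"/${P}-arm-varargs-failure.patch
+ "${FILESDIR}"/${P}-CVE-2017-12562.patch
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --disable-octave \
+ --enable-gcc-pipe \
+ --enable-gcc-opt \
+ $(use_enable static-libs static) \
+ $(use_enable !minimal external-libs) \
+ $(multilib_native_enable full-suite) \
+ $(multilib_native_use_enable alsa) \
+ $(multilib_native_use_enable sqlite)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+
+ # package provides .pc files
+ find "${D}" -name '*.la' -delete || die
+}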
176 +
177 +multilib_src_install_all() {
178 + einstalldocs
179 +
180 + # package provides .pc files
181 + find "${D}" -name '*.la' -delete || die
182 +}