From f55d08ac6babfc9b9ae659cf0ebd56c63de06e44 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Apr 2017 10:39:11 +0200 Subject: [PATCH 1/9] updated to 1.0.28 fix possible buffer overflow when parsing crafted ID3 tags (#1440758, CVE-2017-7586) fix possible buffer overflow when parsing crafted flac file (#1440756, CVE-2017-7585) --- .gitignore | 1 + libsndfile.spec | 9 +++++++-- sources | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 3631163..2e16d72 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ libsndfile-1.0.21.tar.gz /libsndfile-1.0.24.tar.gz /libsndfile-1.0.25.tar.gz /libsndfile-1.0.27.tar.gz +/libsndfile-1.0.28.tar.gz diff --git a/libsndfile.spec b/libsndfile.spec index 7ccb463..5fd7640 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile -Version: 1.0.27 -Release: 2%{?dist} +Version: 1.0.28 +Release: 1%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -150,6 +150,11 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Tue Apr 11 2017 Michal Hlavinka - 1.0.28-1 +- updated to 1.0.28 +- fix possible buffer overflow when parsing crafted ID3 tags (#1440758, CVE-2017-7586) +- fix possible buffer overflow when parsing crafted flac file (#1440756, CVE-2017-7585) + * Fri Feb 10 2017 Fedora Release Engineering - 1.0.27-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild diff --git a/sources b/sources index a3ffa74..629c63d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -fd1d97c6077f03b5d984d7956ffedb7a libsndfile-1.0.27.tar.gz +SHA512 (libsndfile-1.0.28.tar.gz) = 890731a6b8173f714155ce05eaf6d991b31632c8ab207fbae860968861a107552df26fcf85602df2e7f65502c7256c1b41735e1122485a3a07ddb580aa83b57f From 91405f64a1cdace55b2a0e6775b49a2a08057838 Mon Sep 17 00:00:00 2001 
From: Michal Hlavinka Date: Tue, 11 Apr 2017 11:00:56 +0200 Subject: [PATCH 2/9] update patch --- libsndfile-1.0.25-system-gsm.patch | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libsndfile-1.0.25-system-gsm.patch b/libsndfile-1.0.25-system-gsm.patch index c48f5ee..d6d1b34 100644 --- a/libsndfile-1.0.25-system-gsm.patch +++ b/libsndfile-1.0.25-system-gsm.patch @@ -1,6 +1,6 @@ -diff -up libsndfile-1.0.27/src/gsm610.c.systemgsm libsndfile-1.0.27/src/gsm610.c ---- libsndfile-1.0.27/src/gsm610.c.systemgsm 2016-04-01 23:08:53.000000000 +0200 -+++ libsndfile-1.0.27/src/gsm610.c 2016-11-11 19:12:06.749656521 +0100 +diff -up libsndfile-1.0.28/src/gsm610.c.systemgsm libsndfile-1.0.28/src/gsm610.c +--- libsndfile-1.0.28/src/gsm610.c.systemgsm 2016-09-10 10:08:27.000000000 +0200 ++++ libsndfile-1.0.28/src/gsm610.c 2017-04-11 10:47:40.437162489 +0200 @@ -27,7 +27,7 @@ #include "sfendian.h" #include "common.h" @@ -20,9 +20,9 @@ diff -up libsndfile-1.0.27/src/gsm610.c.systemgsm libsndfile-1.0.27/src/gsm610.c if ((SF_CONTAINER (psf->sf.format)) == SF_FORMAT_WAV || (SF_CONTAINER (psf->sf.format)) == SF_FORMAT_W64) gsm_option (pgsm610->gsm_data, GSM_OPT_WAV49, &true_flag) ; -diff -up libsndfile-1.0.27/src/Makefile.am.systemgsm libsndfile-1.0.27/src/Makefile.am ---- libsndfile-1.0.27/src/Makefile.am.systemgsm 2016-11-11 19:10:05.220551515 +0100 -+++ libsndfile-1.0.27/src/Makefile.am 2016-11-11 19:10:14.315634212 +0100 +diff -up libsndfile-1.0.28/src/Makefile.am.systemgsm libsndfile-1.0.28/src/Makefile.am +--- libsndfile-1.0.28/src/Makefile.am.systemgsm 2017-04-01 09:18:02.000000000 +0200 ++++ libsndfile-1.0.28/src/Makefile.am 2017-04-11 10:48:43.855620172 +0200 @@ -8,7 +8,7 @@ lib_LTLIBRARIES = libsndfile.la include_HEADERS = sndfile.hh nodist_include_HEADERS = sndfile.h 
@@ -32,7 +32,7 @@ diff -up libsndfile-1.0.27/src/Makefile.am.systemgsm libsndfile-1.0.27/src/Makef SYMBOL_FILES = Symbols.gnu-binutils Symbols.darwin libsndfile-1.def Symbols.os2 Symbols.static -@@ -46,7 +46,7 @@ endif +@@ -43,7 +43,7 @@ libsndfile_la_CPPFLAGS = -DSNDFILE_EXPOR libsndfile_la_LDFLAGS = -no-undefined -version-info $(SHARED_VERSION_INFO) $(SHLIB_VERSION_ARG) libsndfile_la_SOURCES = $(FILESPECIFIC) $(noinst_HEADERS) nodist_libsndfile_la_SOURCES = $(nodist_include_HEADERS) @@ -40,8 +40,8 @@ diff -up libsndfile-1.0.27/src/Makefile.am.systemgsm libsndfile-1.0.27/src/Makef +libsndfile_la_LIBADD = -lgsm G72x/libg72x.la ALAC/libalac.la \ libcommon.la $(EXTERNAL_XIPH_LIBS) -lm - libcommon_la_SOURCES = $(COMMON) -@@ -54,12 +54,6 @@ libcommon_la_SOURCES = $(COMMON) + EXTRA_libsndfile_la_DEPENDENCIES = $(SYMBOL_FILES) +@@ -58,12 +58,6 @@ libcommon_la_SOURCES = common.c file_io. #====================================================================== # Subdir libraries. From b6e20e2bf6e25c0ce2039b312fc1c862e528c478 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 11 Apr 2017 14:59:38 +0200 Subject: [PATCH 3/9] revert regressing commit, to get security fix released --- libsndfile.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libsndfile.spec b/libsndfile.spec index 5fd7640..9e92652 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -8,7 +8,7 @@ URL: http://www.mega-nerd.com/libsndfile/ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Patch0: libsndfile-1.0.25-system-gsm.patch Patch1: libsndfile-1.0.25-zerodivfix.patch - +Patch2: revert.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel @@ -55,6 +55,7 @@ This package contains command line utilities for libsndfile. %setup -q %patch0 -p1 -b .systemgsm %patch1 -p1 -b .zerodivfix +%patch2 -p1 -b .revert rm -r src/GSM610 %build From cd35b896cd598e8954f78f4003e910be802417a0 Mon Sep 17 00:00:00 2001 
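Review bot: `Patch2: revert.patch` is declared with no comment saying which 1.0.28 change it backs out or why, and the file name carries no version, component or issue reference like the other patches do, so nothing tells the next maintainer when it can be dropped; add `# backs out the 1.0.28 rf64.c PAD-chunk change (regression; see upstream report) - drop once upstream fixes it` above the line and consider naming the file `libsndfile-1.0.28-rf64-revert.patch` to match the existing convention. The hunk also consumes the blank line that separated the Patch list from the BuildRequires block instead of inserting after it; restoring that blank line keeps the spec's section spacing intact.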
From: Michal Hlavinka Date: Tue, 11 Apr 2017 15:12:28 +0200 Subject: [PATCH 4/9] add missing patch --- revert.patch | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 revert.patch diff --git a/revert.patch b/revert.patch new file mode 100644 index 0000000..fbdd96d --- /dev/null +++ b/revert.patch @@ -0,0 +1,37 @@ +--- libsndfile-1.0.28/src/rf64.c 2017-04-02 09:43:22.000000000 +0200 ++++ libsndfile-1.0.27/src/rf64.c 2016-04-01 23:08:53.000000000 +0200 +@@ -735,25 +734,27 @@ rf64_write_header (SF_PRIVATE *psf, int + + #endif + +- pad_size = psf->dataoffset - 16 - psf->header.indx ; +- if (pad_size >= 0) +- psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ; ++ if (psf->header.indx + 8 < psf->dataoffset) ++ { /* Add PAD data if necessary. */ ++ int k = psf->dataoffset - 16 - psf->header.indx ; ++ psf_binheader_writef (psf, "m4z", PAD_MARKER, k, make_size_t (k)) ; ++ } ; + + if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES)) + psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ; + else + psf_binheader_writef (psf, "m4", data_MARKER, 0xffffffff) ; + +- psf_fwrite (psf->header.ptr, psf->header.indx, 1, psf) ; ++ psf_fwrite (psf->header.ptr, psf->header.indx, 1, psf) ; + if (psf->error) + return psf->error ; + +- if (has_data && psf->dataoffset != psf->header.indx) +- { psf_log_printf (psf, "Oooops : has_data && psf->dataoffset != psf->header.indx\n") ; ++ if (has_data && psf->dataoffset != psf->header.indx) ++ { psf_log_printf (psf, "Oooops : has_data && psf->dataoffset != psf->header.indx\n") ; + return psf->error = SFE_INTERNAL ; + } ; + +- psf->dataoffset = psf->header.indx ; ++ psf->dataoffset = psf->header.indx ; + + if (NOT (has_data)) + psf_fseek (psf, psf->dataoffset, SEEK_SET) ; From 1108fba06f0e3ba00fd852f09e8ee97caf8c2f50 Mon Sep 17 00:00:00 2001 
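Review bot: The reinstated block at the top of the hunk computes `int k = psf->dataoffset - 16 - psf->header.indx` under a guard of only `psf->header.indx + 8 < psf->dataoffset`, so for a gap of 9-15 bytes k is negative and `make_size_t (k)` handed to the "z" conversion becomes a huge zero-fill length; the `pad_size >= 0` test being removed was the only check rejecting that case. If the regression being backed out lies elsewhere in the 1.0.28 change, keep the sign test, `if (k >= 0) psf_binheader_writef (psf, "m4z", PAD_MARKER, k, make_size_t (k)) ;`, rather than restoring the unguarded write; whether that 9-15 byte gap is reachable for the headers this writer emits is not visible here. The patch is a raw diff of two release trees with 1.0.28 on the `---` side and carries no comment naming the regression or the upstream report, so nothing records when it can be dropped; if `pad_size` is still declared earlier in the function it also becomes an unused variable after this revert. rf64_write_header begins and ends outside the hunk.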
From: Michal Hlavinka Date: Mon, 5 Jun 2017 15:48:52 +0200 Subject: [PATCH 5/9] fix flac and pcm buffer overflows (CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365) --- libsndfile-1.0.28-flacbufovfl.patch | 64 +++++++++++++++++++++++++++++ libsndfile.spec | 7 +++- 2 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 libsndfile-1.0.28-flacbufovfl.patch diff --git a/libsndfile-1.0.28-flacbufovfl.patch b/libsndfile-1.0.28-flacbufovfl.patch new file mode 100644 index 0000000..1dc5b57 --- /dev/null +++ b/libsndfile-1.0.28-flacbufovfl.patch 
@@ -0,0 +1,64 @@ +From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo +Date: Wed, 12 Apr 2017 19:45:30 +1000 +Subject: [PATCH] FLAC: Fix a buffer read overrun + +Buffer read overrun occurs when reading a FLAC file that switches +from 2 channels to one channel mid-stream. Only option is to +abort the read. + +Closes: https://github.com/erikd/libsndfile/issues/230 +--- + src/common.h | 1 + + src/flac.c | 13 +++++++++++++ + src/sndfile.c | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/src/common.h b/src/common.h +index 0bd810c3..e2669b6a 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -725,6 +725,7 @@ enum + SFE_FLAC_INIT_DECODER, + SFE_FLAC_LOST_SYNC, + SFE_FLAC_BAD_SAMPLE_RATE, ++ SFE_FLAC_CHANNEL_COUNT_CHANGED, + SFE_FLAC_UNKOWN_ERROR, + + SFE_WVE_NOT_WVE, +diff --git a/src/flac.c b/src/flac.c +index 84de0e26..986a7b8f 100644 +--- a/src/flac.c ++++ b/src/flac.c +@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_ + + switch (metadata->type) + { case FLAC__METADATA_TYPE_STREAMINFO : ++ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels) ++ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n" ++ "Nothing to be but to error out.\n" , ++ psf->sf.channels, metadata->data.stream_info.channels) ; ++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ; ++ return ; ++ } ; ++ ++ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate) ++ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n" ++ "Carrying on as if nothing happened.", ++ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ; ++ } ; + psf->sf.channels = metadata->data.stream_info.channels ; + psf->sf.samplerate = metadata->data.stream_info.sample_rate ; + psf->sf.frames = metadata->data.stream_info.total_samples ; +diff --git a/src/sndfile.c b/src/sndfile.c +index 
41875610..e2a87be8 100644 +--- a/src/sndfile.c ++++ b/src/sndfile.c +@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] = + { SFE_FLAC_INIT_DECODER , "Error : problem with initialization of the flac decoder." }, + { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." }, + { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." }, ++ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." }, + { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." }, + + { SFE_WVE_NOT_WVE , "Error : not a WVE file." }, diff --git a/libsndfile.spec b/libsndfile.spec index 9e92652..a956c65 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -9,6 +9,7 @@ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Patch0: libsndfile-1.0.25-system-gsm.patch Patch1: libsndfile-1.0.25-zerodivfix.patch Patch2: revert.patch +Patch3: libsndfile-1.0.28-flacbufovfl.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel @@ -56,6 +57,7 @@ This package contains command line utilities for libsndfile. %patch0 -p1 -b .systemgsm %patch1 -p1 -b .zerodivfix %patch2 -p1 -b .revert +%patch3 -p1 -b .flacbufovfl rm -r src/GSM610 %build @@ -151,6 +153,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Mon Jun 05 2017 Michal Hlavinka - 1.0.28-2 +- fix flac and pcm buffer overflows (CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365) + * Tue Apr 11 2017 Michal Hlavinka - 1.0.28-1 - updated to 1.0.28 - fix possible buffer overflow when parsing crafted ID3 tags (#1440758, CVE-2017-7586) From 376b103aa2e8180b069c9e50c7c8c79bb517d068 Mon Sep 17 00:00:00 2001 
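Review bot: The new STREAMINFO branch uses `psf->sf.channels > 0` as its "a STREAMINFO block was already seen" sentinel for both the channel and the sample-rate comparison, and nothing in the hunk says so; a comment such as `/* channels > 0 means STREAMINFO was already processed; the decode buffers were presumably sized for that channel count, so a change here is fatal (issue #230) */` would also explain why one mismatch errors out while the other only warns. The error log text `"Nothing to be but to error out.\n"` is garbled and should read `"Nothing to do but error out.\n"`. The callback is void, so after setting `psf->error` it simply returns and leaves `psf->sf.channels` untouched; whether the surrounding read path stops on `psf->error` instead of continuing to hand frames to a buffer sized for the old channel count is not visible in this hunk. sf_flac_meta_callback begins and ends outside the hunk.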
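Review bot: The changelog entry says "fix flac and pcm buffer overflows" and lists four CVEs, but the added patch's diffstat touches only src/common.h, src/flac.c and src/sndfile.c, so a reader looking for a pcm.c change will find none; a comment above `Patch3:` should record the mapping, e.g. `# upstream fd0484ab (issue #230): CVE-2017-8361/8362/8363/8365 - the pcm-side overflow is reached through the FLAC channel-count change, so one fix covers all four`. Whether that single upstream commit is really the complete fix for all four IDs cannot be confirmed from this page and should be cross-checked against the referenced bug reports before the comment asserts it.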
From: Michal Hlavinka Date: Wed, 21 Jun 2017 15:03:53 +0200 Subject: [PATCH 6/9] fix buffer overflow in aiff (CVE-2017-6892,rhbz#1463328) --- libsndfile-1.0.29-cve2017_6892.patch | 25 +++++++++++++++++++++++++ libsndfile.spec | 7 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 libsndfile-1.0.29-cve2017_6892.patch diff --git a/libsndfile-1.0.29-cve2017_6892.patch b/libsndfile-1.0.29-cve2017_6892.patch new file mode 100644 index 0000000..d5ccf72 --- /dev/null +++ b/libsndfile-1.0.29-cve2017_6892.patch @@ -0,0 +1,25 @@ +From f833c53cb596e9e1792949f762e0b33661822748 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo +Date: Tue, 23 May 2017 20:15:24 +1000 +Subject: [PATCH] src/aiff.c: Fix a buffer read overflow + +Secunia Advisory SA76717. + +Found by: Laurent Delosieres, Secunia Research at Flexera Software +--- + src/aiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/aiff.c b/src/aiff.c +index 5b5f9f53..45864b76 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -1759,7 +1759,7 @@ aiff_read_chanmap (SF_PRIVATE * psf, unsigned dword) + psf_binheader_readf (psf, "j", dword - bytesread) ; + + if (map_info->channel_map != NULL) +- { size_t chanmap_size = psf->sf.channels * sizeof (psf->channel_map [0]) ; ++ { size_t chanmap_size = SF_MIN (psf->sf.channels, layout_tag & 0xffff) * sizeof (psf->channel_map [0]) ; + + free (psf->channel_map) ; + diff --git a/libsndfile.spec b/libsndfile.spec index a956c65..5ef482f 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ 
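Review bot: The new bound `SF_MIN (psf->sf.channels, layout_tag & 0xffff)` reads as a magic expression and needs a comment saying why the low 16 bits of layout_tag cap the copy - presumably they carry the channel count the table in map_info was built for, so copying psf->sf.channels entries from a shorter table ran off its end; suggest `/* low 16 bits of layout_tag = channel count the map describes; never copy more entries than it holds (SA76717) */` on the changed line. If layout_tag is an unsigned type, SF_MIN here compares an int with an unsigned value and a negative psf->sf.channels would promote and pick the wrong side; channel validation is likely done before this point but is not visible in the hunk. Likewise a masked count of zero makes chanmap_size 0, so the allocation and copy that follow (outside the hunk) must tolerate a zero-length map. aiff_read_chanmap begins and ends outside the hunk.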
@@ -10,6 +10,7 @@ Patch0: libsndfile-1.0.25-system-gsm.patch Patch1: libsndfile-1.0.25-zerodivfix.patch Patch2: revert.patch Patch3: libsndfile-1.0.28-flacbufovfl.patch +Patch4: libsndfile-1.0.29-cve2017_6892.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel @@ -58,6 +59,7 @@ This package contains command line utilities for libsndfile. %patch1 -p1 -b .zerodivfix %patch2 -p1 -b .revert %patch3 -p1 -b .flacbufovfl +%patch4 -p1 -b .cve2017_6892 rm -r src/GSM610 %build @@ -153,6 +155,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Wed Jun 21 2017 Michal Hlavinka - 1.0.28-3 +- fix buffer overflow in aiff (CVE-2017-6892,rhbz#1463328) + * Mon Jun 05 2017 Michal Hlavinka - 1.0.28-2 - fix flac and pcm buffer overflows (CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365) From 2d9a44de92ddbc99ecbe113f7b2252b72cfc9d58 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 19:44:18 +0000 Subject: [PATCH 7/9] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- libsndfile.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsndfile.spec b/libsndfile.spec index 5ef482f..747b578 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -155,6 +155,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 1.0.28-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Wed Jun 21 2017 Michal Hlavinka - 1.0.28-3 - fix buffer overflow in aiff (CVE-2017-6892,rhbz#1463328) From a97a847564b19c70ad21c21ee77d60608768d523 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Thu, 3 Aug 2017 02:17:48 +0000 Subject: [PATCH 8/9] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- libsndfile.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libsndfile.spec b/libsndfile.spec index 747b578..284c885 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 4%{?dist} +Release: 5%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -155,6 +155,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Thu Aug 03 2017 Fedora Release Engineering - 1.0.28-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 1.0.28-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild From 782f864162aa87a9f90abd5e630f0e3e32ff2aab Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 24 Aug 2017 10:45:56 +0200 Subject: [PATCH 9/9] heap-based Buffer Overflow in psf_binheader_writef function (#1483140, CVE-2017-12562) --- libsndfile-1.0.28-cve2017_12562.patch | 88 +++++++++++++++++++++++++++ libsndfile.spec | 9 ++- 2 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 libsndfile-1.0.28-cve2017_12562.patch diff --git a/libsndfile-1.0.28-cve2017_12562.patch b/libsndfile-1.0.28-cve2017_12562.patch new file mode 100644 index 0000000..f195e87 --- /dev/null +++ b/libsndfile-1.0.28-cve2017_12562.patch 
@@ -0,0 +1,88 @@ +From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= +Date: Wed, 14 Jun 2017 12:25:40 +0200 +Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings + in binheader + +Fixes the following problems: + 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. + 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the + big switch statement by an amount (16 bytes) which is enough for all cases + where only a single value gets added. Cases 's', 'S', 'p' however + additionally write an arbitrary length block of data and again enlarge the + buffer to the required amount. However, the required space calculation does + not take into account the size of the length field which gets output before + the data. + 3. Buffer size requirement calculation in case 'S' does not account for the + padding byte ("size += (size & 1) ;" happens after the calculation which + uses "size"). + 4. Case 'S' can overrun the header buffer by 1 byte when no padding is + involved + ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while + the buffer is only guaranteed to have "size" space available). + 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte + beyond the space which is guaranteed to be allocated in the header buffer. + 6. Case 's' can overrun the provided source string by 1 byte if padding is + involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" + where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, + plus optionally another 1 which is padding and not guaranteed to be + readable via the source string pointer). 
+ +Closes: https://github.com/erikd/libsndfile/issues/292 +--- + src/common.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1a6204ca..6b2a2ee9 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + /* Write a C string (guaranteed to have a zero terminator). */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) + 1 ; +- size += (size & 1) ; + +- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + + if (psf->rwf_endian == SF_ENDIAN_BIG) +- header_put_be_int (psf, size) ; ++ header_put_be_int (psf, size + (size & 1)) ; + else +- header_put_le_int (psf, size) ; ++ header_put_le_int (psf, size + (size & 1)) ; + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; ++ size += (size & 1) ; + psf->header.indx += size ; + psf->header.ptr [psf->header.indx - 1] = 0 ; + count += 4 + size ; +@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) 
+ */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) ; +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + header_put_be_int (psf, size) ; + else + header_put_le_int (psf, size) ; +- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; ++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; + size += (size & 1) ; + psf->header.indx += size ; +- psf->header.ptr [psf->header.indx] = 0 ; + count += 4 + size ; + break ; + +@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + size = (size & 1) ? size : size + 1 ; + size = (size > 254) ? 254 : size ; + +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) + return count ; + + header_put_byte (psf, size) ; diff --git a/libsndfile.spec b/libsndfile.spec index 284c885..67e6fb0 100644 --- a/libsndfile.spec +++ b/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.0.28 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2+ and GPLv2+ and BSD Group: System Environment/Libraries URL: http://www.mega-nerd.com/libsndfile/ @@ -11,6 +11,9 @@ Patch1: libsndfile-1.0.25-zerodivfix.patch Patch2: revert.patch Patch3: libsndfile-1.0.28-flacbufovfl.patch Patch4: libsndfile-1.0.29-cve2017_6892.patch +#libsndfile-1.0.29-cve2017_6892.patch +# from upstream, for <= 1.0.28, rhbz#1483140 +Patch5: libsndfile-1.0.28-cve2017_12562.patch BuildRequires: alsa-lib-devel BuildRequires: flac-devel BuildRequires: libogg-devel 
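Review bot: In case 'S' the new `memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;` silently relies on the source being NUL-terminated: for an odd strlen it copies one byte past the string body, which is the terminator and therefore doubles as the pad byte. That is correct but non-obvious and deserves a comment, e.g. `/* odd length: the extra byte copied is the NUL terminator, which serves as the pad byte */`, given that the mirror-image assumption in case 's' is item 6 of this very commit message. The three capacity checks now repeat `psf->header.indx + N + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, N + size + (size & 1))` with N = 4, 4 and 1; a small static helper taking the length-field width would keep the field size and the padding in one place. That psf_bump_header_allocation returns nonzero on failure, making the caller return count, is inferred from the call shape and not visible here. psf_binheader_writef begins and ends outside the hunk.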
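Review bot: The comment line `#libsndfile-1.0.29-cve2017_6892.patch` added above Patch5 names the previous patch, which is already declared as Patch4 two lines up, and is a copy-paste leftover; drop it and keep only `# from upstream, for <= 1.0.28, rhbz#1483140`, or make it describe this patch: `# CVE-2017-12562: heap overflow in psf_binheader_writef, upstream cf7a8182`. Patch0-Patch4 carry no provenance comments at all; if this convention is being introduced here, the earlier patches would benefit from the same treatment in a follow-up.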
@@ -60,6 +63,7 @@ This package contains command line utilities for libsndfile. %patch2 -p1 -b .revert %patch3 -p1 -b .flacbufovfl %patch4 -p1 -b .cve2017_6892 +%patch5 -p1 -b .cve2017_12562 rm -r src/GSM610 %build @@ -155,6 +159,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Thu Aug 24 2017 Michal Hlavinka - 1.0.28-6 +- heap-based Buffer Overflow in psf_binheader_writef function (#1483140, CVE-2017-12562) + * Thu Aug 03 2017 Fedora Release Engineering - 1.0.28-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild