From 8356ca83948713430d0d2a646e7dbb619bd95a72 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Fri, 23 Jul 2021 15:16:13 +0200
Subject: [PATCH] a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution (#1984320)
---
 libsndfile-1.0.31-deb669ee.patch | 21 +++++++++++++++++++++
 libsndfile.spec | 8 +++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 libsndfile-1.0.31-deb669ee.patch
diff --git a/libsndfile-1.0.31-deb669ee.patch b/libsndfile-1.0.31-deb669ee.patch
new file mode 100644
index 0000000..06c89b4
--- /dev/null
+++ b/libsndfile-1.0.31-deb669ee.patch
@@ -0,0 +1,21 @@
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
diff --git a/libsndfile.spec b/libsndfile.spec
index d3dc258..5e5cb30 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
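Review bot: The two new guards in wavlike_msadpcm_init do not subsume the removed `blockalign < 7 * psf->sf.channels` test: for mono input with samplesperblock == 7, a blockalign of 4 passes both `samplesperblock < 7 * psf->sf.channels` and `2 * blockalign < samplesperblock * psf->sf.channels`, although the removed message itself treats 7 * channels as the per-block header size in bytes that blockalign must cover. Unless the decoder's header reads are bounded by blockalign elsewhere, which is not visible from this hunk, I would keep the original guard ahead of the two new ones rather than drop it. The log message on the second guard prints `samplesperblock * psf->sf.channels / 2`, which rounds down, so when the product is odd it names a minimum that the test still rejects; `(samplesperblock * psf->sf.channels + 1) / 2` matches the condition. The new comment says "7 samples per channel in the preamble" while 7 * channels is a byte count, so a wording such as `/* Each channel's block preamble is 7 bytes (predictor, initial delta, two 16-bit samples) */` would be clearer. wavlike_msadpcm_init continues outside the hunk.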
@@ -1,12 +1,14 @@
 Summary: Library for reading and writing sound files
 Name: libsndfile
 Version: 1.0.31
-Release: 4%{?dist}
+Release: 5%{?dist}%{?dist}
 License: LGPLv2+ and GPLv2+ and BSD
 URL: http://libsndfile.github.io/libsndfile/
 Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
 Patch0: libsndfile-1.0.25-system-gsm.patch
 Patch1: libsndfile-1.0.25-zerodivfix.patch
+# from upstream, fix #1984320=CVE-2021-3246, for <= 1.0.31
+Patch2: libsndfile-1.0.31-deb669ee.patch
 BuildRequires: gcc-c++
 BuildRequires: alsa-lib-devel
 BuildRequires: flac-devel
@@ -58,6 +60,7 @@ This package contains command line utilities for libsndfile.
 rm -r src/GSM610
 # TODO: check if this patch is still needed
 %patch1 -p1 -b .zerodivfix
+%patch2 -p1 -b .deb669ee
 %build
 autoreconf -I M4 -fiv # for system-gsm patch
@@ -149,6 +152,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 %changelog
+* Fri Jul 23 2021 Michal Hlavinka - 1.0.31-5
+- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution (#1984320)
+
 * Thu Jul 22 2021 Fedora Release Engineering - 1.0.31-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
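Review bot: The added `Release: 5%{?dist}%{?dist}` line in the first hunk expands the dist tag twice, giving a release such as 1.0.31-5.fc35.fc35, which looks like a slip while bumping from the removed `Release: 4%{?dist}`; it should read `Release: 5%{?dist}`. The changelog entry in the last hunk already records 1.0.31-5, so nothing else needs to change.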