Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libebml for openSUSE:Factory checked in at 2021-03-02 14:42:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libebml (Old) and /work/SRC/openSUSE:Factory/.libebml.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libebml" Tue Mar 2 14:42:53 2021 rev:49 rq:874592 version:1.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libebml/libebml.changes 2021-01-06 19:55:52.436996060 +0100 +++ /work/SRC/openSUSE:Factory/.libebml.new.2378/libebml.changes 2021-03-02 15:18:48.981684917 +0100 @@ -1,0 +2,7 @@ +Tue Feb 23 11:47:12 UTC 2021 - Dirk M??ller <dmuel...@suse.com> + +- update to 1.4.2: + * Fixed several heap overflow bugs in the `ReadData` functions of + various data type classes. This fixes CVE-2021-3405. + +------------------------------------------------------------------- Old: ---- libebml-1.4.1.tar.xz New: ---- libebml-1.4.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libebml.spec ++++++ --- /var/tmp/diff_new_pack.jJXhwd/_old 2021-03-02 15:18:49.521685269 +0100 +++ /var/tmp/diff_new_pack.jJXhwd/_new 2021-03-02 15:18:49.525685272 +0100 @@ -18,7 +18,7 @@ %define soname 5 Name: libebml -Version: 1.4.1 +Version: 1.4.2 Release: 0 Summary: Library to parse EBML (Extensible Binary Markup Language) files License: LGPL-2.1-or-later ++++++ libebml-1.4.1.tar.xz -> libebml-1.4.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/CMakeLists.txt new/libebml-1.4.2/CMakeLists.txt --- old/libebml-1.4.1/CMakeLists.txt 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/CMakeLists.txt 2021-02-18 12:42:59.000000000 +0100 
@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.1.2)
-project(ebml VERSION 1.4.1)
+project(ebml VERSION 1.4.2)
 option(DISABLE_PKGCONFIG "Disable PkgConfig module generation" OFF)
 option(DISABLE_CMAKE_CONFIG "Disable CMake package config module generation" OFF)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/ChangeLog new/libebml-1.4.2/ChangeLog
--- old/libebml-1.4.1/ChangeLog 2021-01-04 15:18:57.000000000 +0100
+++ new/libebml-1.4.2/ChangeLog 2021-02-18 12:42:59.000000000 +0100
@@ -1,3 +1,10 @@
+2021-02-18 Moritz Bunkus <mo@bunkus.online>
+
+ * Release v1.4.2.
+
+ * Fixed several heap overflow bugs in the `ReadData` functions of
+ various data type classes. This fixes CVE-2021-3405.
+
 2021-01-04 Moritz Bunkus <mo@bunkus.online>
 * Release v1.4.1.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/ebml/EbmlVersion.h new/libebml-1.4.2/ebml/EbmlVersion.h
--- old/libebml-1.4.1/ebml/EbmlVersion.h 2021-01-04 15:18:57.000000000 +0100
+++ new/libebml-1.4.2/ebml/EbmlVersion.h 2021-02-18 12:42:59.000000000 +0100
@@ -42,7 +42,7 @@
 START_LIBEBML_NAMESPACE
-#define LIBEBML_VERSION 0x010401
+#define LIBEBML_VERSION 0x010402
 extern const EBML_DLL_API std::string EbmlCodeVersion;
 extern const EBML_DLL_API std::string EbmlCodeDate;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/libebml.proj new/libebml-1.4.2/libebml.proj
--- old/libebml-1.4.1/libebml.proj 2021-01-04 15:18:57.000000000 +0100
+++ new/libebml-1.4.2/libebml.proj 2021-02-18 12:42:59.000000000 +0100
@@ -13,7 +13,7 @@
 LIB ebml {
- PROJECT_VERSION 1.4.1
+ PROJECT_VERSION 1.4.2
 USE libebml_coremake_automake INCLUDE .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlBinary.cpp new/libebml-1.4.2/src/EbmlBinary.cpp
--- old/libebml-1.4.1/src/EbmlBinary.cpp 2021-01-04 15:18:57.000000000 +0100
+++ new/libebml-1.4.2/src/EbmlBinary.cpp 2021-02-18 12:42:59.000000000 +0100
@@ -97,7 +97,7 @@
 return 0;
 }
- Data = static_cast<binary *>(malloc(GetSize()));
+ Data = (GetSize() < SIZE_MAX) ? static_cast<binary *>(malloc(GetSize())) : nullptr;
 if (Data == nullptr) throw CRTError(std::string("Error allocating data"));
 SetValueIsSet();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlCrc32.cpp new/libebml-1.4.2/src/EbmlCrc32.cpp
--- old/libebml-1.4.1/src/EbmlCrc32.cpp 2021-01-04 15:18:57.000000000 +0100
+++ new/libebml-1.4.2/src/EbmlCrc32.cpp 2021-02-18 12:42:59.000000000 +0100
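Review bot: The `GetSize() < SIZE_MAX` guard on the new `Data =` line in EbmlBinary.cpp only rejects a size that would be narrowed when handed to `malloc`, which matters where GetSize() is wider than size_t (32-bit builds); on 64-bit targets the comparison is effectively always true, so a crafted element can still demand an arbitrarily large allocation and the only backstop is `malloc` returning nullptr and the `CRTError` throw that follows. If the IOCallback can report the remaining input length, bounding GetSize() against it would be the stronger check; failing that, state the intent in place: `// Refuse sizes that would wrap when narrowed to size_t; allocation failure still throws below`. `SIZE_MAX` requires `<cstdint>`, which is not visible in this hunk, so confirm it is included. The enclosing function begins and ends outside the hunk, so the read that fills Data cannot be reviewed here.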
@@ -232,20 +232,18 @@ filepos_t EbmlCrc32::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - auto Buffer = new (std::nothrow) binary[GetSize()]; - if (Buffer == nullptr) { - // impossible to read, skip it - input.setFilePointer(GetSize(), seek_current); - } else { - input.readFully(Buffer, GetSize()); + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); - memcpy((void *)&m_crc_final, Buffer, 4); - delete [] Buffer; - SetValueIsSet(); - } + if (GetSize() != 4) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + return GetSize(); } + input.readFully(&m_crc_final, GetSize()); + SetValueIsSet(); + return GetSize(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlDate.cpp new/libebml-1.4.2/src/EbmlDate.cpp --- old/libebml-1.4.1/src/EbmlDate.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlDate.cpp 2021-02-18 12:42:59.000000000 +0100 @@ -51,6 +51,12 @@ return GetSize(); assert(GetSize() == 8); + if (GetSize() != 8) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + return GetSize(); + } + binary Buffer[8]; input.readFully(Buffer, GetSize()); @@ -59,7 +65,6 @@ myDate = b64; SetValueIsSet(); - return GetSize(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlFloat.cpp new/libebml-1.4.2/src/EbmlFloat.cpp --- old/libebml-1.4.1/src/EbmlFloat.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlFloat.cpp 2021-02-18 12:42:59.000000000 +0100 
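Review bot: The new `if (GetSize() != 4)` path in EbmlCrc32::ReadData drops a malformed CRC element silently — the stream position is advanced past it, but the value is never marked set and nothing is reported — and the `// impossible to read, skip it` comment, inherited from the old allocation-failure branch, no longer explains why. Suggest replacing it with `// Only a 4-byte payload is accepted; any other size is malformed and is skipped unread, leaving the value unset`. The direct `readFully(&m_crc_final, GetSize())` keeps the file's byte order in memory exactly as the old memcpy did, so behaviour is unchanged, but that is worth a word wherever m_crc_final is later compared.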
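Review bot: In EbmlDate::ReadData the pre-existing `assert(GetSize() == 8);` still sits directly above the new `if (GetSize() != 8)` guard, so in builds with assertions enabled a wrong-sized element aborts the process before the skip path can run — the size comes from the file, not from a programming invariant, so it should not be asserted. Remove the assert and keep only the runtime check, with a comment such as `// Malformed size from the input: skip the payload unread and leave the value unset`. The function's opening lines are outside this hunk.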
@@ -112,28 +112,35 @@ */ filepos_t EbmlFloat::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - binary Buffer[20]; - assert(GetSize() <= 20); - input.readFully(Buffer, GetSize()); + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); - if (GetSize() == 4) { - big_int32 TmpRead; - TmpRead.Eval(Buffer); - auto tmpp = int32(TmpRead); - float val; - memcpy(&val, &tmpp, 4); - Value = static_cast<double>(val); - SetValueIsSet(); - } else if (GetSize() == 8) { - big_int64 TmpRead; - TmpRead.Eval(Buffer); - auto tmpp = int64(TmpRead); - double val; - memcpy(&val, &tmpp, 8); - Value = val; - SetValueIsSet(); - } + assert(GetSize() == 4 || GetSize() == 8); + if (GetSize() != 4 && GetSize() != 8) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + return GetSize(); + } + + binary Buffer[8]; + input.readFully(Buffer, GetSize()); + + if (GetSize() == 4) { + big_int32 TmpRead; + TmpRead.Eval(Buffer); + auto tmpp = int32(TmpRead); + float val; + memcpy(&val, &tmpp, 4); + Value = static_cast<double>(val); + SetValueIsSet(); + } else { + big_int64 TmpRead; + TmpRead.Eval(Buffer); + auto tmpp = int64(TmpRead); + double val; + memcpy(&val, &tmpp, 8); + Value = val; + SetValueIsSet(); } return GetSize(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlSInteger.cpp new/libebml-1.4.2/src/EbmlSInteger.cpp --- old/libebml-1.4.1/src/EbmlSInteger.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlSInteger.cpp 2021-02-18 12:42:59.000000000 +0100 
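Review bot: The added `assert(GetSize() == 4 || GetSize() == 8);` placed just before the runtime guard turns a malformed float element into an abort in assertion-enabled builds, which is precisely the input the guard was introduced to tolerate; delete the assert and rely on the `if` that follows it. The `// impossible to read, skip it` comment could also say what the skip leaves behind: `// EBML floats are 4 or 8 bytes; skip anything else unread and leave Value unset`. Shrinking `Buffer` from 20 to 8 bytes is consistent with the two sizes now admitted, so `readFully` can no longer overrun it.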
@@ -133,22 +133,28 @@ filepos_t EbmlSInteger::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - binary Buffer[8]; - input.readFully(Buffer, GetSize()); + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); - uint64 TempValue = Buffer[0] & 0x80 ? std::numeric_limits<uint64>::max() : 0; + if (GetSize() > 8) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + return GetSize(); + } - for (unsigned int i=0; i<GetSize(); i++) { - TempValue <<= 8; - TempValue |= Buffer[i]; - } + binary Buffer[8]; + input.readFully(Buffer, GetSize()); - Value = ToSigned(TempValue); + uint64 TempValue = Buffer[0] & 0x80 ? std::numeric_limits<uint64>::max() : 0; - SetValueIsSet(); + for (unsigned int i=0; i<GetSize(); i++) { + TempValue <<= 8; + TempValue |= Buffer[i]; } + Value = ToSigned(TempValue); + + SetValueIsSet(); return GetSize(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlString.cpp new/libebml-1.4.2/src/EbmlString.cpp --- old/libebml-1.4.1/src/EbmlString.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlString.cpp 2021-02-18 12:42:59.000000000 +0100 
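Review bot: With GetSize() == 0 the rewritten EbmlSInteger::ReadData still evaluates `Buffer[0] & 0x80` on an uninitialized local: the `GetSize() > 8` guard admits zero, `readFully(Buffer, 0)` writes nothing, and the sign-extension fill then depends on stack garbage — undefined behaviour and a Value that varies from run to run. Zero-initialize the buffer, `binary Buffer[8] = {};`, so an empty element decodes deterministically as 0, or handle the zero-size case explicitly before the read. The defect predates this patch, but the rewrite is the natural place to close it.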
@@ -137,24 +137,25 @@ filepos_t EbmlString::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - if (GetSize() == 0) { - Value = ""; - SetValueIsSet(); + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); + + if (GetSize() == 0) { + Value = ""; + SetValueIsSet(); + } else { + auto Buffer = (GetSize() + 1 < std::numeric_limits<std::size_t>::max()) ? new (std::nothrow) char[GetSize() + 1] : nullptr; + if (Buffer == nullptr) { + // unable to store the data, skip it + input.setFilePointer(GetSize(), seek_current); } else { - auto Buffer = new (std::nothrow) char[GetSize() + 1]; - if (Buffer == nullptr) { - // unable to store the data, skip it - input.setFilePointer(GetSize(), seek_current); - } else { - input.readFully(Buffer, GetSize()); - if (Buffer[GetSize()-1] != '\0') { - Buffer[GetSize()] = '\0'; - } - Value = Buffer; - delete [] Buffer; - SetValueIsSet(); + input.readFully(Buffer, GetSize()); + if (Buffer[GetSize()-1] != '\0') { + Buffer[GetSize()] = '\0'; } + Value = Buffer; + delete [] Buffer; + SetValueIsSet(); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlUInteger.cpp new/libebml-1.4.2/src/EbmlUInteger.cpp --- old/libebml-1.4.1/src/EbmlUInteger.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlUInteger.cpp 2021-02-18 12:42:59.000000000 +0100 
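Review bot: The new guard `GetSize() + 1 < std::numeric_limits<std::size_t>::max()` adds before it compares, so if GetSize() can ever hold the all-ones value the sum wraps to 0, the check passes, `new char[0 + 1]` succeeds and `readFully(Buffer, GetSize())` overruns a one-byte buffer. Whether that size is reachable depends on how the size field is decoded, which is outside this hunk, but the wrap-free form costs nothing: `auto Buffer = (GetSize() < std::numeric_limits<std::size_t>::max() - 1) ? new (std::nothrow) char[GetSize() + 1] : nullptr;`. Like the other guards in this release, this only prevents narrowing; a large but representable size still forces an allocation of that size, so a cap against the remaining input length would be the stronger check.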
@@ -127,18 +127,25 @@ filepos_t EbmlUInteger::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - binary Buffer[8]; - input.readFully(Buffer, GetSize()); - Value = 0; + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); - for (unsigned int i=0; i<GetSize(); i++) { - Value <<= 8; - Value |= Buffer[i]; - } - SetValueIsSet(); + if (GetSize() > 8) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + return GetSize(); } + binary Buffer[8]; + input.readFully(Buffer, GetSize()); + Value = 0; + + for (unsigned int i=0; i<GetSize(); i++) { + Value <<= 8; + Value |= Buffer[i]; + } + SetValueIsSet(); + return GetSize(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlUnicodeString.cpp new/libebml-1.4.2/src/EbmlUnicodeString.cpp --- old/libebml-1.4.1/src/EbmlUnicodeString.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlUnicodeString.cpp 2021-02-18 12:42:59.000000000 +0100 
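Review bot: The skip path introduced by `if (GetSize() > 8)` in EbmlUInteger::ReadData advances the stream past the element while leaving it without a value, and the only explanation is the generic `// impossible to read, skip it`; callers that test whether the value was set would benefit from a comment stating that outcome, e.g. `// Unsigned integers are at most 8 bytes; a longer payload is malformed, so skip it unread and do not mark the value set`. A zero-length element is accepted and decodes to 0 through `Value = 0` and the empty loop, which deserves a word as well so nobody "fixes" it into the skip path.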
@@ -302,25 +302,26 @@ */ filepos_t EbmlUnicodeString::ReadData(IOCallback & input, ScopeMode ReadFully) { - if (ReadFully != SCOPE_NO_DATA) { - if (GetSize() == 0) { - Value = UTFstring::value_type(0); - SetValueIsSet(); - } else { - auto Buffer = new (std::nothrow) char[GetSize()+1]; - if (Buffer == nullptr) { - // impossible to read, skip it - input.setFilePointer(GetSize(), seek_current); - } else { - input.readFully(Buffer, GetSize()); - if (Buffer[GetSize()-1] != 0) { - Buffer[GetSize()] = 0; - } + if (ReadFully == SCOPE_NO_DATA) + return GetSize(); - Value.SetUTF8(Buffer); // implicit conversion to std::string - delete [] Buffer; - SetValueIsSet(); + if (GetSize() == 0) { + Value = UTFstring::value_type(0); + SetValueIsSet(); + } else { + auto Buffer = (GetSize() + 1 < std::numeric_limits<std::size_t>::max()) ? new (std::nothrow) char[GetSize()+1] : nullptr; + if (Buffer == nullptr) { + // impossible to read, skip it + input.setFilePointer(GetSize(), seek_current); + } else { + input.readFully(Buffer, GetSize()); + if (Buffer[GetSize()-1] != 0) { + Buffer[GetSize()] = 0; } + + Value.SetUTF8(Buffer); // implicit conversion to std::string + delete [] Buffer; + SetValueIsSet(); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.1/src/EbmlVersion.cpp new/libebml-1.4.2/src/EbmlVersion.cpp --- old/libebml-1.4.1/src/EbmlVersion.cpp 2021-01-04 15:18:57.000000000 +0100 +++ new/libebml-1.4.2/src/EbmlVersion.cpp 2021-02-18 12:42:59.000000000 +0100 @@ -38,7 +38,7 @@ START_LIBEBML_NAMESPACE -const std::string EbmlCodeVersion = "1.4.1"; +const std::string EbmlCodeVersion = "1.4.2"; // Up to version 1.3.3 this library exported a build date string. As // this made the build non-reproducible, replace it by a placeholder to
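Review bot: The guard `GetSize() + 1 < std::numeric_limits<std::size_t>::max()` in EbmlUnicodeString::ReadData performs the addition first, so an all-ones size would wrap to 0, pass the check, and `readFully(Buffer, GetSize())` would then write past a one-byte allocation; write it as `GetSize() < std::numeric_limits<std::size_t>::max() - 1` to keep the comparison wrap-free. Whether such a size can reach this function depends on the size decoding outside this hunk. Separately, `Value.SetUTF8(Buffer)` goes through a `const char*` conversion, so an embedded NUL silently truncates the string — pre-existing, but a comment (`// converts as a C string: anything after an embedded NUL is dropped`) would spare the next reader the surprise.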