Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package gpac Moritz has kindly pointed out and backported the relevant patches from upstream that fixes this issue. Here is the relevant part of debian/changelog: * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks to Salvatore Bonaccorso (Closes: #926961). * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message() in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963). unblock gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5 Thanks for considering. -rt
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2019-04-01 17:07:02.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2019-04-13 16:41:15.000000000 -0400
@@ -1,3 +1,13 @@
+gpac (0.5.2-426-gc5ad4e4+dfsg5-5) unstable; urgency=medium
+
+ [ Moritz Muehlenhoff ]
+ * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
+ to Salvatore Bonaccorso (Closes: #926961).
+ * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
+ in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
+
+ -- Reinhard Tartler <siret...@tauware.de> Sat, 13 Apr 2019 16:41:15 -0400
+
 gpac (0.5.2-426-gc5ad4e4+dfsg5-4.1) unstable; urgency=medium

 * CVE-2018-7752 (Closes: #892526)
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch 1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch 2019-04-13 16:41:15.000000000 -0400
@@ -0,0 +1,180 @@
+From f4616202e5578e65746cf7e7ceeba63bee1b094b Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.da...@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:18:58 +0200
+Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf
+
+closes #1203
+---
+ applications/mp4client/main.c | 2 +-
+ applications/osmo4_sym/osmo4_view.cpp | 2 +-
+ src/media_tools/media_export.c | 2 +-
+ src/media_tools/media_import.c | 2 +-
+ src/scene_manager/loader_bt.c | 4 ++--
+ src/scene_manager/loader_isom.c | 2 +-
+ src/scene_manager/loader_qt.c | 2 +-
+ src/scene_manager/loader_svg.c | 8 ++++----
+ src/scene_manager/loader_xmt.c | 14 +++++++-------
+ src/scene_manager/swf_parse.c | 6 +++---
+ src/scene_manager/swf_svg.c | 2 +-
+ src/scenegraph/xbl_process.c | 2 +-
+ src/utils/alloc.c | 2 +-
+ src/utils/xml_parser.c | 24 +++++++++++++-----------
+ 15 files changed, 49 insertions(+), 47 deletions(-)
+
+--- a/applications/mp4client/main.c
++++ b/applications/mp4client/main.c
+@@ -1023,7 +1023,7 @@ static void on_gpac_log(void *cbk, u32 l
+
+ if (rti_logs && (lm & GF_LOG_RTI)) {
+ char szMsg[2048];
+- vsprintf(szMsg, fmt, list);
++ vsnprintf(szMsg, 2048, fmt, list);
+ UpdateRTInfo(szMsg + 6 /*"[RTI] "*/);
+ } else {
+ if (log_time_start) {
+--- a/src/media_tools/media_export.c
++++ b/src/media_tools/media_export.c
+@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_Media
+ va_list args;
+ char szMsg[1024];
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 1024, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) );
+ }
+--- a/src/media_tools/media_import.c
++++ b/src/media_tools/media_import.c
+@@ -50,7 +50,7 @@ GF_Err gf_import_message(GF_MediaImporte
+ va_list args;
+ char szMsg[1024];
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 1024, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ?
GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) );
+ }
+--- a/src/scene_manager/loader_bt.c
++++ b/src/scene_manager/loader_bt.c
+@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *
+ char szMsg[2048];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 2048, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line));
+ }
+--- a/src/scene_manager/loader_isom.c
++++ b/src/scene_manager/loader_isom.c
+@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *l
+ char szMsg[1024];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 1024, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) );
+ }
+--- a/src/scene_manager/loader_qt.c
++++ b/src/scene_manager/loader_qt.c
+@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoade
+ char szMsg[1024];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 1024, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) );
+ }
+--- a/src/scene_manager/loader_svg.c
++++ b/src/scene_manager/loader_svg.c
+@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *
+ char szMsg[2048];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 2048, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ?
GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
+ }
+--- a/src/scene_manager/loader_xmt.c
++++ b/src/scene_manager/loader_xmt.c
+@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *p
+ char szMsg[2048];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 2048, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) );
+ }
+--- a/src/scene_manager/swf_parse.c
++++ b/src/scene_manager/swf_parse.c
+@@ -2410,7 +2410,7 @@ void swf_report(SWFReader *read, GF_Err
+ char szMsg[2048];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 2048, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) );
+ }
+--- a/src/scene_manager/swf_svg.c
++++ b/src/scene_manager/swf_svg.c
+@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *rea
+
+ /* print the line */
+ va_start(args, format);
+- vsprintf(line, format, args);
++ vsnprintf(line, 2000, format, args);
+ va_end(args);
+ /* add the line to the buffer */
+ line_length = (u32)strlen(line);
+--- a/src/scenegraph/xbl_process.c
++++ b/src/scenegraph/xbl_process.c
+@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Pa
+ char szMsg[2048];
+ va_list args;
+ va_start(args, format);
+- vsprintf(szMsg, format, args);
++ vsnprintf(szMsg, 2048, format, args);
+ va_end(args);
+ GF_LOG((u32) (e ?
GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
+ }
+--- a/src/utils/alloc.c
++++ b/src/utils/alloc.c
+@@ -658,7 +658,7 @@ static void gf_memory_log(unsigned int l
+ char msg[1024];
+ assert(strlen(fmt) < 200);
+ va_start(vl, fmt);
+- vsprintf(msg, fmt, vl);
++ vsnprintf(msg, 1024, fmt, vl);
+ GF_LOG(level, GF_LOG_MEMORY, (msg));
+ va_end(vl);
+ }
+--- a/src/utils/xml_parser.c
++++ b/src/utils/xml_parser.c
+@@ -218,14 +218,16 @@ static void format_sax_error(GF_SAXParse
+ char szM[20];
+
+ va_start(args, fmt);
+- vsprintf(parser->err_msg, fmt, args);
++ vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args);
+ va_end(args);
+
+- sprintf(szM, " - Line %d: ", parser->line + 1);
+- strcat(parser->err_msg, szM);
+- len = (u32) strlen(parser->err_msg);
+- strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
+- parser->err_msg[len + 10] = 0;
++ if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) {
++ snprintf(szM, 20, " - Line %d: ", parser->line + 1);
++ strcat(parser->err_msg, szM);
++ len = (u32) strlen(parser->err_msg);
++ strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
++ parser->err_msg[len + 10] = 0;
++ }
+ parser->sax_state = SAX_STATE_SYNTAX_ERROR;
+ }
+
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch 1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch 2019-04-13 16:41:15.000000000 -0400
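Review bot: The diffstat carried in the header of CVE-2019-11221.patch no longer matches its body: it lists 15 files, including `applications/osmo4_sym/osmo4_view.cpp`, and for example 14 changed lines in `loader_xmt.c`, 8 in `loader_svg.c` and 6 in `swf_parse.c`, while the body holds a single one-line hunk for each of 13 files. If the other upstream hunks were dropped because they did not apply to this snapshot, equivalent unbounded calls may still be present in the Debian tree; running `grep -rnw vsprintf src applications` over the patched source would show whether any remain. Refreshing the header when the patch is regenerated would keep the record accurate.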
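Review bot: In gf_memory_log (src/utils/alloc.c) the now-bounded buffer is still handed to the logger as the format itself, `GF_LOG(level, GF_LOG_MEMORY, (msg));`, so any `%` left in `msg` after expansion would be interpreted a second time if GF_LOG forwards its third argument to a printf-style function, as the `("%s\n", szMsg)` call sites elsewhere in this patch suggest. Passing the text as data avoids that: `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));`. The literal `1024` would also be safer written as `sizeof(msg)`, so the bound cannot drift from the declaration two lines above; the same applies to the `2048`/`1024`/`2000` literals in the other hunks, and for `swf_svg.c` the declaration of `line` is outside the hunk, so the 2000 cannot be checked here.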
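Review bot: format_sax_error (src/utils/xml_parser.c) now silently drops the line number and the 10-character context whenever the formatted message comes within 30 bytes of the buffer size, and it still builds the suffix with `strcat` and `strncpy` behind a hand-computed margin. A single bounded append gives the same text without the magic 30 or the `szM` scratch buffer: `len = (u32) strlen(parser->err_msg);` followed by `snprintf(parser->err_msg + len, ARRAY_LENGTH(parser->err_msg) - len, " - Line %d: %.10s", parser->line + 1, parser->buffer + (linepos ? linepos : parser->current_pos));`. ARRAY_LENGTH is not defined by this patch, so it is worth confirming that the 0.5.2 snapshot already provides it and that `err_msg` is a true array rather than a pointer; its declaration is outside the hunk.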
@@ -0,0 +1,25 @@
+From f36525c5beafb78959c3a07d6622c9028de348da Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.da...@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:54:53 +0200
+Subject: [PATCH] fix buffer overrun in gf_bin128_parse
+
+closes #1204
+closes #1205
+---
+ src/utils/os_divers.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/utils/os_divers.c
++++ b/src/utils/os_divers.c
+@@ -1958,6 +1958,11 @@ GF_Err gf_bin128_parse(char *string, bin
+ sscanf(szV, "%x", &v);
+ value[i] = v;
+ i++;
++ if (i > 15) {
++ // force error check below
++ i++;
++ break;
++ }
+ }
+ }
+ if (i != 16) {
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-04-01 17:06:55.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-04-13 16:41:15.000000000 -0400
@@ -11,3 +11,5 @@
 CVE-2018-20760.patch
 CVE-2018-20761_CVE-2018-20762.patch
 CVE-2018-20763.patch
+CVE-2019-11221.patch
+CVE-2019-11222.patch

-- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
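Review bot: The new guard in gf_bin128_parse (src/utils/os_divers.c) runs after `value[i] = v; i++;`, so a well-formed 16-byte value trips it too: once the sixteenth byte is stored `i` is 16, the guard bumps it to 17, and the `if (i != 16)` check right after the loop then takes the error path. The out-of-bounds write is stopped, but valid input appears to be rejected as well; the loop header is outside the hunk, so this should be confirmed with a 32-hex-digit test value. Placing the guard ahead of the store keeps both properties: `if (i > 15) { i++; break; }` immediately before `value[i] = v;`. The return value of `sscanf(szV, "%x", &v)` is also unchecked, so `v` may be stored without having been set when the two characters are not hex digits.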