commit: d2261786b3997b6ce70aae655928c625abc305f3 Author: John Helmert III <jchelmert3 <AT> posteo <DOT> net> AuthorDate: Mon Jul 6 03:38:48 2020 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sun Jul 19 23:38:33 2020 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2261786
media-sound/milkytracker: Add 1.02.00 (security) Bug: https://bugs.gentoo.org/711280 Closes: https://bugs.gentoo.org/711564 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: John Helmert III <jchelmert3 <AT> posteo.net> Signed-off-by: Sam James <sam <AT> gentoo.org> media-sound/milkytracker/Manifest | 2 + .../milkytracker-1.02.00-CVE-2019-14464.patch | 26 ++++++ .../milkytracker-1.02.00-CVE-2019-1449x.patch | 104 +++++++++++++++++++++ .../milkytracker-1.02.00-CVE-2020-15569.patch | 35 +++++++ .../milkytracker/milkytracker-1.02.00.ebuild | 53 +++++++++++ 5 files changed, 220 insertions(+)
diff --git a/media-sound/milkytracker/Manifest b/media-sound/milkytracker/Manifest
index 1400b0f2a7e..34a0214ebc1 100644
--- a/media-sound/milkytracker/Manifest
+++ b/media-sound/milkytracker/Manifest
@@ -1 +1,3 @@
 DIST milkytracker-1.0.0.tar.gz 3749140 BLAKE2B 5bf1e374c8d51e7f65a222c46b4cb3e26dd88ba5be304af540d3af4f5123179a2496d0b5eb87021d2dc0f12e7fab3f55e9ad06573aa5fb3a8842d9b743e6c948 SHA512 a96e8b015a4e3b38f3ad44756fc79cb062f91ab193b7428a6abde042aa4e51c8fb45757cba0504283410d714eefffdee57d3e3bf42e7991d1f9581ab8d2ab1c4
+DIST milkytracker-1.02.00-cmake.patch 40073 BLAKE2B cef8fc7efff9324c1d628026d650c79e11950b53481686e5dd35ace483839fbdd6b2b1f8ccce2f688beec2c7c28b0fe3b60d0e8d540d6cd163927f4bacf9d396 SHA512 bd4ca0d092229722ca81addaf9eec3ff1b176061da7b44fe3f02fbe020c3820778ed973dde95588b4c9f918728e2c69c24ac23083a2f48c0cbad2e854eeff5ba
+DIST milkytracker-1.02.00.tar.gz 3753882 BLAKE2B e9bb4341e016d2a9c518835e8b4620f748da60bca7205302e7500f14f3294e7fa9a20fef203226fffbe22a11a3b4978ea928f0f544eb70e99b5998ecc7c45611 SHA512 479a7b3198d97c68dca4fa772a2aa64d7f740957f5d8038fabfb303e724c85aec0865746a0a5c3ef6b9599b78892dcda22727ab2bb80ae38764bcf81b249e134
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
new file mode 100644
index 00000000000..d59522d6d1d
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
@@ -0,0 +1,26 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+
+commit fd607a3439fcdd0992e5efded3c16fc79c804e34
+Author: Christopher O'Neill <c...@chrisoneill.co.uk>
+Date: Tue Jul 30 19:11:58 2019 +0100
+
+ Fix #184: Heap overflow in S3M loader
+
+diff --git a/src/milkyplay/LoaderS3M.cpp b/src/milkyplay/LoaderS3M.cpp
+index 5abf211..edf0fd5 100644
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@ mp_sint32 LoaderS3M::load(XMFileBase& f, XModule* module)
+ return MP_OUT_OF_MEMORY;
+
+ header->insnum = f.readWord(); // number of instruments
+- header->patnum = f.readWord(); // number of patterns
++ if (header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
++ header->patnum = f.readWord(); // number of patterns
++ if (header->patnum > 256)
++ return MP_LOADER_FAILED;
+
+ mp_sint32 flags = f.readWord(); // st3 flags
+
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
new file mode 100644
index 00000000000..0560cd2b825
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
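Review bot: In the LoaderS3M.cpp hunk of the CVE-2019-14464 patch, the added `insnum` check uses `MP_MAXINS`, which this patch does not define; the only visible definition is the `#define MP_MAXINS 255` that the separate CVE-2019-1449x patch adds to XModule.h, so the two patches appear to build only together. A line in this patch's header such as `Requires milkytracker-1.02.00-CVE-2019-1449x.patch (defines MP_MAXINS)` would keep a later maintainer from dropping one without the other. The `patnum` bound is the bare literal `256` where the sibling patch introduces named limits; a named constant next to `MP_MAXORDERS` would make the loaders easier to audit together. Both new early returns follow an allocation check (`return MP_OUT_OF_MEMORY`), and the rest of `LoaderS3M::load` lies outside the hunk, so whether the `MP_LOADER_FAILED` paths release what was allocated cannot be confirmed from here.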
@@ -0,0 +1,104 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+
+commit ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Author: Christopher O'Neill <c...@chrisoneill.co.uk>
+Date: Tue Jul 30 18:40:03 2019 +0100
+
+ Fixes for buffer overflow issues #182 & #183
+
+diff --git a/src/milkyplay/LoaderXM.cpp b/src/milkyplay/LoaderXM.cpp
+index 108d915..f87f5c1 100644
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@ const char* LoaderXM::identifyModule(const mp_ubyte* buffer)
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ mp_ubyte insData[230];
+- mp_sint32 smpReloc[96];
+- mp_ubyte nbu[96];
++ mp_sint32 smpReloc[MP_MAXINSSAMPS];
++ mp_ubyte nbu[MP_MAXINSSAMPS];
+ mp_uint32 fileSize = 0;
+
+ module->cleanUp();
+@@ -117,6 +117,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ memcpy(header->ord, hdrBuff+16, 256);
+ if(header->ordnum > MP_MAXORDERS)
+ header->ordnum = MP_MAXORDERS;
++ if(header->insnum > MP_MAXINS)
++ return MP_LOADER_FAILED;
+
+ delete[] hdrBuff;
+
+@@ -143,7 +145,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ f.read(&instr[y].type,1,1);
+ mp_uword numSamples = 0;
+ f.readWords(&numSamples,1);
+- if(numSamples > 96)
++ if(numSamples > MP_MAXINSSAMPS)
+ return MP_LOADER_FAILED;
+ instr[y].samp = numSamples;
+
+@@ -169,8 +171,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ if (instr[y].samp) {
+ mp_ubyte* insDataPtr = insData;
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -285,7 +287,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+@@ -491,6 +493,8 @@ mp_sint32
LoaderXM::load(XMFileBase& f, XModule* module)
+ f.read(&instr[y].type,1,1);
+ f.readWords(&instr[y].samp,1);
+ }
++ if (instr[y].samp > MP_MAXINSSAMPS)
++ return MP_LOADER_FAILED;
+
+ //printf("%i, %i\n", instr[y].size, instr[y].samp);
+
+@@ -532,8 +536,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ //f.read(&nbu,1,96);
+
+- memcpy(nbu, insDataPtr, 96);
+- insDataPtr+=96;
++ memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++ insDataPtr+=MP_MAXINSSAMPS;
+
+ TEnvelope venv;
+ TEnvelope penv;
+@@ -650,7 +654,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+
+ instr[y].samp = g;
+
+- for (sc = 0; sc < 96; sc++) {
++ for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ if (smpReloc[nbu[sc]] == -1)
+ instr[y].snum[sc] = -1;
+ else
+diff --git a/src/milkyplay/XModule.h b/src/milkyplay/XModule.h
+index f42d04b..4f04a2d 100644
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+
+ struct TXMHeader
+ {
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
new file mode 100644
index 00000000000..59c2f9942ae
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
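Review bot: In the LoaderXM.cpp part of the CVE-2019-1449x patch, `smpReloc[nbu[sc]]` in the loops at `@@ -285` and `@@ -650` still indexes a `MP_MAXINSSAMPS`-element array with an `mp_ubyte` copied out of `insData`, so a byte value from 96 to 255 would read past `smpReloc`; the patch renames the bound but adds no range check on the index. Unless `nbu` is validated in code outside these hunks (and `insData` is presumably filled from the module file), the condition should become `if (nbu[sc] >= MP_MAXINSSAMPS || smpReloc[nbu[sc]] == -1)` in both places. Separately, the new `insnum` check at `@@ -117` returns before the `delete[] hdrBuff;` that follows it, so the rejected-file path appears to leak the header buffer; placing the check after the `delete[]` avoids that. `LoaderXM::load` extends well beyond every hunk shown, so cleanup done elsewhere is not visible.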
@@ -0,0 +1,35 @@
+Fix is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf
+
+Gentoo Bug: https://bugs.gentoo.org/711280
+
+commit 7afd55c42ad80d01a339197a2d8b5461d214edaf
+Author: Jeremy Clarke <gecko...@gmail.com>
+Date: Mon Apr 13 23:53:51 2020 +0100
+
+ Fix use-after-free in PlayerGeneric destructor
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+
+ PlayerGeneric::~PlayerGeneric()
+ {
+- if (mixer)
+- delete mixer;
+
+ if (player)
+ {
+- if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++ if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ mixer->removeDevice(player);
+ delete player;
+ }
++
++ if (mixer)
++ delete mixer;
+
+ delete[] audioDriverName;
+
diff --git a/media-sound/milkytracker/milkytracker-1.02.00.ebuild b/media-sound/milkytracker/milkytracker-1.02.00.ebuild
new file mode 100644
index 00000000000..d9dc64d7f6e
--- /dev/null
+++ b/media-sound/milkytracker/milkytracker-1.02.00.ebuild
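Review bot: Nothing in the reordered `PlayerGeneric::~PlayerGeneric()` records why `mixer` has to outlive `player`, which is the entire fix in the CVE-2020-15569 patch. A comment above the `if (player)` block, for example `// player may still be registered with mixer: detach and delete it before the mixer is destroyed`, would keep the statements from being reordered back later. The `mixer &&` test before `isActive()` is needed, but the `if (mixer)` guard around `delete mixer;` is redundant because deleting a null pointer is a no-op. The destructor continues past `delete[] audioDriverName;` outside the hunk.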
@@ -0,0 +1,53 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake desktop
+
+# This commit is needed so the milkytrace binary is linked properly, bug 711564
+# It is also ~40kb so it is better to fetch it rather than ship it in-tree
+COMMIT="2b145b074581ddf3b4ad78a402cdf5fab500b125"
+
+DESCRIPTION="FastTracker 2 inspired music tracker"
+HOMEPAGE="https://milkytracker.titandemo.org/"
+SRC_URI="https://github.com/milkytracker/MilkyTracker/archive/v${PV}.tar.gz -> ${P}.tar.gz
+ https://github.com/milkytracker/MilkyTracker/commit/${COMMIT}.patch -> ${P}-cmake.patch"
+
+LICENSE="|| ( GPL-3 MPL-1.1 ) AIFFWriter.m BSD GPL-3 GPL-3+ LGPL-2.1+ MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="alsa jack"
+
+RDEPEND="
+ dev-libs/zziplib
+ media-libs/libsdl2[X]
+ sys-libs/zlib
+ alsa? ( media-libs/alsa-lib )
+ jack? ( media-sound/jack-audio-connection-kit )"
+DEPEND="${RDEPEND}"
+
+PATCHES=(
+ "${DISTDIR}/${P}-cmake.patch"
+ "${FILESDIR}/${P}-CVE-2019-14464.patch"
+ "${FILESDIR}/${P}-CVE-2019-1449x.patch"
+ "${FILESDIR}/${P}-CVE-2020-15569.patch"
+)
+
+S="${WORKDIR}/MilkyTracker-${PV}"
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake_use_find_package alsa ALSA)
+ $(cmake_use_find_package jack JACK)
+ )
+ cmake_src_configure
+}
+
+src_install() {
+ cmake_src_install
+
+ newicon resources/pictures/carton.png ${PN}.png
+ make_desktop_entry ${PN} MilkyTracker ${PN} \
+ "AudioVideo;Audio;Sequencer"
+}
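Review bot: The second `SRC_URI` entry fetches `commit/${COMMIT}.patch`, which GitHub generates on request rather than serving as a stored file, so its bytes are not guaranteed to stay identical over time. The Manifest entry for `${P}-cmake.patch` means a changed download is rejected instead of applied, which is the safe failure mode, but the package then stops fetching until someone re-checksums whatever GitHub returns that day. Pointing `SRC_URI` at a fixed, hosted copy of the patch would keep the pinned hash meaningful; the comment above `COMMIT` could then read `# Fetched from a static copy; GitHub's generated .patch output is not stable`. In `src_install`, `${PN}` is also unquoted in `newicon` and `make_desktop_entry`, where `"${PN}"` is the safer habit.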