guix_mirror_bot pushed a commit to branch master
in repository guix.

commit f2c3ff8cba6b1cde8edcf1a8f83b325cf5bc9d95
Author: Simeon Prause <[email protected]>
AuthorDate: Sun Sep 21 14:38:34 2025 +0000

    gnu: audiofile: Update to 0.3.6 [security-fix].
    
    * gnu/packages/audio.scm (audiofile): Update to 0.3.6.
    
    Change-Id: I2dda621f60c27e02b1513e2d89a138136a1633ca
    Signed-off-by: Ludovic Courtès <[email protected]>
---
 gnu/local.mk                                       |  1 +
 gnu/packages/audio.scm                             |  3 +-
 .../patches/audiofile-CVE-2022-24599.patch         | 83 ++++++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index afea357c2c..ab53474192 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1012,6 +1012,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/audiofile-CVE-2015-7747.patch           \
   %D%/packages/patches/audiofile-CVE-2018-13440.patch          \
   %D%/packages/patches/audiofile-CVE-2018-17095.patch          \
+  %D%/packages/patches/audiofile-CVE-2022-24599.patch          \
   %D%/packages/patches/audiofile-check-number-of-coefficients.patch \
   %D%/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch \
   %D%/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch \
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 03bc811022..19756d23e4 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1444,7 +1444,8 @@ tools.")
          ;; CVE-2017-6833:
          "audiofile-division-by-zero.patch"
          "audiofile-CVE-2018-13440.patch"
-         "audiofile-CVE-2018-17095.patch"))))
+         "audiofile-CVE-2018-17095.patch"
+         "audiofile-CVE-2022-24599.patch"))))
     (properties `((lint-hidden-cve . ("CVE-2017-6829"
 
                                       "CVE-2017-6827" "CVE-2017-6828"
diff --git a/gnu/packages/patches/audiofile-CVE-2022-24599.patch 
b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
new file mode 100644
index 0000000000..9299f6ea82
--- /dev/null
+++ b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
@@ -0,0 +1,83 @@
+commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
+Author: Bastien Roucariès <[email protected]>
+Date:   Sat Nov 11 15:58:50 2023 +0000
+
+    Fix CVE-2022-24599
+    
+    Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory 
buffer
+    with a user declared string.
+    
+    Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by 
'\0'
+    for printf
+    
+    Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+    
+    Before under valgrind:
+    libtool --mode=execute valgrind --track-origins=yes  ./sfinfo 
heapleak_poc.aiff
+    
+    Duration       -inf seconds
+    ==896222== Invalid read of size 1
+    ==896222==    at 0x4846794: strlen (vg_replace_strmem.c:494)
+    ==896222==    by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+    ==896222==    by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+    ==896222==    by 0x49DE986: __printf_chk (printf_chk.c:33)
+    ==896222==    by 0x10985C: printf (stdio2.h:86)
+    ==896222==    by 0x10985C: printfileinfo (printinfo.c:134)
+    ==896222==    by 0x10930A: main (sfinfo.c:113)
+    ==896222==  Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+    ==896222==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
+    ==896222==    by 0x109825: copyrightstring (printinfo.c:163)
+    ==896222==    by 0x109825: printfileinfo (printinfo.c:131)
+    ==896222==    by 0x10930A: main (sfinfo.c:113)
+    ==896222==
+    Copyright      C
+    
+    After:
+    Duration       -inf seconds
+    Copyright      C
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ 
+ static char *copyrightstring (AFfilehandle file);
+ 
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+       int             i, misccount;
+ 
+       misccount = afGetMiscIDs(file, NULL);
+-      miscids = (int *) malloc(sizeof (int) * misccount);
++      if(!misccount)
++              return NULL;
++      miscids = (int *) calloc(misccount, sizeof(int));
++      if(!miscids)
++              return NULL;
+       afGetMiscIDs(file, miscids);
+ 
+       for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+                       If this code executes, the miscellaneous chunk is a
+                       copyright chunk.
+               */
+-              int datasize = afGetMiscSize(file, miscids[i]);
+-              char *data = (char *) malloc(datasize);
++              size_t datasize = afGetMiscSize(file, miscids[i]);
++              if(datasize >= INT_MAX -1 ) {
++                      goto error;
++              }
++              char *data = (char *) calloc(datasize + 1, 1);
+               afReadMisc(file, miscids[i], data, datasize);
+               copyright = data;
+               break;
+       }
+-
++error:
+       free(miscids);
+ 
+       return copyright;
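Review bot: The new `calloc(datasize + 1, 1)` result in `copyrightstring` is passed straight to `afReadMisc` without a NULL check, although the same hunk does check the `calloc` for `miscids`; a one-line guard, `if (!data) goto error;`, after the allocation would keep a failed allocation from becoming a write through a null pointer. The `datasize >= INT_MAX - 1` test also covers a negative return from `afGetMiscSize` once it is widened to `size_t`, which is worth a comment on that line since it is not obvious, e.g. `/* also rejects a negative (error) size converted to size_t */`. If `afGetMiscIDs` can return a negative count on error, `if(!misccount)` does not catch it and `calloc(misccount, ...)` is then called with a huge size; `if (misccount <= 0)` would be the safer guard, but this depends on the library's contract and is only an inference from the hunk. The body of `copyrightstring` begins before and its declaration of `copyright` lies outside the hunk.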
