Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2017-12-21 11:27:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvorbis" Thu Dec 21 11:27:31 2017 rev:48 rq:558541 version:1.3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2016-12-02 16:38:12.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2017-12-21 11:27:32.348828337 +0100 @@ -1,0 +2,11 @@ +Tue Dec 19 14:32:18 CET 2017 - ti...@suse.de + +- Fix VUL-0: out-of-bounds array read vulnerability exists in + function mapping0_forward() (CVE-2017-14633, bsc#1059811): + 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch +- Fix VUL-0: Remote Code Execution upon freeing uninitialized + memory in function vorbis_analysis_headerout(CVE-2017-14632, + bsc#1059809): + 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch + +------------------------------------------------------------------- New: ---- 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvorbis.spec ++++++ --- /var/tmp/diff_new_pack.9IaHYV/_old 2017-12-21 11:27:33.184787576 +0100 +++ /var/tmp/diff_new_pack.9IaHYV/_new 2017-12-21 11:27:33.188787381 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,8 @@ # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddw...@opensuse.org -- Use Requires/Libs.private to avoid overlinking Patch11: vorbis-fix-linking.patch Patch12: vorbis-ocloexec.patch +Patch21: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch +Patch22: 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool @@ -53,9 +55,9 @@ %package -n libvorbis0 Summary: The Vorbis General Audio Compression Codec -Group: System/Libraries # # libvorbis was last used in openSUSE 11.3 +Group: System/Libraries Provides: %{name} = 1.3.2 Obsoletes: %{name} < 1.3.2 # bug437293 (SLES10 -> SLES11 upgrade path) @@ -133,6 +135,8 @@ fi %patch11 -p1 %patch12 +%patch21 -p1 +%patch22 -p1 %build # Fix optimization level ++++++ 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch ++++++ >From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> Date: Tue, 31 Oct 2017 18:32:46 +0100 Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels Otherwise for(i=0;i<vi->channels;i++){ /* the encoder setup assumes that all the modes used by any specific bitrate tweaking use the same floor */ int submap=info->chmuxlist[i]; overreads later in mapping0_forward since chmuxlist is a fixed array of 256 elements max. --- lib/info.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/info.c +++ b/lib/info.c @@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp oggpack_buffer opb; private_state *b=v->backend_state; - if(!b||vi->channels<=0){ + if(!b||vi->channels<=0||vi->channels>256){ ret=OV_EFAULT; goto err_out; } ++++++ 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch ++++++ >From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> Date: Wed, 15 Nov 2017 18:22:59 +0100 Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized If the number of channels is not within the allowed range we call oggback_writeclear altough it's not initialized yet. This fixes =23371== Invalid free() / delete / delete[] / realloc() ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x10D82A: open_output_file (sox.c:1556) ==23371== by 0x10D82A: process (sox.c:1753) ==23371== by 0x10D82A: main (sox.c:3012) ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371== by 0x10D82A: open_output_file (sox.c:1556) ==23371== by 0x10D82A: process (sox.c:1753) ==23371== by 0x10D82A: main (sox.c:3012) as seen when using the testcase from CVE-2017-11333 with 008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was there before. --- lib/info.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/info.c +++ b/lib/info.c @@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp private_state *b=v->backend_state; if(!b||vi->channels<=0||vi->channels>256){ + b = NULL; ret=OV_EFAULT; goto err_out; }