Hello community, here is the log from the commit of package libvpx for openSUSE:Leap:15.2 checked in at 2020-02-04 17:53:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libvpx (Old) and /work/SRC/openSUSE:Leap:15.2/.libvpx.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvpx" Tue Feb 4 17:53:37 2020 rev:22 rq:766060 version:1.6.1 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/libvpx/libvpx.changes 2020-01-15 15:25:40.662585145 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.libvpx.new.26092/libvpx.changes 2020-02-04 17:53:59.424733727 +0100
@@ -1,0 +2,11 @@
+Fri Jan 10 12:11:16 UTC 2020 - Adrian Schröter <adr...@suse.com>
+
+- backport security fixes:
+ CVE-2019-2126.patch bsc#1160611: double free in ParseContentEncodingEntry()
+ CVE-2019-9325.patch bsc#1160612: out-of-bounds read
+ CVE-2019-9232.patch bsc#1160613: Fix OOB memory access on fuzzed data
+ CVE-2019-9433.patch bsc#1160614: use-after-free in vp8_deblock()
+ CVE-2019-9371.patch bsc#1160615: resource exhaustion after memory leak
+- executed test suite before submit
+
+-------------------------------------------------------------------
New: ---- CVE-2019-2126.patch CVE-2019-9232.patch CVE-2019-9325.patch CVE-2019-9371.patch CVE-2019-9433.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ libvpx.spec ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old 2020-02-04 17:54:00.132734154 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new 2020-02-04 17:54:00.140734159 +0100
@@ -30,6 +30,12 @@
 Patch1: libvpx-define-config_pic.patch
 Patch2: libvpx-configure-add-s390.patch
 Patch4: libvpx-armv7-use-hard-float.patch
+Patch5: CVE-2019-9325.patch
+Patch6: CVE-2019-9232.patch
+Patch7: CVE-2019-9433.patch
+# libwebm:
+Patch100: CVE-2019-9371.patch
+Patch101: CVE-2019-2126.patch
 # Needed to be able to create pkgconfig() provides.
 BuildRequires: pkgconfig
 BuildRequires: yasm
@@ -97,6 +103,13 @@
 %patch1 -p1
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+# libwebm
+%patch100 -p0
+%patch101 -p0
+
 %build
 %if 0%{?suse_version} < 1310
++++++ CVE-2019-2126.patch ++++++
commit 562301346008c30d4a9bfc4e516d675320d4a55a
Author: Frank Galligan <fgalli...@google.com>
Date: Fri May 3 16:13:45 2019 -0700
Fixes a double free in ContentEncoding
BUG=b/127702368
Change-Id: Ifa958d72f8e2e75bae4cddd5c6d3625882da7c2b
Index: libwebm/mkvparser/mkvparser.cc
===================================================================
--- third_party/libwebm/mkvparser/mkvparser.cc
+++ third_party/libwebm/mkvparser/mkvparser.cc
@@ -4225,6 +4225,7 @@ long ContentEncoding::ParseContentEncodi
 new (std::nothrow) ContentEncryption*[encryption_count];
 if (!encryption_entries_) {
 delete[] compression_entries_;
+ compression_entries_ = NULL;
 return -1;
 }
 encryption_entries_end_ = encryption_entries_;
++++++ CVE-2019-9232.patch ++++++
commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
Author: Fyodor Kyslov <kys...@google.com>
Date: Fri Jan 4 17:04:09 2019 -0800
Fix OOB memory access on fuzzed data
vp8_norm table has 256 elements while index to it can be higher on fuzzed data. Typecasting it to unsigned char will ensure valid range and will trigger proper error later. Also declaring "shift" as unsigned char to avoid UB sanitizer warning
BUG=b/122373286,b/122373822,b/122371119
Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
Index: libvpx-1.6.1/vp8/decoder/dboolhuff.h
===================================================================
--- libvpx-1.6.1.orig/vp8/decoder/dboolhuff.h
+++ libvpx-1.6.1/vp8/decoder/dboolhuff.h
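Review bot: `%patch101 -p0` applies CVE-2019-2126.patch, whose `Index:` line names `libwebm/mkvparser/mkvparser.cc` while its `---`/`+++` lines name `third_party/libwebm/mkvparser/mkvparser.cc`; GNU patch normally resolves the disagreement by preferring a candidate that exists, so the build works as long as only the `third_party/` path is present, but it is fragile. Editing the patch's `Index:` line to match its other headers (as CVE-2019-9371.patch already does) removes the ambiguity. The `-p0` for the two libwebm patches versus `-p1` for the libvpx ones is consistent with their respective headers.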
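Review bot: The added `compression_entries_ = NULL;` resets only the array pointer, so if the class also keeps an end pointer for the compression array (the way `encryption_entries_end_` is visible here for the encryption one) it would still point into freed memory after this early return; that member is not visible in the hunk, so please check and reset it alongside. A one-line comment would keep the intent of the assignment from being lost in a later cleanup: `// Reset so the destructor does not delete[] the array a second time.` ParseContentEncodingEntry continues outside the hunk.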
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
 }
 {
- register int shift = vp8_norm[range];
+ const unsigned char shift = vp8_norm[(unsigned char)range];
 range <<= shift;
 value <<= shift;
 count -= shift;
Index: libvpx-1.6.1/vpx_dsp/bitreader.h
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader.h
+++ libvpx-1.6.1/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r
 }
 {
- register int shift = vpx_norm[range];
+ const unsigned char shift = vpx_norm[(unsigned char)range];
 range <<= shift;
 value <<= shift;
 count -= shift;
++++++ CVE-2019-9325.patch ++++++
commit 0681cff1ad36b3ef8ec242f59b5a6c4234ccfb88
Author: James Zern <jz...@google.com>
Date: Tue Jul 24 21:36:50 2018 -0700
vp9: fix OOB read in decoder_peek_si_internal
Profile 1 or 3 bitstreams may require 11 bytes for the header in the intra-only case. Additionally add a check on the bit reader's error handler callback to ensure it's non-NULL before calling to avoid future regressions. This has existed since at least (pre-1.4.0): 09bf1d61c Changes hdr for profiles > 1 for intraonly frames
BUG=webm:1543
Change-Id: I23901e6e3a219170e8ea9efecc42af0be2e5c378
Index: libvpx-1.6.1/test/decode_api_test.cc
===================================================================
--- libvpx-1.6.1.orig/test/decode_api_test.cc
+++ libvpx-1.6.1/test/decode_api_test.cc
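Review bot: The `(unsigned char)range` cast keeps the index inside the 256-entry `vp8_norm` table but silently maps an out-of-range `range` to some other entry's shift instead of rejecting it; the commit message relies on a later error path to catch the corrupt state, which nothing in this hunk guarantees, so the truncation deserves a comment such as `/* range > 255 only occurs on corrupt input; truncate to stay inside vp8_norm[] and let the decoder's error path reject the frame. */`. The same applies to the `vpx_norm` hunk in vpx_dsp/bitreader.h below. Both vp8dx_decode_bool and vpx_read continue outside their hunks.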
@@ -138,8 +138,30 @@ TEST(DecodeAPI, Vp9InvalidDecode) {
 EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
 }
-TEST(DecodeAPI, Vp9PeekSI) {
+void TestPeekInfo(const uint8_t *const data, uint32_t data_sz,
+ uint32_t peek_size) {
 const vpx_codec_iface_t *const codec = &vpx_codec_vp9_dx_algo;
+ // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
+ // to decoder_peek_si_internal on frames of size < 8.
+ if (data_sz >= 8) {
+ vpx_codec_ctx_t dec;
+ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
+ EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM
+ : VPX_CODEC_CORRUPT_FRAME,
+ vpx_codec_decode(&dec, data, data_sz, NULL, 0));
+ vpx_codec_iter_t iter = NULL;
+ EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
+ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
+ }
+
+ // Verify behavior of vpx_codec_peek_stream_info.
+ vpx_codec_stream_info_t si;
+ si.sz = sizeof(si);
+ EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
+ vpx_codec_peek_stream_info(codec, data, data_sz, &si));
+}
+
+TEST(DecodeAPI, Vp9PeekStreamInfo) {
 // The first 9 bytes are valid and the rest of the bytes are made up. Until
 // size 10, this should return VPX_CODEC_UNSUP_BITSTREAM and after that it
 // should return VPX_CODEC_CORRUPT_FRAME.
@@ -150,24 +172,18 @@ TEST(DecodeAPI, Vp9PeekSI) {
 };
 for (uint32_t data_sz = 1; data_sz <= 32; ++data_sz) {
- // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
- // to decoder_peek_si_internal on frames of size < 8.
- if (data_sz >= 8) {
- vpx_codec_ctx_t dec;
- EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
- EXPECT_EQ(
- (data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_CORRUPT_FRAME,
- vpx_codec_decode(&dec, data, data_sz, NULL, 0));
- vpx_codec_iter_t iter = NULL;
- EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
- EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
- }
-
- // Verify behavior of vpx_codec_peek_stream_info.
- vpx_codec_stream_info_t si;
- si.sz = sizeof(si);
- EXPECT_EQ((data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
- vpx_codec_peek_stream_info(codec, data, data_sz, &si));
+ TestPeekInfo(data, data_sz, 10);
+ }
+}
+
+TEST(DecodeAPI, Vp9PeekStreamInfoTruncated) {
+ // This profile 1 header requires 10.25 bytes, ensure
+ // vpx_codec_peek_stream_info doesn't over read.
+ const uint8_t profile1_data[10] = { 0xa4, 0xe9, 0x30, 0x68, 0x53,
+ 0xe9, 0x30, 0x68, 0x53, 0x04 };
+
+ for (uint32_t data_sz = 1; data_sz <= 10; ++data_sz) {
+ TestPeekInfo(profile1_data, data_sz, 11);
 }
 }
 #endif // CONFIG_VP9_DECODER
Index: libvpx-1.6.1/vp9/vp9_dx_iface.c
===================================================================
--- libvpx-1.6.1.orig/vp9/vp9_dx_iface.c
+++ libvpx-1.6.1/vp9/vp9_dx_iface.c
@@ -129,7 +129,7 @@ static vpx_codec_err_t decoder_peek_si_i
 const uint8_t *data, unsigned int data_sz, vpx_codec_stream_info_t *si,
 int *is_intra_only, vpx_decrypt_cb decrypt_cb, void *decrypt_state) {
 int intra_only_flag = 0;
- uint8_t clear_buffer[10];
+ uint8_t clear_buffer[11];
 if (data + data_sz <= data) return VPX_CODEC_INVALID_PARAM;
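Review bot: `Vp9PeekStreamInfoTruncated` runs data_sz from 1 to 10 with peek_size 11, so every iteration expects VPX_CODEC_UNSUP_BITSTREAM and the accepting path at a full 11-byte header is never exercised; if a valid eleventh byte is available, growing `profile1_data` by one and looping to `data_sz <= 11` would pin the positive case as well. The 10.25-byte figure in the comment is the reason 11 is the threshold, which is worth saying explicitly: `// 10.25 bytes rounds up to 11, the minimum peek size for this header.`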
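Review bot: `uint8_t clear_buffer[11]` here and the `if (data_sz < 11)` guard in the next hunk of this file are two unrelated literals that must stay equal; defining the header size once (an `enum` or `#define` next to decoder_peek_si_internal) and using it for both the array bound and the check would keep them from drifting, with a comment tying the value to the 11-byte profile 1/3 intra-only header the commit message describes. The size check in the next hunk also runs after parse_bitdepth_colorspace_sampling() has already consumed bits, which is only safe if the bit reader is bounded by data_sz rather than by the buffer size; that setup lies outside both hunks, so please confirm. decoder_peek_si_internal continues outside the hunk.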
@@ -190,6 +190,9 @@ static vpx_codec_err_t decoder_peek_si_i
 if (profile > PROFILE_0) {
 if (!parse_bitdepth_colorspace_sampling(profile, &rb))
 return VPX_CODEC_UNSUP_BITSTREAM;
+ // The colorspace info may cause vp9_read_frame_size() to need 11
+ // bytes.
+ if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM;
 }
 rb.bit_offset += REF_FRAMES; // refresh_frame_flags
 vp9_read_frame_size(&rb, (int *)&si->w, (int *)&si->h);
Index: libvpx-1.6.1/vpx_dsp/bitreader_buffer.c
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader_buffer.c
+++ libvpx-1.6.1/vpx_dsp/bitreader_buffer.c
@@ -23,7 +23,7 @@ int vpx_rb_read_bit(struct vpx_read_bit_
 rb->bit_offset = off + 1;
 return bit;
 } else {
- rb->error_handler(rb->error_handler_data);
+ if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);
 return 0;
 }
 }
++++++ CVE-2019-9371.patch ++++++
commit cb5a9477073cf7ae4a28356d6e3e5638aba78dc9
Author: Angie Chiang <angieb...@google.com>
Date: Tue Nov 20 14:41:20 2018 -0800
Fix a potential memory leak in mkvparser.cc
BUG=webm:1575
Change-Id: Id9a903e14daaab7b93df3a2f443d2f196dbe9104
Index: third_party/libwebm/mkvparser/mkvparser.cc
===================================================================
--- third_party/libwebm/mkvparser/mkvparser.cc.orig
+++ third_party/libwebm/mkvparser/mkvparser.cc
@@ -5296,8 +5296,8 @@ long VideoTrack::Parse(Segment* pSegment
 const long long stop = pos + s.size;
- Colour* colour = NULL;
- Projection* projection = NULL;
+ std::unique_ptr<Colour> colour_ptr;
+ std::unique_ptr<Projection> projection_ptr;
 while (pos < stop) {
 long long id, size;
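Review bot: With `error_handler == NULL` the overrun branch now returns 0 silently, so a caller that installed no handler keeps reading zero bits past the end of its buffer with no signal that the data ran out; that is acceptable only if every such caller checks `bit_offset` against its buffer bound afterwards, which this hunk cannot show. A comment on the added line would record that contract, e.g. `/* No handler installed: report the overrun as a 0 bit; such callers must bounds-check bit_offset themselves. */`. vpx_rb_read_bit begins above the hunk.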
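Review bot: `std::unique_ptr` is introduced in this hunk while none of the backported hunks adds `#include <memory>`; the changelog's test-suite run suggests the 1.6.1 copy of mkvparser.cc already pulls it in, but it is worth confirming the include is direct rather than transitive so a later header cleanup cannot break the backport. A short comment on the two declarations would also record why they replaced the raw pointers: `// Owned until Parse succeeds; every early return below frees them.` VideoTrack::Parse continues outside the hunk.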
@@ -5346,13 +5346,22 @@ long VideoTrack::Parse(Segment* pSegment
 if (rate <= 0)
 return E_FILE_FORMAT_INVALID;
 } else if (id == libwebm::kMkvColour) {
- if (!Colour::Parse(pReader, pos, size, &colour))
+ Colour* colour = NULL;
+ if (!Colour::Parse(pReader, pos, size, &colour)) {
 return E_FILE_FORMAT_INVALID;
+ } else {
+ colour_ptr.reset(colour);
+ }
 } else if (id == libwebm::kMkvProjection) {
- if (!Projection::Parse(pReader, pos, size, &projection))
+ Projection* projection = NULL;
+ if (!Projection::Parse(pReader, pos, size, &projection)) {
 return E_FILE_FORMAT_INVALID;
+ } else {
+ projection_ptr.reset(projection);
+ }
 }
+
 pos += size; // consume payload
 if (pos > stop)
 return E_FILE_FORMAT_INVALID;
@@ -5381,8 +5390,8 @@ long VideoTrack::Parse(Segment* pSegment
 pTrack->m_display_unit = display_unit;
 pTrack->m_stereo_mode = stereo_mode;
 pTrack->m_rate = rate;
- pTrack->m_colour = colour;
- pTrack->m_projection = projection;
+ pTrack->m_colour = colour_ptr.release();
+ pTrack->m_projection = projection_ptr.release();
 pResult = pTrack;
 return 0; // success
++++++ CVE-2019-9433.patch ++++++
commit 52add5896661d186dec284ed646a4b33b607d2c7
Author: Jerome Jiang <ji...@google.com>
Date: Wed May 23 15:43:00 2018 -0700
VP8: Fix use-after-free in postproc.
The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory. Change the pointer in postproc to mi which is always updated.
Bug: 842265
Change-Id: I33874f2112b39f74562cba528432b5f239e6a7bd
diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
index d67ee8a57..8c292d616 100644
--- a/vp8/common/postproc.c
+++ b/vp8/common/postproc.c
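Review bot: The `} else {` following `return E_FILE_FORMAT_INVALID;` is dead structure in both the Colour and Projection branches; dropping it reads more simply and matches the surrounding early-return style: `if (!Colour::Parse(pReader, pos, size, &colour))` / `return E_FILE_FORMAT_INVALID;` / `colour_ptr.reset(colour);`, and likewise for Projection. Note that `reset()` also deletes an element parsed earlier if the same id occurs twice in the track entry, where the old raw-pointer overwrite leaked it; a comment recording that the last occurrence wins would help the next reader. VideoTrack::Parse continues outside the hunk.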
@@ -65,7 +65,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BUFFER_CONFIG *source,
 double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
 int ppl = (int)(level + .5);
- const MODE_INFO *mode_info_context = cm->show_frame_mi;
+ const MODE_INFO *mode_info_context = cm->mi;
 int mbr, mbc;
 /* The pixel thresholds are adjusted according to if or not the macroblock
++++++ libvpx-armv7-use-hard-float.patch ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old 2020-02-04 17:54:00.188734187 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new 2020-02-04 17:54:00.188734187 +0100
@@ -1,6 +1,8 @@
---- a/build/make/configure.sh
-+++ b/build/make/configure.sh
-@@ -940,8 +940,8 @@ process_common_toolchain() {
+Index: libvpx-1.6.1/build/make/configure.sh
+===================================================================
+--- libvpx-1.6.1.orig/build/make/configure.sh
++++ libvpx-1.6.1/build/make/configure.sh
+@@ -907,8 +907,8 @@ process_common_toolchain() {
 #endif
 EOF
 fi
++++++ libvpx-configure-add-s390.patch ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old 2020-02-04 17:54:00.192734191 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new 2020-02-04 17:54:00.192734191 +0100
@@ -1,6 +1,8 @@
---- a/build/make/configure.sh
-+++ b/build/make/configure.sh
-@@ -697,6 +697,12 @@ process_common_toolchain() {
+Index: libvpx-1.6.1/build/make/configure.sh
+===================================================================
+--- libvpx-1.6.1.orig/build/make/configure.sh
++++ libvpx-1.6.1/build/make/configure.sh
+@@ -694,6 +694,12 @@ process_common_toolchain() {
 *i[3456]86*)
 tgt_isa=x86
 ;;
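Review bot: The switch from `cm->show_frame_mi` to `cm->mi` carries its rationale only in the commit message; a comment at the declaration would stop it being "corrected" back later, e.g. `/* Use cm->mi, not cm->show_frame_mi: the latter is refreshed only on shown frames and can dangle after a no-show frame reallocates the buffers. */`. Presumably `cm->mi` holds the most recently decoded frame's mode info, so when a no-show frame precedes the shown one the deblock thresholds now come from a different frame than before; that trade-off is worth stating next to the fix as well. vp8_deblock continues outside the hunk.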
@@ -13,9 +15,11 @@
 *sparc*)
 tgt_isa=sparc
 ;;
---- a/configure
-+++ b/configure
-@@ -114,6 +114,8 @@ all_platforms="${all_platforms} armv7s-d
+Index: libvpx-1.6.1/configure
+===================================================================
+--- libvpx-1.6.1.orig/configure
++++ libvpx-1.6.1/configure
+@@ -113,6 +113,8 @@ all_platforms="${all_platforms} armv7s-d
 all_platforms="${all_platforms} armv8-linux-gcc"
 all_platforms="${all_platforms} mips32-linux-gcc"
 all_platforms="${all_platforms} mips64-linux-gcc"