Re: [OE-core] [poky][sumo][PATCH 4/4] libsndfile1: fix CVE-2019-3832
On Thu, 2021-01-07 at 11:21 +0100, Quentin Schulz wrote: > Hi Sana, > > Unless I'm mistaken, sumo is EOL and not supported anymore. > > The latest version that is still maintained by the community is zeus > (3.0). The latest version officially maintained is dunfell (3.1), > meaning this one will still receive dot releases, not the community one > though commits can be pushed to the "community-maintained" branch. > > Please stop sending patches for sumo. Maintain it on your own, ask to > become a community maintainer or upgrade to current/maintained versions. I think if someone wanted to step up and collect sumo patches, we'd be ok with that. There is nobody who's doing that at present though. We did go through some effort to get sumo building again on the infrastructure too but again, nobody stepped forward to look after it and I suspect it would be broken again now. To be clear, we cannot merge patches without testing and we need builds on the infrastructure to do that which is why it was important. It would be good to understand why the patches are being posted. Cheers, Richard -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#146471): https://lists.openembedded.org/g/openembedded-core/message/146471 Mute This Topic: https://lists.openembedded.org/mt/79495952/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [poky][sumo][PATCH 4/4] libsndfile1: fix CVE-2019-3832
Hi Sana,
Unless I'm mistaken, sumo is EOL and not supported anymore.
The latest version that is still maintained by the community is zeus
(3.0). The latest version officially maintained is dunfell (3.1),
meaning this one will still receive dot releases, not the community one
though commits can be pushed to the "community-maintained" branch.
Please stop sending patches for sumo. Maintain it on your own, ask to
become a community maintainer or upgrade to current/maintained versions.
Best regards,
Quentin
On Thu, Jan 07, 2021 at 03:41:01PM +0530, Sana Kazi wrote:
> From: Ross Burton
>
> The previous fix for CVE-2018-19758 wasn't complete, so backport another patch
> to solve it properly.
>
> (From OE-Core rev: aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2)
>
> Signed-off-by: Ross Burton
> Signed-off-by: Richard Purdie
> Signed-off-by: Sana Kazi
> ---
> .../libsndfile1/CVE-2019-3832.patch | 37 +++
> .../libsndfile/libsndfile1_1.0.28.bb | 5 +++
> 2 files changed, 42 insertions(+)
> create mode 100644
> meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
>
> diff --git
> a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
> b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
> new file mode 100644
> index 00..ab37211399
> --- /dev/null
> +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
> @@ -0,0 +1,37 @@
> +From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
> +From: Emilio Pozuelo Monfort
> +Date: Tue, 5 Mar 2019 11:27:17 +0100
> +Subject: [PATCH] wav_write_header: don't read past the array end
> +
> +CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
> +
> +CVE: CVE-2019-3832
> +Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
> +Signed-off-by: Ross Burton
> +
> +If loop_count is bigger than the array, truncate it to the array
> +length (and not to 32k).
> +
> +CVE-2019-3832
> +
> +---
> + src/wav.c | 6 --
> + 1 file changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/wav.c b/src/wav.c
> +index daae3cc..8851549 100644
> +--- a/src/wav.c
> b/src/wav.c
> +@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
> + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
> + psf_binheader_writef (psf, "44", psf->instrument->loop_count,
> 0) ;
> +
> +- /* Loop count is signed 16 bit number so we limit it range to
> something sensible. */
> +- psf->instrument->loop_count &= 0x7fff ;
> ++ /* Make sure we don't read past the loops array end. */
> ++ if (psf->instrument->loop_count > ARRAY_LEN
> (psf->instrument->loops))
> ++ psf->instrument->loop_count = ARRAY_LEN
> (psf->instrument->loops) ;
> ++
> + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
> + { int type ;
> +
> diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
> b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
> index b28f675286..e52105fa2b 100644
> --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
> +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
> @@ -13,6 +13,11 @@ SRC_URI =
> "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
> file://CVE-2017-14245-14246.patch \
> file://CVE-2017-14634.patch \
> file://CVE-2018-13139.patch \
> + file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
> + file://CVE-2018-19432.patch \
> + file://CVE-2017-12562.patch \
> + file://CVE-2018-19758.patch \
> + file://CVE-2019-3832.patch \
>"
>
> SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and
> is the property of the KPIT Technologies Ltd. It is intended only for the
> person to whom it is addressed. If you are not the intended recipient, you
> are not authorized to read, print, retain copy, disseminate, distribute, or
> use this message or any part thereof. If you receive this message in error,
> please notify the sender immediately and delete all copies of this message.
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
>
>
--
StreamUnlimited Engineering GmbH
High Tech Campus Vienna, Gutheil-Schoder-Gasse 10, 1100 Vienna, Austria
Fax: +43 1 667 20 02 4401
quentin.sch...@streamunlimited.com, www.streamunlimited.com
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146467):
https://lists.openembedded.org/g/openembedded-core/message/146467
Mute This Topic: https://lists.openembedded.org/mt/79495952/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[OE-core] [poky][sumo][PATCH 4/4] libsndfile1: fix CVE-2019-3832
From: Ross Burton
The previous fix for CVE-2018-19758 wasn't complete, so backport another patch
to solve it properly.
(From OE-Core rev: aeaca9bb1b1c8bf44818945dc4b2cbd6d4b5cef2)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Sana Kazi
---
.../libsndfile1/CVE-2019-3832.patch | 37 +++
.../libsndfile/libsndfile1_1.0.28.bb | 5 +++
2 files changed, 42 insertions(+)
create mode 100644
meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
new file mode 100644
index 00..ab37211399
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
@@ -0,0 +1,37 @@
+From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort
+Date: Tue, 5 Mar 2019 11:27:17 +0100
+Subject: [PATCH] wav_write_header: don't read past the array end
+
+CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
+
+CVE: CVE-2019-3832
+Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
+Signed-off-by: Ross Burton
+
+If loop_count is bigger than the array, truncate it to the array
+length (and not to 32k).
+
+CVE-2019-3832
+
+---
+ src/wav.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/wav.c b/src/wav.c
+index daae3cc..8851549 100644
+--- a/src/wav.c
b/src/wav.c
+@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+ psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ psf_binheader_writef (psf, "44", psf->instrument->loop_count,
0) ;
+
+- /* Loop count is signed 16 bit number so we limit it range to
something sensible. */
+- psf->instrument->loop_count &= 0x7fff ;
++ /* Make sure we don't read past the loops array end. */
++ if (psf->instrument->loop_count > ARRAY_LEN
(psf->instrument->loops))
++ psf->instrument->loop_count = ARRAY_LEN
(psf->instrument->loops) ;
++
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b28f675286..e52105fa2b 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -13,6 +13,11 @@ SRC_URI =
"http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-14245-14246.patch \
file://CVE-2017-14634.patch \
file://CVE-2018-13139.patch \
+ file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \
+ file://CVE-2018-19432.patch \
+ file://CVE-2017-12562.patch \
+ file://CVE-2018-19758.patch \
+ file://CVE-2019-3832.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146466):
https://lists.openembedded.org/g/openembedded-core/message/146466
Mute This Topic: https://lists.openembedded.org/mt/79495952/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
