From 01c7afde1d5683342a691344dab95ebf3db0a9ce Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Fri, 6 Nov 2015 10:29:15 +0100
Subject: [PATCH] fix CVE-2015-7805: Heap overflow vulnerability when parsing specially crafted AIFF header
---
 ...7385c1ca1d72918e9a2875d24f202a5093e8.patch | 90 +++++++++++++++++++
 libsndfile.spec | 9 +-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
diff --git a/libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch b/libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
new file mode 100644
index 0000000..2b1ff54
--- /dev/null
+++ b/libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
@@ -0,0 +1,90 @@
+From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo
+Date: Sat, 7 Feb 2015 15:45:10 +1100
+Subject: [PATCH] src/common.c : Fix a header parsing bug.
+
+When the file header is bigger that SF_HEADER_LEN, the code would seek
+instead of reading causing file parse errors.
+
+The current header parsing and writing code *badly* needs a re-write.
+---
+ src/common.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index dd4edb7..c6b88cc 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2011 Erik de Castro Lopo
++** Copyright (C) 1999-2015 Erik de Castro Lopo
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ { int count = 0 ;
+ 
+ if (psf->headindex >= SIGNED_SIZEOF (psf->header))
+- { memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
+-
+- /* This is the best that we can do. */
+- psf_fseek (psf, bytes, SEEK_CUR) ;
+- return bytes ;
+- } ;
++ return psf_fread (ptr, 1, bytes, psf) ;
+ 
+ if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ { int most ;
+ 
+ most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+ psf_fread (psf->header + psf->headend, 1, most, psf) ;
+- memset ((char *) ptr + most, 0, bytes - most) ;
+-
+- psf_fseek (psf, bytes - most, SEEK_CUR) ;
++ memcpy (ptr, psf->header + psf->headend, most) ;
++ psf->headend = psf->headindex += most ;
++ psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
+ return bytes ;
+ } ;
+ 
+@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ { count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
+ if (count != bytes - (int) (psf->headend - psf->headindex))
+ { psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
+- return 0 ;
++ return count ;
+ } ;
+ psf->headend += count ;
+ } ;
+@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ static void
+ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ {
+-
+ switch (whence)
+ { case SEEK_SET :
+ if (position > SIGNED_SIZEOF (psf->header))
+@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ 
+ static int
+ header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
+-{
+- int k ;
++{ int k ;
+ 
+ for (k = 0 ; k < bufsize - 1 ; k++)
+ { if (psf->headindex < psf->headend)
+@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ case 'j' :
+ /* Get the seek position first. */
+ count = va_arg (argptr, size_t) ;
+- header_seek (psf, count, SEEK_CUR) ;
+- byte_count += count ;
++ if (count)
++ { header_seek (psf, count, SEEK_CUR) ;
++ byte_count += count ;
++ } ;
+ break ;
+ 
+ default :
diff --git a/libsndfile.spec b/libsndfile.spec
index a8e133a..6acf7e5 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
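Review bot: In the backported header_read hunk (`@@ -800,21 +800,16 @@`), the tail read `psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;` is unchecked and the branch still ends with `return bytes ;`, so a short or failed read hands the caller a partially filled buffer (the `bytes - most` tail that the removed memset used to zero is now left untouched) while reporting that every byte arrived. The other two paths in the same function now return the real count (`return psf_fread (ptr, 1, bytes, psf) ;`, and `return 0 ;` becoming `return count ;` in the `-822` hunk), so this branch should do the same: `count = psf_fread ((char *) ptr + most, 1, bytes - most, psf) ;` followed by `return most + count ;`, reusing the `int count = 0` declared at the top of the function. That also restores the `1, n` argument order the neighbouring psf_fread calls use; with `bytes - most, 1` the call presumably reads the same bytes but yields 0 or 1 rather than a byte count, which matters as soon as the result is inspected. The rest of header_read, including what callers do with the returned count, lies outside the hunk.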
@@ -1,7 +1,7 @@
 Summary: Library for reading and writing sound files
 Name: libsndfile
 Version: 1.0.25
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: LGPLv2+ and GPLv2+ and BSD
 Group: System Environment/Libraries
 URL: http://www.mega-nerd.com/libsndfile/
@@ -9,6 +9,8 @@ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0: %{name}-1.0.25-system-gsm.patch
 Patch1: libsndfile-1.0.25-zerodivfix.patch
 Patch2: libsndfile-1.0.25-cve2014_9496.patch
+# from upstream, for <= 1.0.25, rhbz#1277899
+Patch3: libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
 
 BuildRequires: alsa-lib-devel
 BuildRequires: flac-devel
@@ -57,6 +59,7 @@ This package contains command line utilities for libsndfile.
 %patch0 -p1
 %patch1 -p1 -b .zerodivfix
 %patch2 -p1 -b .cve2014_9496
+%patch3 -p1 -b .d2a87385c1ca1d72918e9a2875d24f202a5093e8
 rm -r src/GSM610
 
 %build
@@ -150,6 +153,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 
 
 %changelog
+* Fri Nov 06 2015 Michal Hlavinka - 1.0.25-18
+- fix CVE-2015-7805: Heap overflow vulnerability when parsing specially
+ crafted AIFF header
+
 * Thu Aug 27 2015 Marcin Juszkiewicz - 1.0.25-17
 - Use __isa_bits macro instead of list of 64-bit architectures