CVE-2017-12678 taglib: Incorrect cast in rebuildAggregateFrames function (#1483960,#1483959)

2017-08-22 06:58:18 -05:00 · 2017-08-22 06:58:18 -05:00 · 3863668fc5
commit 3863668fc5
parent 891709fa9b
2 changed files with 42 additions and 7 deletions
--- a/0001-Don-t-assume-TDRC-is-an-instance-of-TextIdentificati.patch
+++ b/0001-Don-t-assume-TDRC-is-an-instance-of-TextIdentificati.patch
@ -0,0 +1,33 @@
+From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sun, 23 Jul 2017 10:11:09 -0400
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7b..9347ab86 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+      tag->frameList("TDAT").size() == 1)
+   {
+     TextIdentificationFrame *tdrc =
+-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+ 
+-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
+        tdrc->fieldList().front().size() == 4 &&
+        tdat->data().size() >= 5)
+     {
+-- 
+2.13.5
+
--- a/taglib.spec
+++ b/taglib.spec
@ -7,7 +7,7 @@
 Name:       taglib	
 Summary:    Audio Meta-Data Library
 Version:    1.11.1
-Release:    4%{?dist}
+Release:    5%{?dist}

 License:    LGPLv2 or MPLv1.1
 #URL:       http://launchpad.net/taglib
@ -21,9 +21,12 @@ Source0:    http://taglib.github.io/releases/taglib-%{version}%{?beta}.tar.gz
 Source1:    taglib-snapshot.sh

 # http://bugzilla.redhat.com/343241
-Patch2:     taglib-1.5rc1-multilib.patch
+Patch102:   taglib-1.5rc1-multilib.patch

 ## upstream patches
+# sbooth fork/pull-request
+# https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6
+Patch1: 0001-Don-t-assume-TDRC-is-an-instance-of-TextIdentificati.patch

 BuildRequires: cmake
 BuildRequires: pkgconfig
@ -59,11 +62,7 @@ Files needed when building software with %{name}.


 %prep
-%setup -q -n taglib-%{version}%{?beta}
-
-# patch1 not applied
-## omit for now
-%patch2 -p1 -b .multilib
+%autosetup -n taglib-%{version}%{?beta} -p1


 %build
@ -130,6 +129,9 @@ make check -C %{_target_platform}


 %changelog
+* Tue Aug 22 2017 Rex Dieter <rdieter@fedoraproject.org> - 1.11.1-5
+-  CVE-2017-12678 taglib: Incorrect cast in rebuildAggregateFrames function (#1483960,#1483959)
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild