From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Gilles Talis <gilles.talis@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/opusfile: fix CVE-2022-47021
Date: Sun, 5 Feb 2023 15:28:44 +0100 [thread overview]
Message-ID: <20230205142844.GL2960@scaer> (raw)
In-Reply-To: <20230205130600.18051-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2023-02-05 14:06 +0100, Fabrice Fontaine spake thusly:
> A null pointer dereference issue was discovered in functions op_get_data
> and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows
> attackers to cause denial of service or other unspecified impacts.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...ocation-failure-from-ogg_sync_buffer.patch | 44 +++++++++++++++++++
> package/opusfile/opusfile.mk | 3 ++
> 2 files changed, 47 insertions(+)
> create mode 100644 package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
>
> diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> new file mode 100644
> index 0000000000..2ef08502ab
> --- /dev/null
> +++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> @@ -0,0 +1,44 @@
> +From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001
> +From: Ralph Giles <giles@thaumas.net>
> +Date: Tue, 6 Sep 2022 19:04:31 -0700
> +Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer.
> +
> +Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
> +a null pointer. This allows more graceful recovery by the caller
> +in the unlikely event of a fallible ogg_malloc call.
> +
> +We do check the return value elsewhere in the code, so the new
> +checks make the code more consistent.
> +
> +Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
> +
> +Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
> +Signed-off-by: Mark Harris <mark.hsj@gmail.com>
> +
> +[Retrieved from:
> +https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/opusfile.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/opusfile.c b/src/opusfile.c
> +index ca219b2..3c3c81e 100644
> +--- a/src/opusfile.c
> ++++ b/src/opusfile.c
> +@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){
> + int nbytes;
> + OP_ASSERT(_nbytes>0);
> + buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes);
> ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
> + nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes);
> + OP_ASSERT(nbytes<=_nbytes);
> + if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes);
> +@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of,
> + if(_initial_bytes>0){
> + char *buffer;
> + buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
> ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
> + memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
> + ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
> + }
> diff --git a/package/opusfile/opusfile.mk b/package/opusfile/opusfile.mk
> index 72ae82e801..63553a81e7 100644
> --- a/package/opusfile/opusfile.mk
> +++ b/package/opusfile/opusfile.mk
> @@ -11,6 +11,9 @@ OPUSFILE_LICENSE = BSD-3-Clause
> OPUSFILE_LICENSE_FILES = COPYING
> OPUSFILE_INSTALL_STAGING = YES
>
> +# 0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> +OPUSFILE_IGNORE_CVES += CVE-2022-47021
> +
> ifeq ($(BR2_PACKAGE_OPENSSL),y)
> OPUSFILE_DEPENDENCIES += openssl
> else
> --
> 2.39.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-02-05 14:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-05 13:06 [Buildroot] [PATCH 1/1] package/opusfile: fix CVE-2022-47021 Fabrice Fontaine
2023-02-05 14:28 ` Yann E. MORIN [this message]
2023-02-21 20:32 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230205142844.GL2960@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
--cc=gilles.talis@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.