* [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392
@ 2020-03-01 18:02 Fabrice Fontaine
2020-03-01 18:02 ` [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393 Fabrice Fontaine
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2020-03-01 18:02 UTC (permalink / raw)
To: buildroot
mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
validate the number of channels, which allows remote attackers to cause
a denial of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...ty-check-number-of-channels-in-setup.patch | 28 +++++++++++++++++++
package/libvorbis/libvorbis.mk | 3 ++
2 files changed, 31 insertions(+)
create mode 100644 package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
diff --git a/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch b/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
new file mode 100644
index 0000000000..1208839a20
--- /dev/null
+++ b/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
@@ -0,0 +1,28 @@
+From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 17 May 2018 16:19:19 -0700
+Subject: [PATCH] Sanity check number of channels in setup.
+
+Fixes #2335.
+[Retrieved from:
+https://gitlab.xiph.org/xiph/vorbis/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ lib/vorbisenc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4fc7b62..64a51b5 100644
+--- a/lib/vorbisenc.c
++++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+ highlevel_encode_setup *hi=&ci->hi;
+
+ if(ci==NULL)return(OV_EINVAL);
++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+ if(!hi->impulse_block_p)i0=1;
+
+ /* too low/high an ATH floater is nonsensical, but doesn't break anything */
+--
+2.24.1
+
diff --git a/package/libvorbis/libvorbis.mk b/package/libvorbis/libvorbis.mk
index ae2c1efffe..bf479a3900 100644
--- a/package/libvorbis/libvorbis.mk
+++ b/package/libvorbis/libvorbis.mk
@@ -13,4 +13,7 @@ LIBVORBIS_DEPENDENCIES = host-pkgconf libogg
LIBVORBIS_LICENSE = BSD-3-Clause
LIBVORBIS_LICENSE_FILES = COPYING
+# 0002-Sanity-check-number-of-channels-in-setup.patch
+LIBVORBIS_IGNORE_CVES += CVE-2018-10392
+
$(eval $(autotools-package))
--
2.25.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393
2020-03-01 18:02 [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Fabrice Fontaine
@ 2020-03-01 18:02 ` Fabrice Fontaine
2020-03-14 18:39 ` Peter Korsgaard
2020-03-01 18:15 ` [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Yann E. MORIN
2020-03-14 18:39 ` Peter Korsgaard
2 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2020-03-01 18:02 UTC (permalink / raw)
To: buildroot
bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.
Same patch as for CVE-2017-14160
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/libvorbis/libvorbis.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/libvorbis/libvorbis.mk b/package/libvorbis/libvorbis.mk
index bf479a3900..708f3364ec 100644
--- a/package/libvorbis/libvorbis.mk
+++ b/package/libvorbis/libvorbis.mk
@@ -13,6 +13,9 @@ LIBVORBIS_DEPENDENCIES = host-pkgconf libogg
LIBVORBIS_LICENSE = BSD-3-Clause
LIBVORBIS_LICENSE_FILES = COPYING
+# 0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch
+LIBVORBIS_IGNORE_CVES += CVE-2018-10393
+
# 0002-Sanity-check-number-of-channels-in-setup.patch
LIBVORBIS_IGNORE_CVES += CVE-2018-10392
--
2.25.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392
2020-03-01 18:02 [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Fabrice Fontaine
2020-03-01 18:02 ` [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393 Fabrice Fontaine
@ 2020-03-01 18:15 ` Yann E. MORIN
2020-03-14 18:39 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2020-03-01 18:15 UTC (permalink / raw)
To: buildroot
Fabrice, All,
On 2020-03-01 19:02 +0100, Fabrice Fontaine spake thusly:
> mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
> validate the number of channels, which allows remote attackers to cause
> a denial of service (heap-based buffer overflow or over-read) or
> possibly have unspecified other impact via a crafted file.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...ty-check-number-of-channels-in-setup.patch | 28 +++++++++++++++++++
> package/libvorbis/libvorbis.mk | 3 ++
> 2 files changed, 31 insertions(+)
> create mode 100644 package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
>
> diff --git a/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch b/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
> new file mode 100644
> index 0000000000..1208839a20
> --- /dev/null
> +++ b/package/libvorbis/0002-Sanity-check-number-of-channels-in-setup.patch
> @@ -0,0 +1,28 @@
> +From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
> +From: Thomas Daede <daede003@umn.edu>
> +Date: Thu, 17 May 2018 16:19:19 -0700
> +Subject: [PATCH] Sanity check number of channels in setup.
> +
> +Fixes #2335.
> +[Retrieved from:
> +https://gitlab.xiph.org/xiph/vorbis/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + lib/vorbisenc.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
> +index 4fc7b62..64a51b5 100644
> +--- a/lib/vorbisenc.c
> ++++ b/lib/vorbisenc.c
> +@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
> + highlevel_encode_setup *hi=&ci->hi;
> +
> + if(ci==NULL)return(OV_EINVAL);
> ++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
> + if(!hi->impulse_block_p)i0=1;
> +
> + /* too low/high an ATH floater is nonsensical, but doesn't break anything */
> +--
> +2.24.1
> +
> diff --git a/package/libvorbis/libvorbis.mk b/package/libvorbis/libvorbis.mk
> index ae2c1efffe..bf479a3900 100644
> --- a/package/libvorbis/libvorbis.mk
> +++ b/package/libvorbis/libvorbis.mk
> @@ -13,4 +13,7 @@ LIBVORBIS_DEPENDENCIES = host-pkgconf libogg
> LIBVORBIS_LICENSE = BSD-3-Clause
> LIBVORBIS_LICENSE_FILES = COPYING
>
> +# 0002-Sanity-check-number-of-channels-in-setup.patch
> +LIBVORBIS_IGNORE_CVES += CVE-2018-10392
> +
> $(eval $(autotools-package))
> --
> 2.25.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392
2020-03-01 18:02 [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Fabrice Fontaine
2020-03-01 18:02 ` [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393 Fabrice Fontaine
2020-03-01 18:15 ` [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Yann E. MORIN
@ 2020-03-14 18:39 ` Peter Korsgaard
2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-03-14 18:39 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
> validate the number of channels, which allows remote attackers to cause
> a denial of service (heap-based buffer overflow or over-read) or
> possibly have unspecified other impact via a crafted file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393
2020-03-01 18:02 ` [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393 Fabrice Fontaine
@ 2020-03-14 18:39 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-03-14 18:39 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
> stack-based buffer over-read.
> Same patch as for CVE-2017-14160
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-14 18:39 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-01 18:02 [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Fabrice Fontaine
2020-03-01 18:02 ` [Buildroot] [PATCH 2/2] package/libvorbis: annote CVE-2018-10393 Fabrice Fontaine
2020-03-14 18:39 ` Peter Korsgaard
2020-03-01 18:15 ` [Buildroot] [PATCH 1/2] package/libvorbis: fix CVE-2018-10392 Yann E. MORIN
2020-03-14 18:39 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox