From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Gilles Talis <gilles.talis@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/opusfile: fix CVE-2022-47021
Date: Sun, 5 Feb 2023 15:28:44 +0100 [thread overview]
Message-ID: <20230205142844.GL2960@scaer> (raw)
In-Reply-To: <20230205130600.18051-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2023-02-05 14:06 +0100, Fabrice Fontaine spake thusly:
> A null pointer dereference issue was discovered in functions op_get_data
> and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows
> attackers to cause denial of service or other unspecified impacts.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...ocation-failure-from-ogg_sync_buffer.patch | 44 +++++++++++++++++++
> package/opusfile/opusfile.mk | 3 ++
> 2 files changed, 47 insertions(+)
> create mode 100644 package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
>
> diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> new file mode 100644
> index 0000000000..2ef08502ab
> --- /dev/null
> +++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> @@ -0,0 +1,44 @@
> +From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001
> +From: Ralph Giles <giles@thaumas.net>
> +Date: Tue, 6 Sep 2022 19:04:31 -0700
> +Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer.
> +
> +Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns
> +a null pointer. This allows more graceful recovery by the caller
> +in the unlikely event of a fallible ogg_malloc call.
> +
> +We do check the return value elsewhere in the code, so the new
> +checks make the code more consistent.
> +
> +Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
> +
> +Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
> +Signed-off-by: Mark Harris <mark.hsj@gmail.com>
> +
> +[Retrieved from:
> +https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/opusfile.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/opusfile.c b/src/opusfile.c
> +index ca219b2..3c3c81e 100644
> +--- a/src/opusfile.c
> ++++ b/src/opusfile.c
> +@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){
> + int nbytes;
> + OP_ASSERT(_nbytes>0);
> + buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes);
> ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
> + nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes);
> + OP_ASSERT(nbytes<=_nbytes);
> + if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes);
> +@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of,
> + if(_initial_bytes>0){
> + char *buffer;
> + buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes);
> ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT;
> + memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer));
> + ogg_sync_wrote(&_of->oy,(long)_initial_bytes);
> + }
> diff --git a/package/opusfile/opusfile.mk b/package/opusfile/opusfile.mk
> index 72ae82e801..63553a81e7 100644
> --- a/package/opusfile/opusfile.mk
> +++ b/package/opusfile/opusfile.mk
> @@ -11,6 +11,9 @@ OPUSFILE_LICENSE = BSD-3-Clause
> OPUSFILE_LICENSE_FILES = COPYING
> OPUSFILE_INSTALL_STAGING = YES
>
> +# 0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> +OPUSFILE_IGNORE_CVES += CVE-2022-47021
> +
> ifeq ($(BR2_PACKAGE_OPENSSL),y)
> OPUSFILE_DEPENDENCIES += openssl
> else
> --
> 2.39.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-02-05 14:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-05 13:06 [Buildroot] [PATCH 1/1] package/opusfile: fix CVE-2022-47021 Fabrice Fontaine
2023-02-05 14:28 ` Yann E. MORIN [this message]
2023-02-21 20:32 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230205142844.GL2960@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
--cc=gilles.talis@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox