Openembedded Core Discussions
* [PATCH 0/2] Upgrade libav and fix one qemu cve issue
@ 2015-05-26  7:14 Kai Kang
  2015-05-26  7:14 ` [PATCH 1/2] qemu: fix CVE-2015-3456 Kai Kang
  2015-05-26  7:14 ` [PATCH 2/2] libav: upgrade to 9.18 Kai Kang
  0 siblings, 2 replies; 5+ messages in thread
From: Kai Kang @ 2015-05-26  7:14 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 971ce829df02cf6970d2a4af377704b8930feee9:

  bitbake: data: Move warning code to the first loop for performance (2015-05-25 09:00:58 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib kangkai/CVEs
  http://git.yoctoproject.org/cgit.cgi//log/?h=kangkai/CVEs

Kai Kang (2):
  qemu: fix CVE-2015-3456
  libav: upgrade to 9.18

 .../qemu/qemu/qemu-CVE-2015-3456.patch             | 92 ++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.3.0.bb           |  1 +
 meta/recipes-multimedia/libav/libav.inc            |  2 -
 .../libav/libav/libav-fix-CVE-2014-9676.patch      | 98 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.16.bb        |  4 -
 meta/recipes-multimedia/libav/libav_9.18.bb        |  6 ++
 6 files changed, 197 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
 delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
 create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb

-- 
1.9.1




* [PATCH 1/2] qemu: fix CVE-2015-3456
  2015-05-26  7:14 [PATCH 0/2] Upgrade libav and fix one qemu cve issue Kai Kang
@ 2015-05-26  7:14 ` Kai Kang
  2015-05-26  7:14 ` [PATCH 2/2] libav: upgrade to 9.18 Kai Kang
  1 sibling, 0 replies; 5+ messages in thread
From: Kai Kang @ 2015-05-26  7:14 UTC (permalink / raw)
  To: openembedded-core

Backport patch to fix qemu CVE issue CVE-2015-3456.

Refs:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../qemu/qemu/qemu-CVE-2015-3456.patch             | 92 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.3.0.bb           |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000..f05441f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.9.5
+
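Review bot: In the fdctrl_write_data hunk of the embedded fdc.c patch, `fdctrl->data_pos++` is still incremented without any limit and only the local `pos` is reduced with `pos %= FD_SECTOR_LEN`, so the fix holds only if every fifo access goes through such a reduced index and the fifo allocation is at least FD_SECTOR_LEN bytes, neither of which is visible in these lines. Since this is a backport onto qemu_2.3.0.bb, please confirm against the 2.3.0 sources that no fifo access indexed directly by `fdctrl->data_pos` remains outside the three functions touched here. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1` wraps as uint32_t when data_pos is 0 before the modulo is applied; a one-line comment saying that case is meant to be covered would help the next person rebasing this patch.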
diff --git a/meta/recipes-devtools/qemu/qemu_2.3.0.bb b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
index 25c5e4d..4782941 100644
--- a/meta/recipes-devtools/qemu/qemu_2.3.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.3.0.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
 SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
             file://qemu-enlarge-env-entry-size.patch \
             file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+            file://qemu-CVE-2015-3456.patch \
             "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "2fab3ea4460de9b57192e5b8b311f221"
-- 
1.9.1




* [PATCH 2/2] libav: upgrade to 9.18
  2015-05-26  7:14 [PATCH 0/2] Upgrade libav and fix one qemu cve issue Kai Kang
  2015-05-26  7:14 ` [PATCH 1/2] qemu: fix CVE-2015-3456 Kai Kang
@ 2015-05-26  7:14 ` Kai Kang
  2015-05-27  1:24   ` Randy MacLeod
  1 sibling, 1 reply; 5+ messages in thread
From: Kai Kang @ 2015-05-26  7:14 UTC (permalink / raw)
  To: openembedded-core

Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
backport patch to fix CVE-2014-9676.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 meta/recipes-multimedia/libav/libav.inc            |  2 -
 .../libav/libav/libav-fix-CVE-2014-9676.patch      | 98 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.16.bb        |  4 -
 meta/recipes-multimedia/libav/libav_9.18.bb        |  6 ++
 4 files changed, 104 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
 delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
 create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb

diff --git a/meta/recipes-multimedia/libav/libav.inc b/meta/recipes-multimedia/libav/libav.inc
index cac836f..6ef273b 100644
--- a/meta/recipes-multimedia/libav/libav.inc
+++ b/meta/recipes-multimedia/libav/libav.inc
@@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm"
 
 DEPENDS = "alsa-lib zlib libogg yasm-native"
 
-INC_PR = "r8"
-
 inherit autotools pkgconfig
 
 B = "${S}/build.${HOST_SYS}.${TARGET_SYS}"
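Review bot: Dropping `INC_PR = "r8"` from libav.inc is only safe if no recipe that requires this file still builds its PR from `${INC_PR}`; the deleted libav_9.16.bb shown in this patch does not, but any other recipe that does `require libav.inc` is outside the diff. Please say in the commit message how "unused" was checked, for example a grep for INC_PR across the layer.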
diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
new file mode 100644
index 0000000..1e31caa
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
@@ -0,0 +1,98 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2014-9676.
+
+https://security-tracker.debian.org/tracker/CVE-2014-9676
+https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001
+From: Luca Barbato <lu_zero@gentoo.org>
+Date: Mon, 5 Jan 2015 10:40:41 +0100
+Subject: [PATCH] segment: Fix the failure paths
+
+A failure in segment_end() or segment_start() would lead to freeing
+a dangling pointer and in general further calls to seg_write_packet()
+or to seg_write_trailer() would have the same faulty behaviour.
+
+CC: libav-stable@libav.org
+Reported-By: luodalongde@gmail.com
+---
+ libavformat/segment.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/libavformat/segment.c b/libavformat/segment.c
+index 52da6b9..bcfd1f9 100644
+--- a/libavformat/segment.c
++++ b/libavformat/segment.c
+@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb)
+     av_free(pb);
+ }
+ 
++static void seg_free_context(SegmentContext *seg)
++{
++    avio_closep(&seg->pb);
++    avformat_free_context(seg->avf);
++    seg->avf = NULL;
++}
++
+ static int seg_write_header(AVFormatContext *s)
+ {
+     SegmentContext *seg = s->priv_data;
+@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s)
+     }
+ 
+ fail:
+-    if (ret) {
+-        if (seg->list)
+-            avio_close(seg->pb);
+-        if (seg->avf)
+-            avformat_free_context(seg->avf);
+-    }
++    if (ret < 0)
++        seg_free_context(seg);
++
+     return ret;
+ }
+ 
+@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
+     int64_t end_pts = seg->recording_time * seg->number;
+     int ret, can_split = 1;
+ 
++    if (!oc)
++        return AVERROR(EINVAL);
++
+     if (seg->has_video) {
+         can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO &&
+                     pkt->flags & AV_PKT_FLAG_KEY;
+@@ -322,11 +329,8 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
+     ret = ff_write_chained(oc, pkt->stream_index, pkt, s);
+ 
+ fail:
+-    if (ret < 0) {
+-        if (seg->list)
+-            avio_close(seg->pb);
+-        avformat_free_context(oc);
+-    }
++    if (ret < 0)
++        seg_free_context(seg);
+ 
+     return ret;
+ }
+@@ -335,7 +339,11 @@ static int seg_write_trailer(struct AVFormatContext *s)
+ {
+     SegmentContext *seg = s->priv_data;
+     AVFormatContext *oc = seg->avf;
+-    int ret;
++    int ret = 0;
++
++    if (!oc)
++        goto fail;
++
+     if (!seg->write_header_trailer) {
+         if ((ret = segment_end(oc, 0)) < 0)
+             goto fail;
+-- 
+2.4.1.314.g9532ead
+
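Review bot: The new seg_free_context() calls `avio_closep(&seg->pb)` and `avformat_free_context(seg->avf)` unconditionally, while the removed fail paths guarded them with `if (seg->list)` and, in seg_write_header, `if (seg->avf)`. The old `if (seg->avf)` guard suggests seg_write_header can reach `fail:` before seg->avf is set, so the backport relies on avformat_free_context() in the 9.18 tree accepting NULL and on avio_closep() being available there; please confirm both. The embedded patch carries the upstream commit's own index line (52da6b9..bcfd1f9), so it is also worth stating that it applies to the 9.18 segment.c without fuzz.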
diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb b/meta/recipes-multimedia/libav/libav_9.16.bb
deleted file mode 100644
index 79ff3f8..0000000
--- a/meta/recipes-multimedia/libav/libav_9.16.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-require libav.inc
-
-SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0"
-SRC_URI[sha256sum] = "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0"
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
new file mode 100644
index 0000000..210a649
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -0,0 +1,6 @@
+require libav.inc
+
+SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0"
+SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7"
+
+SRC_URI += "file://libav-fix-CVE-2014-9676.patch"
-- 
1.9.1




* Re: [PATCH 2/2] libav: upgrade to 9.18
  2015-05-26  7:14 ` [PATCH 2/2] libav: upgrade to 9.18 Kai Kang
@ 2015-05-27  1:24   ` Randy MacLeod
  2015-05-27  1:59     ` Kang Kai
  0 siblings, 1 reply; 5+ messages in thread
From: Randy MacLeod @ 2015-05-27  1:24 UTC (permalink / raw)
  To: Kai Kang, openembedded-core

On 2015-05-26 03:14 AM, Kai Kang wrote:
> Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
> backport patch to fix CVE-2014-9676.

We can keep that version if people want it but it's almost pretty old.

Version 11.3 is the latest branch.
    Libav 11.3
    https://libav.org/releases/libav-11.3.release

Oh and on the 11 branch, the CVE fix is in commit:

libav.git $ git branch --contains f6c82b34
* release/11

found by looking at your commit b3f0465, then finding a new
function seg_free_context and then:
$ git blame libavformat/segment.c | grep seg_free_context


There are some packages that depend on libav:
    libav/libpostproc_git.bb
    gstreamer
    alsa-plugins

From:
$ grep -r libav meta/recipes* | grep DEPENDS | grep -v libavahi
meta/recipes-multimedia/libav/libpostproc_git.bb:DEPENDS = "libav"


$ grep -r libav meta/ | grep PACKAGECONFIG | grep libav
meta/recipes-multimedia/gstreamer/gstreamer1.0-libav.inc:\
    PACKAGECONFIG[libav] = "--with-system-libav,,libav"
meta/recipes-multimedia/alsa/alsa-plugins_1.0.29.bb:\
    PACKAGECONFIG[avcodec] = "--enable-avcodec,--disable-avcodec,libav"


I think the upgrade should be okay but please do test it.

../Randy

>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
>   meta/recipes-multimedia/libav/libav.inc            |  2 -
>   .../libav/libav/libav-fix-CVE-2014-9676.patch      | 98 ++++++++++++++++++++++
>   meta/recipes-multimedia/libav/libav_9.16.bb        |  4 -
>   meta/recipes-multimedia/libav/libav_9.18.bb        |  6 ++
>   4 files changed, 104 insertions(+), 6 deletions(-)
>   create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
>   delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
>   create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb
>
> diff --git a/meta/recipes-multimedia/libav/libav.inc b/meta/recipes-multimedia/libav/libav.inc
> index cac836f..6ef273b 100644
> --- a/meta/recipes-multimedia/libav/libav.inc
> +++ b/meta/recipes-multimedia/libav/libav.inc
> @@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm"
>
>   DEPENDS = "alsa-lib zlib libogg yasm-native"
>
> -INC_PR = "r8"
> -
>   inherit autotools pkgconfig
>
>   B = "${S}/build.${HOST_SYS}.${TARGET_SYS}"
> diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
> new file mode 100644
> index 0000000..1e31caa
> --- /dev/null
> +++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
> @@ -0,0 +1,98 @@
> +Upstream-Status: Backport
> +
> +Backport patch to fix CVE-2014-9676.
> +
> +https://security-tracker.debian.org/tracker/CVE-2014-9676
> +https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348
> +
> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
> +---
> +From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001
> +From: Luca Barbato <lu_zero@gentoo.org>
> +Date: Mon, 5 Jan 2015 10:40:41 +0100
> +Subject: [PATCH] segment: Fix the failure paths
> +
> +A failure in segment_end() or segment_start() would lead to freeing
> +a dangling pointer and in general further calls to seg_write_packet()
> +or to seg_write_trailer() would have the same faulty behaviour.
> +
> +CC: libav-stable@libav.org
> +Reported-By: luodalongde@gmail.com
> +---
> + libavformat/segment.c | 32 ++++++++++++++++++++------------
> + 1 file changed, 20 insertions(+), 12 deletions(-)
> +
> +diff --git a/libavformat/segment.c b/libavformat/segment.c
> +index 52da6b9..bcfd1f9 100644
> +--- a/libavformat/segment.c
> ++++ b/libavformat/segment.c
> +@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb)
> +     av_free(pb);
> + }
> +
> ++static void seg_free_context(SegmentContext *seg)
> ++{
> ++    avio_closep(&seg->pb);
> ++    avformat_free_context(seg->avf);
> ++    seg->avf = NULL;
> ++}
> ++
> + static int seg_write_header(AVFormatContext *s)
> + {
> +     SegmentContext *seg = s->priv_data;
> +@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s)
> +     }
> +
> + fail:
> +-    if (ret) {
> +-        if (seg->list)
> +-            avio_close(seg->pb);
> +-        if (seg->avf)
> +-            avformat_free_context(seg->avf);
> +-    }
> ++    if (ret < 0)
> ++        seg_free_context(seg);
> ++
> +     return ret;
> + }
> +
> +@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
> +     int64_t end_pts = seg->recording_time * seg->number;
> +     int ret, can_split = 1;
> +
> ++    if (!oc)
> ++        return AVERROR(EINVAL);
> ++
> +     if (seg->has_video) {
> +         can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO &&
> +                     pkt->flags & AV_PKT_FLAG_KEY;
> +@@ -322,11 +329,8 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
> +     ret = ff_write_chained(oc, pkt->stream_index, pkt, s);
> +
> + fail:
> +-    if (ret < 0) {
> +-        if (seg->list)
> +-            avio_close(seg->pb);
> +-        avformat_free_context(oc);
> +-    }
> ++    if (ret < 0)
> ++        seg_free_context(seg);
> +
> +     return ret;
> + }
> +@@ -335,7 +339,11 @@ static int seg_write_trailer(struct AVFormatContext *s)
> + {
> +     SegmentContext *seg = s->priv_data;
> +     AVFormatContext *oc = seg->avf;
> +-    int ret;
> ++    int ret = 0;
> ++
> ++    if (!oc)
> ++        goto fail;
> ++
> +     if (!seg->write_header_trailer) {
> +         if ((ret = segment_end(oc, 0)) < 0)
> +             goto fail;
> +--
> +2.4.1.314.g9532ead
> +
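Review bot: In the seg_write_trailer hunk, the new `if (!oc) goto fail;` is taken with `ret` still 0, so a trailer call made after an earlier failure has freed the context can report success (what runs at `fail:` is not shown), while seg_write_packet returns `AVERROR(EINVAL)` for the same condition. Please note in the patch header that this asymmetry is upstream's behaviour, so it is not "fixed" locally and left to diverge from the backported commit.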
> diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb b/meta/recipes-multimedia/libav/libav_9.16.bb
> deleted file mode 100644
> index 79ff3f8..0000000
> --- a/meta/recipes-multimedia/libav/libav_9.16.bb
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -require libav.inc
> -
> -SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0"
> -SRC_URI[sha256sum] = "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0"
> diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
> new file mode 100644
> index 0000000..210a649
> --- /dev/null
> +++ b/meta/recipes-multimedia/libav/libav_9.18.bb
> @@ -0,0 +1,6 @@
> +require libav.inc
> +
> +SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0"
> +SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7"
> +
> +SRC_URI += "file://libav-fix-CVE-2014-9676.patch"
>


-- 
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, 
Canada, K2K 2W5
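
The lookup described in the message above, as an added example that is not part of the original thread: a cherry-picked fix gets a different hash on each branch, so the upstream hash cannot be used to test a release branch, and the fix has to be located by what it introduced. The repository is a constructed throwaway; the branch names `mainline` and `release/demo` and the file contents are assumptions, not libav's history.

```shell
#!/bin/sh
# Added example: locate a backported fix on a release branch by the symbol it
# introduced, then list the branches that contain that commit.
set -eu

# Build a constructed repo: a fix lands on "mainline" and is cherry-picked
# onto "release/demo", which has already diverged by one commit.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" symbolic-ref HEAD refs/heads/mainline
    git -C "$repo" config user.name demo
    git -C "$repo" config user.email demo@example.invalid
    mkdir -p "$repo/libavformat"
    echo 'static int seg_write_header(void) { return 0; }' \
        > "$repo/libavformat/segment.c"
    git -C "$repo" add libavformat/segment.c
    git -C "$repo" commit -q -m 'segment: initial import'

    # Release branch diverges, so a later cherry-pick gets a new parent.
    git -C "$repo" checkout -q -b release/demo
    echo 'demo release' > "$repo/RELEASE"
    git -C "$repo" add RELEASE
    git -C "$repo" commit -q -m 'release: open branch'

    # The fix on mainline introduces a new function.
    git -C "$repo" checkout -q mainline
    echo 'static void seg_free_context(void) { }' \
        >> "$repo/libavformat/segment.c"
    git -C "$repo" commit -q -a -m 'segment: Fix the failure paths'

    # Backport it to the release branch.
    git -C "$repo" checkout -q release/demo
    git -C "$repo" cherry-pick mainline >/dev/null
    echo "$repo"
}

# Print the full hash of the commit that, on branch $2, last touched the
# line of file $3 containing the string $4 (the "git blame | grep" step).
fix_commit_on_branch() {
    git -C "$1" blame -l -s "$2" -- "$3" | grep -F -- "$4" \
        | head -n 1 | cut -d' ' -f1
}

# Print the local branches containing commit $2, space separated.
branches_containing() {
    git -C "$1" for-each-ref --contains "$2" \
        --format='%(refname:short)' refs/heads | paste -s -d ' ' -
}

demo=$(make_demo_repo)
upstream_fix=$(git -C "$demo" rev-parse mainline)
release_fix=$(fix_commit_on_branch "$demo" release/demo \
    libavformat/segment.c seg_free_context)
echo "upstream fix $upstream_fix is on: $(branches_containing "$demo" "$upstream_fix")"
echo "release fix  $release_fix is on: $(branches_containing "$demo" "$release_fix")"
rm -rf "$demo"
```

When auditing whether a CVE fix reached a maintained branch, record the branch-local hash found this way next to the upstream one.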



* Re: [PATCH 2/2] libav: upgrade to 9.18
  2015-05-27  1:24   ` Randy MacLeod
@ 2015-05-27  1:59     ` Kang Kai
  0 siblings, 0 replies; 5+ messages in thread
From: Kang Kai @ 2015-05-27  1:59 UTC (permalink / raw)
  To: Randy MacLeod, openembedded-core

On 2015-05-27 09:24, Randy MacLeod wrote:
> On 2015-05-26 03:14 AM, Kai Kang wrote:
>> Upgrade libav from version 9.16 to 9.18. Remove unused var INC_PR and
>> backport patch to fix CVE-2014-9676.
>
> We can keep that version if people want it but it's almost pretty old.
>
> Version 11.3 is the latest branch.
>    Libav 11.3
>    https://libav.org/releases/libav-11.3.release
>
> Oh and on the 11 branch, the CVE fix is in commit:
>
> libav.git $ git branch --contains f6c82b34
> * release/11
>
> found by looking at your commit b3f0465, then finding a new
> function seg_free_context and then:
> $ git blame libavformat/segment.c | grep seg_free_context
>
>
> There are some packages that depend on libav:
>    libav/libpostproc_git.bb
>    gstreamer
>    alsa-plugins
>
> From:
> $ grep -r libav meta/recipes* | grep DEPENDS | grep -v libavahi
> meta/recipes-multimedia/libav/libpostproc_git.bb:DEPENDS = "libav"
>
>
> $ grep -r libav meta/ | grep PACKAGECONFIG | grep libav
> meta/recipes-multimedia/gstreamer/gstreamer1.0-libav.inc:\
>    PACKAGECONFIG[libav] = "--with-system-libav,,libav"
> meta/recipes-multimedia/alsa/alsa-plugins_1.0.29.bb:\
>    PACKAGECONFIG[avcodec] = "--enable-avcodec,--disable-avcodec,libav"
>
>
> I think the upgrade should be okay but please do test it.

I'll add a recipe for series 11. If the old version recipe is kept, I
suppose it is necessary to update it to the latest version for series 9.

--Kai

>
> ../Randy
>
>>
>> Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> ---
>>   meta/recipes-multimedia/libav/libav.inc            |  2 -
>>   .../libav/libav/libav-fix-CVE-2014-9676.patch      | 98 
>> ++++++++++++++++++++++
>>   meta/recipes-multimedia/libav/libav_9.16.bb        |  4 -
>>   meta/recipes-multimedia/libav/libav_9.18.bb        |  6 ++
>>   4 files changed, 104 insertions(+), 6 deletions(-)
>>   create mode 100644 
>> meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
>>   delete mode 100644 meta/recipes-multimedia/libav/libav_9.16.bb
>>   create mode 100644 meta/recipes-multimedia/libav/libav_9.18.bb
>>
>> diff --git a/meta/recipes-multimedia/libav/libav.inc 
>> b/meta/recipes-multimedia/libav/libav.inc
>> index cac836f..6ef273b 100644
>> --- a/meta/recipes-multimedia/libav/libav.inc
>> +++ b/meta/recipes-multimedia/libav/libav.inc
>> @@ -24,8 +24,6 @@ ARM_INSTRUCTION_SET = "arm"
>>
>>   DEPENDS = "alsa-lib zlib libogg yasm-native"
>>
>> -INC_PR = "r8"
>> -
>>   inherit autotools pkgconfig
>>
>>   B = "${S}/build.${HOST_SYS}.${TARGET_SYS}"
>> diff --git 
>> a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch 
>> b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
>> new file mode 100644
>> index 0000000..1e31caa
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2014-9676.patch
>> @@ -0,0 +1,98 @@
>> +Upstream-Status: Backport
>> +
>> +Backport patch to fix CVE-2014-9676.
>> +
>> +https://security-tracker.debian.org/tracker/CVE-2014-9676
>> +https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 
>>
>> +
>> +Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> +---
>> +From b3f04657368a32a9903406395f865e230b1de348 Mon Sep 17 00:00:00 2001
>> +From: Luca Barbato <lu_zero@gentoo.org>
>> +Date: Mon, 5 Jan 2015 10:40:41 +0100
>> +Subject: [PATCH] segment: Fix the failure paths
>> +
>> +A failure in segment_end() or segment_start() would lead to freeing
>> +a dangling pointer and in general further calls to seg_write_packet()
>> +or to seg_write_trailer() would have the same faulty behaviour.
>> +
>> +CC: libav-stable@libav.org
>> +Reported-By: luodalongde@gmail.com
>> +---
>> + libavformat/segment.c | 32 ++++++++++++++++++++------------
>> + 1 file changed, 20 insertions(+), 12 deletions(-)
>> +
>> +diff --git a/libavformat/segment.c b/libavformat/segment.c
>> +index 52da6b9..bcfd1f9 100644
>> +--- a/libavformat/segment.c
>> ++++ b/libavformat/segment.c
>> +@@ -184,6 +184,13 @@ static void close_null_ctx(AVIOContext *pb)
>> +     av_free(pb);
>> + }
>> +
>> ++static void seg_free_context(SegmentContext *seg)
>> ++{
>> ++    avio_closep(&seg->pb);
>> ++    avformat_free_context(seg->avf);
>> ++    seg->avf = NULL;
>> ++}
>> ++
>> + static int seg_write_header(AVFormatContext *s)
>> + {
>> +     SegmentContext *seg = s->priv_data;
>> +@@ -265,12 +272,9 @@ static int seg_write_header(AVFormatContext *s)
>> +     }
>> +
>> + fail:
>> +-    if (ret) {
>> +-        if (seg->list)
>> +-            avio_close(seg->pb);
>> +-        if (seg->avf)
>> +-            avformat_free_context(seg->avf);
>> +-    }
>> ++    if (ret < 0)
>> ++        seg_free_context(seg);
>> ++
>> +     return ret;
>> + }
>> +
>> +@@ -282,6 +286,9 @@ static int seg_write_packet(AVFormatContext *s, 
>> AVPacket *pkt)
>> +     int64_t end_pts = seg->recording_time * seg->number;
>> +     int ret, can_split = 1;
>> +
>> ++    if (!oc)
>> ++        return AVERROR(EINVAL);
>> ++
>> +     if (seg->has_video) {
>> +         can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO &&
>> +                     pkt->flags & AV_PKT_FLAG_KEY;
>> +@@ -322,11 +329,8 @@ static int seg_write_packet(AVFormatContext *s, 
>> AVPacket *pkt)
>> +     ret = ff_write_chained(oc, pkt->stream_index, pkt, s);
>> +
>> + fail:
>> +-    if (ret < 0) {
>> +-        if (seg->list)
>> +-            avio_close(seg->pb);
>> +-        avformat_free_context(oc);
>> +-    }
>> ++    if (ret < 0)
>> ++        seg_free_context(seg);
>> +
>> +     return ret;
>> + }
>> +@@ -335,7 +339,11 @@ static int seg_write_trailer(struct 
>> AVFormatContext *s)
>> + {
>> +     SegmentContext *seg = s->priv_data;
>> +     AVFormatContext *oc = seg->avf;
>> +-    int ret;
>> ++    int ret = 0;
>> ++
>> ++    if (!oc)
>> ++        goto fail;
>> ++
>> +     if (!seg->write_header_trailer) {
>> +         if ((ret = segment_end(oc, 0)) < 0)
>> +             goto fail;
>> +--
>> +2.4.1.314.g9532ead
>> +
>> diff --git a/meta/recipes-multimedia/libav/libav_9.16.bb 
>> b/meta/recipes-multimedia/libav/libav_9.16.bb
>> deleted file mode 100644
>> index 79ff3f8..0000000
>> --- a/meta/recipes-multimedia/libav/libav_9.16.bb
>> +++ /dev/null
>> @@ -1,4 +0,0 @@
>> -require libav.inc
>> -
>> -SRC_URI[md5sum] = "7b44b75cec24b8e7545e5029e76917e0"
>> -SRC_URI[sha256sum] = 
>> "ca846473b0b8ed8e3404c52e5e92df6d35cb5fa487eec498525de3ffda4367a0"
>> diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb 
>> b/meta/recipes-multimedia/libav/libav_9.18.bb
>> new file mode 100644
>> index 0000000..210a649
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/libav/libav_9.18.bb
>> @@ -0,0 +1,6 @@
>> +require libav.inc
>> +
>> +SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0"
>> +SRC_URI[sha256sum] = 
>> "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7"
>> +
>> +SRC_URI += "file://libav-fix-CVE-2014-9676.patch"
>>
>
>


-- 
Regards,
Neil | Kai Kang


