GNU bug report logs - #26739
[PATCH 1/1] gnu: libsndfile: Fix CVE-2017-{8361,8362,8363,8365}.

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 1 May 2017 18:28:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#26739; Package guix-patches. (Mon, 01 May 2017 18:28:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 01 May 2017 18:28:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 1/1] gnu: libsndfile: Fix CVE-2017-{8361,8362,8363,8365}.
Date: Mon,  1 May 2017 14:26:43 -0400

* gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch,
gnu/packages/patches/libsndfile-CVE-2017-8362.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
[libsndfile/fixed]: Use them.
---
 gnu/local.mk                                       |  2 +
 .../libsndfile-CVE-2017-8361-8363-8365.patch       | 77 ++++++++++++++++++++++
 .../patches/libsndfile-CVE-2017-8362.patch         | 61 +++++++++++++++++
 gnu/packages/pulseaudio.scm                        | 13 ++++
 4 files changed, 153 insertions(+)
 create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
 create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-8362.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f5574ecd8..52000a2c5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -719,6 +719,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmad-frame-length.patch		\
   %D%/packages/patches/libmad-mips-newgcc.patch			\
   %D%/packages/patches/libsndfile-armhf-type-checks.patch	\
+  %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
+  %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch \
   %D%/packages/patches/libtheora-config-guess.patch		\
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch b/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
new file mode 100644
index 000000000..5f63231af
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
@@ -0,0 +1,77 @@
+Fix CVE-2017-{8361,8363,8365}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
+
+Patch copied from upstream source repository:
+
+https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+
+From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd <at> mega-nerd.com>
+Date: Wed, 12 Apr 2017 19:45:30 +1000
+Subject: [PATCH] FLAC: Fix a buffer read overrun
+
+Buffer read overrun occurs when reading a FLAC file that switches
+from 2 channels to one channel mid-stream. Only option is to
+abort the read.
+
+Closes: https://github.com/erikd/libsndfile/issues/230
+---
+ src/common.h  |  1 +
+ src/flac.c    | 13 +++++++++++++
+ src/sndfile.c |  1 +
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/common.h b/src/common.h
+index 0bd810c3..e2669b6a 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -725,6 +725,7 @@ enum
+ 	SFE_FLAC_INIT_DECODER,
+ 	SFE_FLAC_LOST_SYNC,
+ 	SFE_FLAC_BAD_SAMPLE_RATE,
++	SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ 	SFE_FLAC_UNKOWN_ERROR,
+ 
+ 	SFE_WVE_NOT_WVE,
+diff --git a/src/flac.c b/src/flac.c
+index 84de0e26..986a7b8f 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
+ 
+ 	switch (metadata->type)
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
++			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++									"Nothing to be but to error out.\n" ,
++									psf->sf.channels, metadata->data.stream_info.channels) ;
++				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++				return ;
++				} ;
++
++			if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++			{	psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++									"Carrying on as if nothing happened.",
++									psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++				} ;
+ 			psf->sf.channels = metadata->data.stream_info.channels ;
+ 			psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ 			psf->sf.frames = metadata->data.stream_info.total_samples ;
+diff --git a/src/sndfile.c b/src/sndfile.c
+index 41875610..e2a87be8 100644
+--- a/src/sndfile.c
++++ b/src/sndfile.c
+@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
+ 	{	SFE_FLAC_INIT_DECODER	, "Error : problem with initialization of the flac decoder." },
+ 	{	SFE_FLAC_LOST_SYNC		, "Error : flac decoder lost sync." },
+ 	{	SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++	{	SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ 	{	SFE_FLAC_UNKOWN_ERROR	, "Error : unknown error in flac decoder." },
+ 
+ 	{	SFE_WVE_NOT_WVE			, "Error : not a WVE file." },
+-- 
+2.12.2
+
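
Review bot: the header at the top of this patch file lists CVE-2017-8361, -8363 and -8365, but the embedded upstream commit message describes one case (a stream that switches from 2 channels to one) and closes only issue 230; add a sentence to the header saying why the single STREAMINFO check in sf_flac_meta_callback is taken to cover all three, so a later audit does not have to re-derive it. Two smaller things in the src/flac.c hunk, both inherited from upstream: the channel check is guarded by psf->sf.channels > 0 and sits in the FLAC__METADATA_TYPE_STREAMINFO case, so it only fires on a later STREAMINFO block and does nothing for a channel change carried in a frame header; and the sample-rate warning string has no trailing \n while the error string above it does.
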
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-8362.patch b/gnu/packages/patches/libsndfile-CVE-2017-8362.patch
new file mode 100644
index 000000000..5fc52a377
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2017-8362.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-8362:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
+
+Patch copied from upstream source repository:
+
+https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+
+From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd <at> mega-nerd.com>
+Date: Fri, 14 Apr 2017 15:19:16 +1000
+Subject: [PATCH] src/flac.c: Fix a buffer read overflow
+
+A file (generated by a fuzzer) which increased the number of channels
+from one frame to the next could cause a read beyond the end of the
+buffer provided by libFLAC. Only option is to abort the read.
+
+Closes: https://github.com/erikd/libsndfile/issues/231
+---
+ src/flac.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/flac.c b/src/flac.c
+index 5a4f8c21..e4f9aaa0 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ 	const int32_t* const *buffer = pflac->wbuffer ;
+ 	unsigned i = 0, j, offset, channels, len ;
+ 
++	if (psf->sf.channels != (int) frame->header.channels)
++	{	psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++									"Nothing to do but to error out.\n" ,
++									psf->sf.channels, frame->header.channels) ;
++		psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++		return 0 ;
++		} ;
++
+ 	/*
+ 	**	frame->header.blocksize is variable and we're using a constant blocksize
+ 	**	of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
+ 		return 0 ;
+ 		} ;
+ 
+-
+ 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
+ 
+ 	if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
+ 	{	case FLAC__METADATA_TYPE_STREAMINFO :
+ 			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ 			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+-									"Nothing to be but to error out.\n" ,
++									"Nothing to do but to error out.\n" ,
+ 									psf->sf.channels, metadata->data.stream_info.channels) ;
+ 				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ 				return ;
+-- 
+2.12.2
+
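
Review bot: the new guard at the top of flac_buffer_copy reports the channel mismatch by setting psf->error and returning 0, the same value the existing early exit further down (the "return 0 ;" visible in the second hunk's context) returns, so a caller that only looks at the returned count cannot tell the abort from an empty read; it is worth confirming that the read paths check psf->error after the call before relying on this as the complete fix. Unlike the STREAMINFO check, this one has no psf->sf.channels > 0 precondition, which suits a per-frame check but means a frame processed while psf->sf.channels is still 0 would also error out. The last hunk only corrects the "Nothing to be" wording that the other patch introduces.
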
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index c52f265cc..92ebe6f3e 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.28")
     (source (origin
              (method url-fetch)
@@ -76,6 +77,18 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
+(define libsndfile/fixed
+  (package
+    (inherit libsndfile)
+    (source
+      (origin
+        (inherit (package-source libsndfile))
+        (patches
+          (append
+            (origin-patches (package-source libsndfile))
+            (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
+                            "libsndfile-CVE-2017-8362.patch")))))))
+
 (define-public libsamplerate
   (package
     (name "libsamplerate")                     ; aka. Secret Rabbit Code (SRC)
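
Review bot: the order of the two names passed to search-patches in libsndfile/fixed is load-bearing and nothing in the definition says so: libsndfile-CVE-2017-8362.patch uses SFE_FLAC_CHANNEL_COUNT_CHANGED and edits the "Nothing to be but to error out" line, both of which exist only once libsndfile-CVE-2017-8361-8363-8365.patch has been applied. A one-line comment above search-patches would keep someone from reordering the list or dropping one entry. Appending to (origin-patches (package-source libsndfile)) instead of replacing the list is the right choice, since it keeps whatever patches the package already carries.
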
-- 
2.12.2





Information forwarded to guix-patches <at> gnu.org:
bug#26739; Package guix-patches. (Mon, 01 May 2017 19:21:02 GMT)

Message #8 received at 26739 <at> debbugs.gnu.org:

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26739 <at> debbugs.gnu.org
Subject: Re: bug#26739: [PATCH 1/1] gnu: libsndfile: Fix CVE-2017-{8361, 8362, 8363, 8365}.
Date: Mon, 01 May 2017 15:20:39 -0400
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch,
> gnu/packages/patches/libsndfile-CVE-2017-8362.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> [libsndfile/fixed]: Use them.
> ---
>  gnu/local.mk                                       |  2 +
>  .../libsndfile-CVE-2017-8361-8363-8365.patch       | 77 ++++++++++++++++++++++
>  .../patches/libsndfile-CVE-2017-8362.patch         | 61 +++++++++++++++++
>  gnu/packages/pulseaudio.scm                        | 13 ++++
>  4 files changed, 153 insertions(+)
>  create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
>  create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-8362.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index f5574ecd8..52000a2c5 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -719,6 +719,8 @@ dist_patch_DATA =						\
>    %D%/packages/patches/libmad-frame-length.patch		\
>    %D%/packages/patches/libmad-mips-newgcc.patch			\
>    %D%/packages/patches/libsndfile-armhf-type-checks.patch	\
> +  %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
> +  %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
>    %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
>    %D%/packages/patches/libtar-CVE-2013-4420.patch \
>    %D%/packages/patches/libtheora-config-guess.patch		\
> diff --git a/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch b/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
> new file mode 100644
> index 000000000..5f63231af
> --- /dev/null
> +++ b/gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch
> @@ -0,0 +1,77 @@
> +Fix CVE-2017-{8361,8363,8365}:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
> +
> +From fd0484aba8e51d16af1e3a880f9b8b857b385eb3 Mon Sep 17 00:00:00 2001
> +From: Erik de Castro Lopo <erikd <at> mega-nerd.com>
> +Date: Wed, 12 Apr 2017 19:45:30 +1000
> +Subject: [PATCH] FLAC: Fix a buffer read overrun
> +
> +Buffer read overrun occurs when reading a FLAC file that switches
> +from 2 channels to one channel mid-stream. Only option is to
> +abort the read.
> +
> +Closes: https://github.com/erikd/libsndfile/issues/230
> +---
> + src/common.h  |  1 +
> + src/flac.c    | 13 +++++++++++++
> + src/sndfile.c |  1 +
> + 3 files changed, 15 insertions(+)
> +
> +diff --git a/src/common.h b/src/common.h
> +index 0bd810c3..e2669b6a 100644
> +--- a/src/common.h
> ++++ b/src/common.h
> +@@ -725,6 +725,7 @@ enum
> + 	SFE_FLAC_INIT_DECODER,
> + 	SFE_FLAC_LOST_SYNC,
> + 	SFE_FLAC_BAD_SAMPLE_RATE,
> ++	SFE_FLAC_CHANNEL_COUNT_CHANGED,
> + 	SFE_FLAC_UNKOWN_ERROR,
> + 
> + 	SFE_WVE_NOT_WVE,
> +diff --git a/src/flac.c b/src/flac.c
> +index 84de0e26..986a7b8f 100644
> +--- a/src/flac.c
> ++++ b/src/flac.c
> +@@ -434,6 +434,19 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
> + 
> + 	switch (metadata->type)
> + 	{	case FLAC__METADATA_TYPE_STREAMINFO :
> ++			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
> ++			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
> ++									"Nothing to be but to error out.\n" ,
> ++									psf->sf.channels, metadata->data.stream_info.channels) ;
> ++				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
> ++				return ;
> ++				} ;
> ++
> ++			if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
> ++			{	psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
> ++									"Carrying on as if nothing happened.",
> ++									psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
> ++				} ;
> + 			psf->sf.channels = metadata->data.stream_info.channels ;
> + 			psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
> + 			psf->sf.frames = metadata->data.stream_info.total_samples ;
> +diff --git a/src/sndfile.c b/src/sndfile.c
> +index 41875610..e2a87be8 100644
> +--- a/src/sndfile.c
> ++++ b/src/sndfile.c
> +@@ -245,6 +245,7 @@ ErrorStruct SndfileErrors [] =
> + 	{	SFE_FLAC_INIT_DECODER	, "Error : problem with initialization of the flac decoder." },
> + 	{	SFE_FLAC_LOST_SYNC		, "Error : flac decoder lost sync." },
> + 	{	SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
> ++	{	SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
> + 	{	SFE_FLAC_UNKOWN_ERROR	, "Error : unknown error in flac decoder." },
> + 
> + 	{	SFE_WVE_NOT_WVE			, "Error : not a WVE file." },
> +-- 
> +2.12.2
> +
> diff --git a/gnu/packages/patches/libsndfile-CVE-2017-8362.patch b/gnu/packages/patches/libsndfile-CVE-2017-8362.patch
> new file mode 100644
> index 000000000..5fc52a377
> --- /dev/null
> +++ b/gnu/packages/patches/libsndfile-CVE-2017-8362.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2017-8362:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
> +
> +From ef1dbb2df1c0e741486646de40bd638a9c4cd808 Mon Sep 17 00:00:00 2001
> +From: Erik de Castro Lopo <erikd <at> mega-nerd.com>
> +Date: Fri, 14 Apr 2017 15:19:16 +1000
> +Subject: [PATCH] src/flac.c: Fix a buffer read overflow
> +
> +A file (generated by a fuzzer) which increased the number of channels
> +from one frame to the next could cause a read beyond the end of the
> +buffer provided by libFLAC. Only option is to abort the read.
> +
> +Closes: https://github.com/erikd/libsndfile/issues/231
> +---
> + src/flac.c | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/flac.c b/src/flac.c
> +index 5a4f8c21..e4f9aaa0 100644
> +--- a/src/flac.c
> ++++ b/src/flac.c
> +@@ -169,6 +169,14 @@ flac_buffer_copy (SF_PRIVATE *psf)
> + 	const int32_t* const *buffer = pflac->wbuffer ;
> + 	unsigned i = 0, j, offset, channels, len ;
> + 
> ++	if (psf->sf.channels != (int) frame->header.channels)
> ++	{	psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
> ++									"Nothing to do but to error out.\n" ,
> ++									psf->sf.channels, frame->header.channels) ;
> ++		psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
> ++		return 0 ;
> ++		} ;
> ++
> + 	/*
> + 	**	frame->header.blocksize is variable and we're using a constant blocksize
> + 	**	of FLAC__MAX_BLOCK_SIZE.
> +@@ -202,7 +210,6 @@ flac_buffer_copy (SF_PRIVATE *psf)
> + 		return 0 ;
> + 		} ;
> + 
> +-
> + 	len = SF_MIN (pflac->len, frame->header.blocksize) ;
> + 
> + 	if (pflac->remain % channels != 0)
> +@@ -436,7 +443,7 @@ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC_
> + 	{	case FLAC__METADATA_TYPE_STREAMINFO :
> + 			if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
> + 			{	psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
> +-									"Nothing to be but to error out.\n" ,
> ++									"Nothing to do but to error out.\n" ,
> + 									psf->sf.channels, metadata->data.stream_info.channels) ;
> + 				psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
> + 				return ;
> +-- 
> +2.12.2
> +
> diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
> index c52f265cc..92ebe6f3e 100644
> --- a/gnu/packages/pulseaudio.scm
> +++ b/gnu/packages/pulseaudio.scm
> @@ -45,6 +45,7 @@
>  (define-public libsndfile
>    (package
>      (name "libsndfile")
> +    (replacement libsndfile/fixed)
>      (version "1.0.28")
>      (source (origin
>               (method url-fetch)
> @@ -76,6 +77,18 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
>  for reading and writing new sound file formats.")
>      (license l:gpl2+)))
>  
> +(define libsndfile/fixed
> +  (package
> +    (inherit libsndfile)
> +    (source
> +      (origin
> +        (inherit (package-source libsndfile))
> +        (patches
> +          (append
> +            (origin-patches (package-source libsndfile))
> +            (search-patches "libsndfile-CVE-2017-8361-8363-8365.patch"
> +                            "libsndfile-CVE-2017-8362.patch")))))))
> +
>  (define-public libsamplerate
>    (package
>      (name "libsamplerate")                     ; aka. Secret Rabbit Code (SRC)

LGTM.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 01 May 2017 19:54:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 01 May 2017 19:54:02 GMT)

Message #13 received at 26739-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 26739-done <at> debbugs.gnu.org
Subject: Re: bug#26739: [PATCH 1/1] gnu: libsndfile: Fix CVE-2017-{8361,8362,8363,8365}.
Date: Mon, 1 May 2017 15:53:44 -0400
On Mon, May 01, 2017 at 03:20:39PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch,
> > gnu/packages/patches/libsndfile-CVE-2017-8362.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> > [libsndfile/fixed]: Use them.

> LGTM.

Thanks, pushed!

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 30 May 2017 11:24:04 GMT)

This bug report was last modified 8 years and 22 days ago.