GNU bug report logs - #30586
[PATCH] gnu: wavpack: Fix CVE-2018-7253 and CVE-2018-7254.
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Fri, 23 Feb 2018 12:25:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#30586; Package guix-patches. (Fri, 23 Feb 2018 12:25:02 GMT)
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 23 Feb 2018 12:25:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/wavpack-CVE-2018-7253.patch,
gnu/packages/patches/wavpack-CVE-2018-7254.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/audio.scm (wavpack)[source](patches): Use them.
---
gnu/local.mk | 2 +
gnu/packages/audio.scm | 2 +
gnu/packages/patches/wavpack-CVE-2018-7253.patch | 29 +++++++++++
gnu/packages/patches/wavpack-CVE-2018-7254.patch | 62 ++++++++++++++++++++++++
4 files changed, 95 insertions(+)
create mode 100644 gnu/packages/patches/wavpack-CVE-2018-7253.patch
create mode 100644 gnu/packages/patches/wavpack-CVE-2018-7254.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 7744facce..8128da9d1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1142,6 +1142,8 @@ dist_patch_DATA = \
%D%/packages/patches/vsearch-unbundle-cityhash.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
+ %D%/packages/patches/wavpack-CVE-2018-7253.patch \
+ %D%/packages/patches/wavpack-CVE-2018-7254.patch \
%D%/packages/patches/weechat-python.patch \
%D%/packages/patches/wicd-bitrate-none-fix.patch \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 47179aea9..b1a15ed34 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -2377,6 +2377,8 @@ stretching and pitch scaling of audio. This package contains the library.")
(method url-fetch)
(uri (string-append "http://www.wavpack.com/"
name "-" version ".tar.bz2"))
+ (patches (search-patches "wavpack-CVE-2018-7253.patch"
+ "wavpack-CVE-2018-7254.patch"))
(sha256
(base32
"0i19c6krc0p9krwrqy9s5xahaafigqzxcn31piidmlaqadyn4f8r"))))
diff --git a/gnu/packages/patches/wavpack-CVE-2018-7253.patch b/gnu/packages/patches/wavpack-CVE-2018-7253.patch
new file mode 100644
index 000000000..651755afd
--- /dev/null
+++ b/gnu/packages/patches/wavpack-CVE-2018-7253.patch
@@ -0,0 +1,29 @@
+Fix CVE-2018-7253:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
+
+Copied from upstream:
+https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index 410dc1c..c016df9 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ error_line ("dsdiff file version = 0x%08x", version);
+ }
+ else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
+- char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
++ char *prop_chunk;
++
++ if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ if (debug_logging_mode)
++ error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
++
++ prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+
+ if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
+ bcount != dff_chunk_header.ckDataSize) {
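Review bot: in the PROP branch the result of `prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);` is still handed straight to DoReadFile with no NULL check; the new 4..1024 bound makes an allocation failure unlikely but does not rule it out, so an `if (!prop_chunk)` error return before the read would close that path. The limits 4 and 1024 are bare literals with no comment, and the patch header only links to the CVE entry and the upstream commit; one line describing what the change guards against (a file-controlled ckDataSize that previously went to malloc unchecked) would let readers of gnu/packages/patches judge the patch without following the links.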
diff --git a/gnu/packages/patches/wavpack-CVE-2018-7254.patch b/gnu/packages/patches/wavpack-CVE-2018-7254.patch
new file mode 100644
index 000000000..61db296ec
--- /dev/null
+++ b/gnu/packages/patches/wavpack-CVE-2018-7254.patch
@@ -0,0 +1,62 @@
+Fix CVE-2018-7254:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254
+
+Copied from upstream:
+https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e
+
+diff --git a/cli/caff.c b/cli/caff.c
+index ae57c4b..6248a71 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -89,8 +89,8 @@ typedef struct
+
+ #define CAFChannelDescriptionFormat "LLLLL"
+
+-static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21 };
+-static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16 };
++static const char TMH_full [] = { 1,2,3,13,9,10,5,6,12,14,15,16,17,9,4,18,7,8,19,20,21,0 };
++static const char TMH_std [] = { 1,2,3,11,8,9,5,6,10,12,13,14,15,7,4,16,0 };
+
+ static struct {
+ uint32_t mChannelLayoutTag; // Core Audio layout, 100 - 146 in high word, num channels in low word
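Review bot: the trailing 0 appended to TMH_full and TMH_std carries no comment saying it is a terminator, and the code that walks these arrays is not part of this patch, so the hunk alone does not show why the sentinel is needed or that 0 can never be a legitimate entry; a short comment on the two declarations stating the convention would cover it. Separately, TMH_full lists 9 twice and never 11 (unchanged by this patch), which may be worth raising upstream.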
+@@ -274,10 +274,19 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ }
+ }
+ else if (!strncmp (caf_chunk_header.mChunkType, "chan", 4)) {
+- CAFChannelLayout *caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++ CAFChannelLayout *caf_channel_layout;
+
+- if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) ||
+- !DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
++ if (caf_chunk_header.mChunkSize < sizeof (CAFChannelLayout) || caf_chunk_header.mChunkSize > 1024) {
++ error_line ("this .CAF file has an invalid 'chan' chunk!");
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ if (debug_logging_mode)
++ error_line ("'chan' chunk is %d bytes", (int) caf_chunk_header.mChunkSize);
++
++ caf_channel_layout = malloc ((size_t) caf_chunk_header.mChunkSize);
++
++ if (!DoReadFile (infile, caf_channel_layout, (uint32_t) caf_chunk_header.mChunkSize, &bcount) ||
+ bcount != caf_chunk_header.mChunkSize) {
+ error_line ("%s is not a valid .CAF file!", infilename);
+ free (caf_channel_layout);
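Review bot: the new early return for an out-of-range 'chan' chunk reports "this .CAF file has an invalid 'chan' chunk!" without infilename, while the read-failure path just below still prints "%s is not a valid .CAF file!"; naming the file in both keeps diagnostics usable when several inputs are processed. The malloc result for caf_channel_layout is also still passed to DoReadFile unchecked, and the 1024 ceiling is an unexplained literal; a NULL check and a named constant or comment would address both.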
+@@ -495,8 +504,15 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ }
+ else { // just copy unknown chunks to output file
+
+- int bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
+- char *buff = malloc (bytes_to_copy);
++ uint32_t bytes_to_copy = (uint32_t) caf_chunk_header.mChunkSize;
++ char *buff;
++
++ if (caf_chunk_header.mChunkSize < 0 || caf_chunk_header.mChunkSize > 1048576) {
++ error_line ("%s is not a valid .CAF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
++ buff = malloc (bytes_to_copy);
+
+ if (debug_logging_mode)
+ error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
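Review bot: the new ceiling in the unknown-chunk branch, `caf_chunk_header.mChunkSize > 1048576`, rejects any file carrying a larger unrecognised chunk with "%s is not a valid .CAF file!", which misdescribes a file that merely exceeds this limit; either say so in the message or add a comment explaining why 1048576 was chosen. The `mChunkSize < 0` test only has an effect if mChunkSize is a signed type, which this hunk does not show, and with bytes_to_copy now uint32_t the "of %d bytes" debug format that follows should be checked against the argument it is given. The visible lines also do not show buff being tested for NULL after `buff = malloc (bytes_to_copy);`.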
--
2.16.2
Information forwarded to guix-patches <at> gnu.org: bug#30586; Package guix-patches. (Fri, 23 Feb 2018 18:08:01 GMT)
Message #8 received at 30586 <at> debbugs.gnu.org (full text, mbox):
On Fri, Feb 23, 2018 at 01:24:16PM +0100, Marius Bakke wrote:
> * gnu/packages/patches/wavpack-CVE-2018-7253.patch,
> gnu/packages/patches/wavpack-CVE-2018-7254.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register them.
> * gnu/packages/audio.scm (wavpack)[source](patches): Use them.
Thanks, LGTM!
Reply sent to Marius Bakke <mbakke <at> fastmail.com>: You have taken responsibility. (Fri, 23 Feb 2018 19:43:03 GMT)
Notification sent to Marius Bakke <mbakke <at> fastmail.com>: bug acknowledged by developer. (Fri, 23 Feb 2018 19:43:04 GMT)
Message #13 received at 30586-done <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Feb 23, 2018 at 01:24:16PM +0100, Marius Bakke wrote:
>> * gnu/packages/patches/wavpack-CVE-2018-7253.patch,
>> gnu/packages/patches/wavpack-CVE-2018-7254.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register them.
>> * gnu/packages/audio.scm (wavpack)[source](patches): Use them.
>
> Thanks, LGTM!
Pushed as 65f704f3735fa7c979f36629d402b9458cc96ad0.
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 24 Mar 2018 11:24:04 GMT)