Hello community, here is the log from the commit of package libsndfile for openSUSE:11.3 checked in at Tue Jul 19 13:07:04 CEST 2011.
-------- --- old-versions/11.3/all/libsndfile/libsndfile.changes 2009-12-16 09:57:48.000000000 +0100 +++ 11.3/libsndfile/libsndfile.changes 2011-07-18 17:39:39.000000000 +0200 @@ -1,0 +2,11 @@ +Mon Jul 18 17:36:03 CEST 2011 - [email protected] + +- Fix VUL-0: libsndfile: Integer overflow by processing certain + PAF files (CVE-2011-2696, bnc#705681) + +------------------------------------------------------------------- +Mon Aug 16 14:00:57 CEST 2010 - [email protected] + +- Fix VUL-1: divide-by-zero (CVE-2009-4835, bnc#631379) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libsndfile Destination is old-versions/11.3/UPDATES/all/libsndfile calling whatdependson for 11.3-i586 New: ---- libsndfile-1.0.20-CVE-2009-4835.diff libsndfile-CVE-2011-2696.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsndfile-progs.spec ++++++ --- /var/tmp/diff_new_pack.XrwRPV/_old 2011-07-19 13:06:43.000000000 +0200 +++ /var/tmp/diff_new_pack.XrwRPV/_new 2011-07-19 13:06:43.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsndfile-progs (Version 1.0.20) +# spec file for package libsndfile-progs # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -21,7 +21,7 @@ BuildRequires: alsa-devel flac-devel gcc-c++ libjack-devel libvorbis-devel pkgconfig sqlite-devel Summary: Example Programs for libsndfile Version: 1.0.20 -Release: 3 +Release: 8.<RELEASE2> License: LGPLv2.1+ Group: System/Libraries Source: libsndfile-%{version}.tar.bz2 ++++++ libsndfile.spec ++++++ --- /var/tmp/diff_new_pack.XrwRPV/_old 2011-07-19 13:06:43.000000000 +0200 +++ /var/tmp/diff_new_pack.XrwRPV/_new 2011-07-19 13:06:43.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libsndfile (Version 1.0.20) +# spec file for package libsndfile # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ BuildRequires: alsa-devel flac-devel gcc-c++ libvorbis-devel pkg-config sqlite-devel Summary: A Library to Handle Various Audio File Formats Version: 1.0.20 -Release: 3 +Release: 8.<RELEASE2> License: LGPLv2.1+ Group: System/Libraries Obsoletes: libsnd @@ -34,6 +34,8 @@ Source: libsndfile-%{version}.tar.bz2 Source2: baselibs.conf Patch: libsndfile-example-fix.diff +Patch1: libsndfile-1.0.20-CVE-2009-4835.diff +Patch2: libsndfile-CVE-2011-2696.diff Url: http://www.mega-nerd.com/libsndfile/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -75,6 +77,8 @@ %prep %setup -q %patch +%patch1 +%patch2 -p1 %build %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter ++++++ libsndfile-1.0.20-CVE-2009-4835.diff ++++++ === modified file 'src/alaw.c' --- src/alaw.c | 2 +- src/float32.c | 2 +- src/htk.c | 13 ++++++++++--- src/pcm.c | 2 +- src/sds.c | 33 ++++++++++++++++++++++++++------- src/ulaw.c | 2 +- 6 files changed, 40 insertions(+), 14 deletions(-) --- src/alaw.c.orig +++ src/alaw.c 
@@ -69,7 +69,7 @@ else psf->datalength = 0 ; - psf->sf.frames = psf->datalength / psf->blockwidth ; + psf->sf.frames = psf->blockwidth > 0 ? psf->datalength / psf->blockwidth : 0 ; return 0 ; } /* alaw_init */ --- src/float32.c.orig +++ src/float32.c @@ -241,7 +241,7 @@ else psf->datalength = 0 ; - psf->sf.frames = psf->datalength / psf->blockwidth ; + psf->sf.frames = psf->blockwidth > 0 ? psf->datalength / psf->blockwidth : 0 ; return 0 ; } /* float32_init */ --- src/htk.c.orig +++ src/htk.c @@ -195,10 +195,17 @@ return SFE_HTK_NOT_WAVEFORM ; psf->sf.channels = 1 ; - psf->sf.samplerate = 10000000 / sample_period ; - psf_log_printf (psf, "HTK Waveform file\n Sample Count : %d\n Sample Period : %d => %d Hz\n", - sample_count, sample_period, psf->sf.samplerate) ; + if (sample_period > 0) + { psf->sf.samplerate = 10000000 / sample_period ; + psf_log_printf (psf, "HTK Waveform file\n Sample Count : %d\n Sample Period : %d => %d Hz\n", + sample_count, sample_period, psf->sf.samplerate) ; + } + else + { psf->sf.samplerate = 16000 ; + psf_log_printf (psf, "HTK Waveform file\n Sample Count : %d\n Sample Period : %d (should be > 0) => Guessed sample rate %d Hz\n", + sample_count, sample_period, psf->sf.samplerate) ; + } ; psf->sf.format = SF_FORMAT_HTK | SF_FORMAT_PCM_16 ; psf->bytewidth = 2 ; --- src/pcm.c.orig +++ src/pcm.c @@ -271,7 +271,7 @@ else psf->datalength = 0 ; - psf->sf.frames = psf->datalength / psf->blockwidth ; + psf->sf.frames = psf->blockwidth > 0 ? psf->datalength / psf->blockwidth : 0 ; return 0 ; } /* pcm_init */ --- src/sds.c.orig +++ src/sds.c 
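Review bot: In the src/alaw.c hunk the new ternary skips the division when `psf->blockwidth` is not positive, but the function still falls through to `return 0`, so a file with a zero block width is reported as a successful open with `sf.frames` set to 0. The same line is added in the src/float32.c, src/pcm.c and src/ulaw.c hunks. Each init function starts outside its hunk, so it is not visible whether later code tolerates a zero `blockwidth`; if it does not, returning an error here would be the tighter fix. At minimum I would document the choice above the line: `/* Guard: a zero blockwidth would divide by zero; report no frames instead. */`.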
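Review bot: The fallback rate `16000` in the new `else` branch of the src/htk.c hunk is a bare literal, and the src/sds.c hunk of the same patch repeats it for its own guessed rate; a named constant shared by both would make the guess explicit and keep the two in step. The branch also keeps parsing a file whose `sample_period` is zero or negative, and only the log text records that, so a caller sees a normal open with an invented sample rate. A comment such as `/* Invalid sample period in header: skip the division and fall back to a default rate. */` would state the intent. The enclosing function begins and ends outside the hunk.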
@@ -219,21 +219,40 @@ if (marker != 0xF07E || byte != 0x01) return SFE_SDS_NOT_SDS ; - psf_log_printf (psf, "Midi Sample Dump Standard (.sds)\nF07E\n Midi Channel : %d\n", channel) ; + bytesread += psf_binheader_readf (psf, "e2", &sample_no) ; + sample_no = SDS_3BYTE_TO_INT_DECODE (sample_no) ; - bytesread += psf_binheader_readf (psf, "e213", &sample_no, &bitwidth, &samp_period) ; + psf_log_printf (psf, "Midi Sample Dump Standard (.sds)\nF07E\n" + " Midi Channel : %d\n Sample Number : %d\n", + channel, sample_no) ; + + bytesread += psf_binheader_readf (psf, "e13", &bitwidth, &samp_period) ; - sample_no = SDS_3BYTE_TO_INT_DECODE (sample_no) ; samp_period = SDS_3BYTE_TO_INT_DECODE (samp_period) ; psds->bitwidth = bitwidth ; - psf->sf.samplerate = 1000000000 / samp_period ; + if (psds->bitwidth > 1) + psf_log_printf (psf, " Bit Width : %d\n", psds->bitwidth) ; + else + { psf_log_printf (psf, " Bit Width : %d (should be > 1)\n", psds->bitwidth) ; + return SFE_SDS_BAD_BIT_WIDTH ; + } ; + + if (samp_period > 0) + { psf->sf.samplerate = 1000000000 / samp_period ; - psf_log_printf (psf, " Sample Number : %d\n" - " Bit Width : %d\n" + psf_log_printf (psf, " Sample Period : %d\n" " Sample Rate : %d\n", - sample_no, psds->bitwidth, psf->sf.samplerate) ; + samp_period, psf->sf.samplerate) ; + } + else + { psf->sf.samplerate = 16000 ; + + psf_log_printf (psf, " Sample Period : %d (should be > 0)\n" + " Sample Rate : %d (guessed)\n", + samp_period, psf->sf.samplerate) ; + } ; bytesread += psf_binheader_readf (psf, "e3331", &data_length, &sustain_loop_start, &sustain_loop_end, &loop_type) ; --- src/ulaw.c.orig +++ src/ulaw.c 
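Review bot: The new bit-width check in the src/sds.c hunk enforces only a lower bound (`psds->bitwidth > 1`), so an oversized value read from the header still passes. If the code after the hunk derives block or sample sizes from `psds->bitwidth`, the upper bound belongs in the same test. As far as I recall the Sample Dump Standard allows 8 to 28 significant bits, which would give `if (psds->bitwidth < 8 || psds->bitwidth > 28)` with the "should be" log text adjusted to match; please confirm the range against the format definition. The function continues outside the hunk.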
@@ -59,7 +59,7 @@ else psf->datalength = 0 ; - psf->sf.frames = psf->datalength / psf->blockwidth ; + psf->sf.frames = psf->blockwidth > 0 ? psf->datalength / psf->blockwidth : 0 ; return 0 ; } /* ulaw_init */ ++++++ libsndfile-CVE-2011-2696.diff ++++++ === modified file 'ChangeLog' --- src/common.h | 1 + src/paf.c | 7 +++++-- src/sndfile.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) --- a/src/common.h +++ b/src/common.h @@ -511,6 +511,7 @@ SFE_PAF_VERSION, SFE_PAF_UNKNOWN_FORMAT, SFE_PAF_SHORT_HEADER, + SFE_PAF_BAD_CHANNELS, SFE_SVX_NO_FORM, SFE_SVX_NO_BODY, --- a/src/paf.c +++ b/src/paf.c @@ -163,6 +163,9 @@ { PAF_FMT paf_fmt ; int marker ; + if (psf->filelength < PAF_HEADER_LENGTH) + return SFE_PAF_SHORT_HEADER ; + memset (&paf_fmt, 0, sizeof (paf_fmt)) ; psf_binheader_readf (psf, "pm", 0, &marker) ; @@ -199,8 +202,8 @@ psf->endian = SF_ENDIAN_BIG ; } ; - if (psf->filelength < PAF_HEADER_LENGTH) - return SFE_PAF_SHORT_HEADER ; + if (paf_fmt.channels > SF_MAX_CHANNELS) + return SFE_PAF_BAD_CHANNELS ; psf->datalength = psf->filelength - psf->dataoffset ; --- a/src/sndfile.c +++ b/src/sndfile.c @@ -170,6 +170,7 @@ { SFE_PAF_VERSION , "Error in PAF file, bad version." }, { SFE_PAF_UNKNOWN_FORMAT , "Error in PAF file, unknown format." }, { SFE_PAF_SHORT_HEADER , "Error in PAF file. File shorter than minimal header." }, + { SFE_PAF_BAD_CHANNELS , "Error in PAF file. Bad channel count." }, { SFE_SVX_NO_FORM , "Error in 8SVX / 16SV file, no 'FORM' marker." }, { SFE_SVX_NO_BODY , "Error in 8SVX / 16SV file, no 'BODY' marker." }, ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
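Review bot: The channel check added in the second src/paf.c hunk, `if (paf_fmt.channels > SF_MAX_CHANNELS)`, bounds the count only from above. The declaration of `PAF_FMT` is outside the hunk; if `channels` is a signed field, a zero or negative value read from the header passes this test and reaches whatever size arithmetic follows. Checking both ends closes that: `if (paf_fmt.channels < 1 || paf_fmt.channels > SF_MAX_CHANNELS)`. The function body continues outside the hunk.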
