Hello community, here is the log from the commit of package libmodplug for openSUSE:Factory checked in at 2013-10-23 10:09:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libmodplug (Old) and /work/SRC/openSUSE:Factory/.libmodplug.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libmodplug"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libmodplug/libmodplug.changes 2012-03-19 10:08:07.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libmodplug.new/libmodplug.changes 2013-10-23 10:09:53.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Oct 22 16:42:30 CEST 2013 - [email protected]
+
+- Two security fixes (bnc#834483):
+ * Fix integer overflow (CVE-2013-4233, CVE-2013-4233.patch).
+ * Fix heap overflows (CVE-2013-4234, CVE-2013-4234.patch).
+
+-------------------------------------------------------------------
New:
----
CVE-2013-4233.patch
CVE-2013-4234.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libmodplug.spec ++++++
--- /var/tmp/diff_new_pack.GZjSpK/_old 2013-10-23 10:10:20.000000000 +0200
+++ /var/tmp/diff_new_pack.GZjSpK/_new 2013-10-23 10:10:20.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libmodplug
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,10 +20,10 @@
 Name: libmodplug
 Summary: A MOD playing library
-Version: 0.8.8.4
-Release: 2
-Group: System/Libraries
 License: SUSE-Public-Domain
+Group: System/Libraries
+Version: 0.8.8.4
+Release: 0
 Url: http://modplug-xmms.sourceforge.net
 Source: %{name}-%{version}.tar.bz2
 Source1: baselibs.conf
@@ -31,7 +31,13 @@
 Patch1: libmodplug-timidity.patch
 # PATCH-FIX-OPENSUSE Fix buffer overflow
 Patch2: libmodplug-overflow.patch
-BuildRequires: dos2unix gcc-c++ pkg-config
+# PATCH-FIX-UPSTREAM CVE-2013-4233.patch bnc834483 CVE-2013-4233 [email protected] -- Fix integer overflow.
+Patch3: CVE-2013-4233.patch
+# PATCH-FIX-UPSTREAM CVE-2013-4234.patch bnc834483 CVE-2013-4234 [email protected] -- Fix heap overflows.
+Patch4: CVE-2013-4234.patch
+BuildRequires: dos2unix
+BuildRequires: gcc-c++
+BuildRequires: pkg-config
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -42,7 +48,6 @@
 %package -n libmodplug%{soname}
-License: SUSE-Public-Domain
 Summary: Development files for libmodplug
 Group: Development/Libraries/C and C++
@@ -55,7 +60,6 @@
 - plays textfiles written in the ABC music notation (*.abc).
 %package devel
-License: SUSE-Public-Domain
 Summary: Development files for libmodplug
 Group: Development/Libraries/C and C++
 Requires: libmodplug%{soname} = %{version}
@@ -67,6 +71,8 @@
 %setup -q
 %patch1
 %patch2 -p1
+%patch3 -p2
+%patch4 -p2
 # Fix eol encoding.
 dos2unix -o ChangeLog
++++++ CVE-2013-4233.patch ++++++
>From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski <[email protected]>
Date: Wed, 14 Aug 2013 14:15:27 +1000
Subject: [PATCH] CVE-2013-4233 Fix Integer overflow in j variable -- reported by Florian "Agix" Gaultier
---
 libmodplug/src/load_abc.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index 9f4b328..ecb7b62 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
 static void abc_set_parts(char **d, char *p)
 {
- int i,j,k,m,n;
+ int i,j,k,m,n,size;
 char *q;
 #ifdef NEWMIKMOD
 static MM_ALLOC *h;
@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p)
 i += n-1;
 }
 }
- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case
+ size = (j + 1) > 0 ? j+1 : j;
+ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case
 // now copy bytes from p to *d, taking parens and digits in account
 j = 0;
- for( i=0; p[i] && p[i] != '%'; i++ ) {
+ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
 if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
 if( p[i] == ')' ) {
 for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q
-- 
1.8.4
++++++ CVE-2013-4234.patch ++++++
>From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski <[email protected]>
Date: Wed, 14 Aug 2013 15:15:09 +1000
Subject: [PATCH] CVE-2013-4234 Fix Heap overflow in abc_MIDI_drum + abc_MIDI_gchord -- reported by Florian "Agix" Gaultier
---
 libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index ecb7b62..dd9cc6b 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
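Review bot: In abc_set_parts, `size = (j + 1) > 0 ? j+1 : j;` detects the overflow by performing the very signed addition it is meant to guard, which is undefined behaviour when j is INT_MAX and may be optimised away; and if j has already gone negative in the counting loop above the hunk, the fallback hands a negative count to `_mm_calloc`. Reject the input before allocating, for example `if( j < 0 || j == INT_MAX ) return;` (INT_MAX needs climits, and the right error path depends on how callers treat an unset `*d`, which is not visible here). The result of `_mm_calloc` is not checked for NULL in the visible lines before the copy loop reads `q[n-1]`. The added `j < size` test runs once per outer iteration, while the loop body continues outside the hunk and appears able to store more than one byte per iteration, so the bound should be re-checked at each store into `q`.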
@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p)
 static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 {
 char *q;
- int i,n,m;
+ int i, n, m, len;
 while( isspace(*p) ) p++;
 if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2;
 if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1;
- n = 0;
+ n = 0; len = 0;
 for( q = h->drum; *p && !isspace(*p); p++ ) {
 if( !strchr("dz0123456789",*p) ) break;
- *q++ = *p;
- if( !isdigit(*p) ) {
- if( !isdigit(p[1]) ) *q++ = '1';
+ *q++ = *p; len++;
+ if( !isdigit(*p) && len < sizeof(h->drum)-1 ) {
+ if( !isdigit(p[1]) ) { *q++ = '1'; len ++; }
 n++; // count the silences too....
 }
+ if (len >= sizeof(h->drum)-1) {
+ // consume the rest of the input
+ // definitely enough "drum last state" stored.
+ while ( *p && !isspace(*p) ) p++;
+ break;
+ }
 }
 *q = '\0';
 q = h->drumins;
 for( i = 0; i<n; i++ ) {
 if( h->drum[i*2] == 'd' ) {
- while( isspace(*p) ) p++;
+ while( *p && isspace(*p) ) p++;
 if( !isdigit(*p) ) {
 m = 0;
- while( !isspace(*p) ) p++;
+ while( *p && !isspace(*p) ) p++;
 }
 else
 p += abc_getnumber(p,&m);
@@ -3236,10 +3242,10 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 q = h->drumvol;
 for( i = 0; i<n; i++ ) {
 if( h->drum[i*2] == 'd' ) {
- while( isspace(*p) ) p++;
+ while( *p && isspace(*p) ) p++;
 if( !isdigit(*p) ) {
 m = 0;
- while( !isspace(*p) ) p++;
+ while( *p && !isspace(*p) ) p++;
 }
 else
 p += abc_getnumber(p,&m);
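Review bot: The new `while( *p && isspace(*p) ) p++;` and `while( *p && !isspace(*p) ) p++;` loops in abc_MIDI_drum (in this hunk and again in the drumvol hunk at -3236) pass a plain `char` read from the file to the ctype.h classifiers; where `char` is signed, bytes above 0x7f become negative arguments, which is undefined. Cast at the call, e.g. `while( *p && isspace((unsigned char)*p) ) p++;`, and do the same for the `isdigit` calls. `len` is an `int` compared against `sizeof(h->drum)-1`; declaring it `size_t` avoids the signed/unsigned comparison, and the bound is only meaningful if `drum` is an array member rather than a pointer, which the hunk does not show. The patch bounds only `h->drum`; the stores into `h->drumins` and `h->drumvol` lie outside the hunks, so it is worth confirming those arrays hold at least `n` entries for the largest `n` the first loop can now produce.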
@@ -3254,13 +3260,19 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 static int abc_MIDI_gchord(const char *p, ABCHANDLE *h)
 {
 char *q;
+ int len = 0;
 while( isspace(*p) ) p++;
 if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2;
 if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1;
 for( q = h->gchord; *p && !isspace(*p); p++ ) {
 if( !strchr("fbcz0123456789ghijGHIJ",*p) ) break;
- *q++ = *p;
- if( !isdigit(*p) && !isdigit(p[1]) ) *q++ = '1';
+ *q++ = *p; len++;
+ if( !isdigit(*p) && len < sizeof(h->gchord)-1 && !isdigit(p[1]) ) { *q++ = '1'; len ++; }
+ if (len >= sizeof(h->gchord)-1) {
+ // consume the rest of the input
+ // definitely enough "drum last state" stored.
+ while ( *p && !isspace(*p) ) p++;
+ }
 }
 *q = '\0';
 return 0;
-- 
1.8.4
-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
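Review bot: The overflow guard in abc_MIDI_gchord has no `break;` after the inner `while ( *p && !isspace(*p) ) p++;`, unlike the matching block in abc_MIDI_drum. Control falls back to the `for` header, whose `p++` steps over the delimiter (or the terminating NUL) that the inner loop stopped on, and copying can then resume with `q` already at the last slot of `h->gchord`, so later stores and the final `*q = '\0'` can land past the array. Add `break;` as the last statement of the `if (len >= sizeof(h->gchord)-1)` block. The comment in that block still says "drum last state" and should refer to gchord.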
