Hello community, here is the log from the commit of package vorbis-tools for openSUSE:Factory checked in at 2015-03-16 06:55:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vorbis-tools (Old) and /work/SRC/openSUSE:Factory/.vorbis-tools.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vorbis-tools" Changes: -------- --- /work/SRC/openSUSE:Factory/vorbis-tools/vorbis-tools.changes 2015-01-29 09:54:55.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.vorbis-tools.new/vorbis-tools.changes 2015-03-16 06:55:26.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Mar 6 15:24:00 CET 2015 - [email protected] + +- Fix division by zero and integer overflow by crafted WAV files + (CVE-2014-9638, CVE-2014-9639, bnc#914439, bnc#914441): + vorbis-tools-oggenc-CVE-2014-9639.patch + +------------------------------------------------------------------- New: ---- vorbis-tools-oggenc-CVE-2014-9639.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vorbis-tools.spec ++++++ --- /var/tmp/diff_new_pack.Y1dcHV/_old 2015-03-16 06:55:27.000000000 +0100 +++ /var/tmp/diff_new_pack.Y1dcHV/_new 2015-03-16 06:55:27.000000000 +0100 @@ -32,6 +32,8 @@ Patch2: vcut-fix-segfault.diff # PATCH-FIX-UPSTREAM vorbis-tools-r19117-CVE-2014-9640.patch bsc#914938 CVE-201409640 Patch3: vorbis-tools-r19117-CVE-2014-9640.patch +# PATCH-FIX-SUSE vorbis-tools-oggenc-CVE-2014-9639.patch bnc#914439 bnc#914441 CVE-2014-9638 CVE-2014-9639 +Patch4: vorbis-tools-oggenc-CVE-2014-9639.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flac-devel @@ -74,6 +76,7 @@ %patch1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # automake 1.13 deprecated AM_CONFIG_HEADER sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac ++++++ vorbis-tools-oggenc-CVE-2014-9639.patch ++++++ Fix CVE-2014-9638 (bnc#914439) CVE-2014-9639 (bnc#914441) --- oggenc/audio.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) --- a/oggenc/audio.c +++ b/oggenc/audio.c @@ -13,6 +13,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt, aiff_fmt format; aifffile *aiff = malloc(sizeof(aifffile)); int i; + long channels; if(buf[11]=='C') aifc=1; @@ -277,11 +279,17 @@ int aiff_open(FILE *in, oe_enc_opt *opt, return 0; } - format.channels = READ_U16_BE(buffer); + format.channels = channels = READ_U16_BE(buffer); format.totalframes = READ_U32_BE(buffer+2); format.samplesize = READ_U16_BE(buffer+6); format.rate = (int)read_IEEE80(buffer+8); + if(channels <= 0L || SHRT_MAX < channels) + { + fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n")); + return 0; + } + aiff->bigendian = 1; if(aifc) @@ -412,6 +420,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, wav_fmt format; wavfile *wav = malloc(sizeof(wavfile)); int i; + long channels; /* Ok. At this point, we know we have a WAV file. Now we have to detect * whether we support the subtype, and we have to find the actual data @@ -449,12 +458,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, } format.format = READ_U16_LE(buf); - format.channels = READ_U16_LE(buf+2); + format.channels = channels = READ_U16_LE(buf+2); format.samplerate = READ_U32_LE(buf+4); format.bytespersec = READ_U32_LE(buf+8); format.align = READ_U16_LE(buf+12); format.samplesize = READ_U16_LE(buf+14); + if(channels <= 0L || SHRT_MAX < channels) + { + fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n")); + return 0; + } + if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */ { if(len<40) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
