Date: Thursday, September 5, 2013 @ 22:03:19 Author: eric Revision: 193908
upgpkg: libmodplug 0.8.8.4-2 Add CVE patches (close FS#36799) Added: libmodplug/trunk/libmodplug-CVE-2013-4233-Fix.patch libmodplug/trunk/libmodplug-CVE-2013-4234-Fix.patch Modified: libmodplug/trunk/PKGBUILD ------------------------------------+ PKGBUILD | 23 +++++--- libmodplug-CVE-2013-4233-Fix.patch | 42 +++++++++++++++ libmodplug-CVE-2013-4234-Fix.patch | 95 +++++++++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 8 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2013-09-05 03:24:14 UTC (rev 193907) +++ PKGBUILD 2013-09-05 20:03:19 UTC (rev 193908) @@ -1,11 +1,9 @@ # $Id$ -# Maintainer: -# Contributor: Jan de Groot <[email protected]> -# Contributor: Patrick Leslie Polzer <[email protected]> +# Maintainer: Eric Bélanger <[email protected]> pkgname=libmodplug pkgver=0.8.8.4 -pkgrel=1 +pkgrel=2 pkgdesc="A MOD playing library" arch=('i686' 'x86_64') url="http://modplug-xmms.sourceforge.net/"; @@ -12,17 +10,26 @@ license=('custom') depends=('gcc-libs') options=('!libtool') -source=("http://downloads.sourceforge.net/modplug-xmms/${pkgname}-${pkgver}.tar.gz";) -md5sums=('fddc3c704c5489de2a3cf0fedfec59db') +source=(http://downloads.sourceforge.net/modplug-xmms/${pkgname}-${pkgver}.tar.gz + libmodplug-CVE-2013-4233-Fix.patch libmodplug-CVE-2013-4234-Fix.patch) +sha1sums=('df4deffe542b501070ccb0aee37d875ebb0c9e22' + 'daee7fba80f633236a3d09ad19225c57013140e9' + '2e870747261a86dce5056cbf077c5914e9e8b287') +prepare() { + cd ${pkgname}-${pkgver} + patch -p2 -i "${srcdir}/libmodplug-CVE-2013-4233-Fix.patch" + patch -p2 -i "${srcdir}/libmodplug-CVE-2013-4234-Fix.patch" +} + build() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname}-${pkgver} ./configure --prefix=/usr make } package() { - cd "${srcdir}/${pkgname}-${pkgver}" + cd ${pkgname}-${pkgver} make DESTDIR="${pkgdir}" install install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" } Added: libmodplug-CVE-2013-4233-Fix.patch =================================================================== --- libmodplug-CVE-2013-4233-Fix.patch (rev 0) +++ libmodplug-CVE-2013-4233-Fix.patch 2013-09-05 20:03:19 UTC (rev 193908) @@ -0,0 +1,42 @@ +From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001 +From: Konstanty Bialkowski <[email protected]> +Date: Wed, 14 Aug 2013 14:15:27 +1000 +Subject: [PATCH] CVE-2013-4233 Fix + +Integer overflow in j variable + +-- reported by Florian "Agix" Gaultier +--- + libmodplug/src/load_abc.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp +index 9f4b328..ecb7b62 100644 +--- a/libmodplug/src/load_abc.cpp ++++ b/libmodplug/src/load_abc.cpp +@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice) + + static void abc_set_parts(char **d, char *p) + { +- int i,j,k,m,n; ++ int i,j,k,m,n,size; + char *q; + #ifdef NEWMIKMOD + static MM_ALLOC *h; +@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p) + i += n-1; + } + } +- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case ++ size = (j + 1) > 0 ? j+1 : j; ++ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case + // now copy bytes from p to *d, taking parens and digits in account + j = 0; +- for( i=0; p[i] && p[i] != '%'; i++ ) { ++ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) { + if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) { + if( p[i] == ')' ) { + for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q +-- +1.8.4 + Added: libmodplug-CVE-2013-4234-Fix.patch =================================================================== --- libmodplug-CVE-2013-4234-Fix.patch (rev 0) +++ libmodplug-CVE-2013-4234-Fix.patch 2013-09-05 20:03:19 UTC (rev 193908) @@ -0,0 +1,95 @@ +From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001 +From: Konstanty Bialkowski <[email protected]> +Date: Wed, 14 Aug 2013 15:15:09 +1000 +Subject: [PATCH] CVE-2013-4234 Fix + +Heap overflow in abc_MIDI_drum + abc_MIDI_gchord + +-- reported by Florian "Agix" Gaultier +--- + libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp +index ecb7b62..dd9cc6b 100644 +--- a/libmodplug/src/load_abc.cpp ++++ b/libmodplug/src/load_abc.cpp +@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p) + static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + { + char *q; +- int i,n,m; ++ int i, n, m, len; + while( isspace(*p) ) p++; + if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; + if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; +- n = 0; ++ n = 0; len = 0; + for( q = h->drum; *p && !isspace(*p); p++ ) { + if( !strchr("dz0123456789",*p) ) break; +- *q++ = *p; +- if( !isdigit(*p) ) { +- if( !isdigit(p[1]) ) *q++ = '1'; ++ *q++ = *p; len++; ++ if( !isdigit(*p) && len < sizeof(h->drum)-1 ) { ++ if( !isdigit(p[1]) ) { *q++ = '1'; len ++; } + n++; // count the silences too.... + } ++ if (len >= sizeof(h->drum)-1) { ++ // consume the rest of the input ++ // definitely enough "drum last state" stored. ++ while ( *p && !isspace(*p) ) p++; ++ break; ++ } + } + *q = '\0'; + q = h->drumins; + for( i = 0; i<n; i++ ) { + if( h->drum[i*2] == 'd' ) { +- while( isspace(*p) ) p++; ++ while( *p && isspace(*p) ) p++; + if( !isdigit(*p) ) { + m = 0; +- while( !isspace(*p) ) p++; ++ while( *p && !isspace(*p) ) p++; + } + else + p += abc_getnumber(p,&m); +@@ -3236,10 +3242,10 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + q = h->drumvol; + for( i = 0; i<n; i++ ) { + if( h->drum[i*2] == 'd' ) { +- while( isspace(*p) ) p++; ++ while( *p && isspace(*p) ) p++; + if( !isdigit(*p) ) { + m = 0; +- while( !isspace(*p) ) p++; ++ while( *p && !isspace(*p) ) p++; + } + else + p += abc_getnumber(p,&m); +@@ -3254,13 +3260,19 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h) + static int abc_MIDI_gchord(const char *p, ABCHANDLE *h) + { + char *q; ++ int len = 0; + while( isspace(*p) ) p++; + if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2; + if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1; + for( q = h->gchord; *p && !isspace(*p); p++ ) { + if( !strchr("fbcz0123456789ghijGHIJ",*p) ) break; +- *q++ = *p; +- if( !isdigit(*p) && !isdigit(p[1]) ) *q++ = '1'; ++ *q++ = *p; len++; ++ if( !isdigit(*p) && len < sizeof(h->gchord)-1 && !isdigit(p[1]) ) { *q++ = '1'; len ++; } ++ if (len >= sizeof(h->gchord)-1) { ++ // consume the rest of the input ++ // definitely enough "drum last state" stored. ++ while ( *p && !isspace(*p) ) p++; ++ } + } + *q = '\0'; + return 0; +-- +1.8.4 +
