Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release-team,

the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework), and
consequently has a popcon of 43382.

The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer access, out-of-bound reads, invalid reads and
writes) have been promptly fixed by upstream, who have released a new
version (0.8).

I uploaded the new version to 'sid' yesterday (setting urgency=high; I
hope this is correct).
For buster (which ships 0.6) I need your cooperation in order to get the
package uploaded.

Since there are a number of CVEs involved, I have first contacted the security
team, to coordinate an upload via buster-security. However, their response was:
> I have looked at those now from stable update point of view, and I
> think they are somehow limited impact (clearly with possibility to lead
> to crashes of reverse dependencies), but would not warrant a DSA on its
> own.
>
> I tend to mark those as no-dsa for buster and ask you if you can
> schedule an update just for the next buster point release.

I agree with their assessment of the impact of these CVEs, so here I am :-)

Please see the attached debdiff for my proposed changes.
These changes include fixes for the various CVEs and a (small but) cumulative
patch for 3 more security issues fixed upstream, which haven't got a CVE
assigned.

Let me know what I should do.

Cheers and thanks for making Debian a better place.

fgamsdr
IOhannes
diff -Nru libmysofa-0.6~dfsg0/debian/changelog 
libmysofa-0.6~dfsg0/debian/changelog
--- libmysofa-0.6~dfsg0/debian/changelog        2019-04-01 23:25:15.000000000 
+0200
+++ libmysofa-0.6~dfsg0/debian/changelog        2019-09-18 13:44:59.000000000 
+0200
@@ -1,3 +1,15 @@
+libmysofa (0.6~dfsg0-3+deb10u1) buster; urgency=high
+
+  * Backport security fixes (Closes: #939735)
+    * CVE-2019-16091
+    * CVE-2019-16092
+    * CVE-2019-16093
+    * CVE-2019-16094
+    * CVE-2019-16095
+    * misc security fixes that have no CVE assigned
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlae...@debian.org>  Wed, 18 Sep 2019 
13:44:59 +0200
+
 libmysofa (0.6~dfsg0-3) unstable; urgency=medium
 
   [ IOhannes m zmölnig ]
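Review bot: the CVE bullets in this changelog entry carry only the identifiers; a stable-update entry is easier to audit when each bullet says in a few words what was fixed (the cover mail already groups them as NULL-pointer access, out-of-bound reads, and invalid reads/writes), and the `misc security fixes that have no CVE assigned` bullet should cite the three upstream issues that misc-security-fixes.patch lists so the entry is self-describing.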
diff -Nru libmysofa-0.6~dfsg0/debian/gbp.conf 
libmysofa-0.6~dfsg0/debian/gbp.conf
--- libmysofa-0.6~dfsg0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/gbp.conf 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,4 @@
+[DEFAULT]
+pristine-tar = True
+#upstream-branch = upstream
+debian-branch = buster
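Review bot: the gbp.conf addition is unrelated to the security fixes; a stable-update debdiff is expected to contain only the changes needed for the fix, so either keep this file out of the upload or say in the cover mail why it is included. If it stays, the commented-out `#upstream-branch = upstream` line is dead configuration and should be dropped or set.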
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch 
libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch     2019-09-18 
13:44:59.000000000 +0200
@@ -0,0 +1,99 @@
+Description: Fix for CVE-2019-16091
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/78
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/fractalhead.c
++++ libmysofa/src/hdf/fractalhead.c
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <errno.h>
+ #include <assert.h>
++#include <inttypes.h>
+ #include "reader.h"
+ 
+ static int log2i(int a) {
+@@ -36,7 +37,7 @@
+       if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHDB", 4)) {
+               log("cannot read signature of fractal heap indirect block\n");
+               return MYSOFA_INVALID_FORMAT;
+-      } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++      } log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+       if (fgetc(reader->fhd) != 0) {
+               log("object FHDB must have version 0\n");
+@@ -60,7 +61,7 @@
+       else
+               length_size = ceilf(log2f(fractalheap->maximum_size) / 8);
+ 
+-      log(" %d %ld %d\n",size,block_offset,offset_size);
++      log(" %d %" PRIu64 " %d\n",size,block_offset,offset_size);
+ 
+       /*
+        * 00003e00  00 46 48 44 42 00 40 02  00 00 00 00 00 00 00 00  
|.FHDB.@.........|
+@@ -81,10 +82,10 @@
+               typeandversion = (uint8_t)fgetc(reader->fhd);
+               offset = readValue(reader, offset_size);
+               length = readValue(reader, length_size);
+-              if(offset>0x10000000 || length>0x10000000)
++              if(offset>0x10000000 || length>0x10000000 || length == 0)
+                       return MYSOFA_UNSUPPORTED_FORMAT;
+ 
+-              log(" %d %4lX %ld 
%8lX\n",typeandversion,offset,length,ftell(reader->fhd));
++              log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 
"\n",typeandversion,offset,length,ftell(reader->fhd));
+ 
+               /* TODO: for the following part, the specification is 
incomplete */
+               if (typeandversion == 3) {
+@@ -97,12 +98,13 @@
+                               return MYSOFA_UNSUPPORTED_FORMAT;
+                       }
+ 
+-                      if (!(name = malloc(length)))
++                      if (!(name = malloc(length+1)))
+                               return MYSOFA_NO_MEMORY;
+                       if(fread(name, 1, length, reader->fhd)!=length) {
+                               free(name);
+                               return MYSOFA_READ_ERROR;
+                       }
++                      name[length]=0;
+ 
+                       if (readValue(reader, 4) != 0x00000013) {
+                               log("FHDB type 3 unsupported values");
+@@ -177,7 +179,7 @@
+                       heap_header_address = readValue(reader,
+                                                       
reader->superblock.size_of_offsets);
+ 
+-                      log("\nfractal head type 1 length %4lX name %s address 
%lX\n", length, name, heap_header_address);
++                      log("\nfractal head type 1 length %4" PRIX64 " name %s 
address %" PRIX64 "\n", length, name, heap_header_address);
+ 
+                       dir = malloc(sizeof(struct DIR));
+                       if(!dir) {
+@@ -241,7 +243,7 @@
+       if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHIB", 4)) {
+               log("cannot read signature of fractal heap indirect block\n");
+               return MYSOFA_INVALID_FORMAT;
+-      } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++      } log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+       if (fgetc(reader->fhd) != 0) {
+               log("object FHIB must have version 0\n");
+@@ -282,7 +284,7 @@
+                       size_filtered = readValue(reader,
+                                                 
reader->superblock.size_of_lengths);
+                       filter_mask = readValue(reader, 4);
+-              } log(">> %d %lX %d\n",k,child_direct_block,size);
++              } log(">> %d %" PRIX64 " %d\n",k,child_direct_block,size);
+               if (validAddress(reader, child_direct_block)) {
+                       store = ftell(reader->fhd);
+                       if(fseek(reader->fhd, child_direct_block, SEEK_SET)<0)
+@@ -347,7 +349,7 @@
+       if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FRHP", 4)) {
+               log("cannot read signature of fractal heap\n");
+               return MYSOFA_UNSUPPORTED_FORMAT;
+-      } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++      } log("%" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+       if (fgetc(reader->fhd) != 0) {
+               log("object fractal heap must have version 0\n");
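Review bot: the DEP-3 header says only `Description: Fix for CVE-2019-16091`, which does not tell a reviewer what was wrong. The substantive change is in the `@@ -97,12 +98,13 @@` hunk: `malloc(length+1)` plus `name[length]=0;` (the heap name read with `fread` was never NUL-terminated, so any later use of it as a C string could read past the allocation) and the new `length == 0` rejection in the hunk above it; the header should say so. Every other hunk only swaps `%lX`/`%ld` for `PRIX64`/`PRIu64` in `log` calls; that is a correct fix for passing `uint64_t` values to `long` conversions, but it is unrelated to the CVE and makes the backport larger than it needs to be. Also, the final `@@ -347,7 +349,7 @@` hunk changes `%08lX` to `%" PRIX64 "` and drops the zero-padded width that the FHDB and FHIB hunks keep, so the FRHP log line now formats differently from its siblings.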
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch 
libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch     2019-09-18 
13:44:59.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2019-16092
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/77
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -188,8 +188,9 @@
+ 
+       dir = reader->superblock.dataobject.directory;
+       while (dir) {
+-
+-              if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
++              if(!dir->dataobject.name) {
++                      log("SOFA VARIABLE IS NULL.\n");
++              } else if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
+                       *err = getArray(&hrtf->ListenerPosition, 
&dir->dataobject);
+               } else if (!strcmp(dir->dataobject.name, "ReceiverPosition")) {
+                       *err = getArray(&hrtf->ReceiverPosition, 
&dir->dataobject);
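Review bot: the new `if(!dir->dataobject.name)` branch only logs, so a directory entry without a name is skipped rather than reported through `*err`; if a missing name means the file is malformed, setting `*err = MYSOFA_INVALID_FORMAT` (a code the other patches already use) would be the safer outcome, and if silently skipping is the intended behaviour the patch header should say so. The message text `SOFA VARIABLE IS NULL.` is also out of style with the lowercase log messages elsewhere in this diff.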
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch 
libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch     2019-09-18 
13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16093
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/76
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -352,6 +352,8 @@
+ 
+       case 2:
+               dimensionality = (uint8_t)fgetc(reader->fhd);
++              if(dimensionality < 0 || dimensionality >= 
sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0])
++                      return MYSOFA_INVALID_FORMAT;
+               data_address = readValue(reader, 
reader->superblock.size_of_offsets);
+               log(" CHUNK %lX\n", data_address);
+               for (i = 0; i < dimensionality; i++) {
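Review bot: the `dimensionality < 0` half of the new check is dead: the value is assigned from `(uint8_t)fgetc(reader->fhd)` on the line above, so unless `dimensionality` is itself declared as a signed 8-bit type it can never be negative (an EOF from `fgetc` becomes 255 and has to be caught by the upper bound instead), and compilers warn about the comparison. The bound `sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0]` works, because postfix `[0]` binds before `sizeof`, but it reads like a typo; `sizeof(data->datalayout_chunk[0])` or an array-size macro is clearer. The unchanged context line `log(" CHUNK %lX\n", data_address);` still uses `%lX` for a value of the kind that CVE-2019-16091.patch converts to `PRIX64` elsewhere.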
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch 
libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch     2019-09-18 
13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16094
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/75
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -371,6 +371,8 @@
+                       if (fseek(reader->fhd, data_address, SEEK_SET)<0)
+                               return errno;
+                       if (!data->data) {
++                              if(size < 0 || size > 0x10000000)
++                                      return MYSOFA_INVALID_FORMAT;
+                               data->data_len = size;
+                               data->data = malloc(size);
+                               if (!data->data)
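Review bot: whether `size < 0` in the new check does anything depends on the declared type of `size`, which is not visible here; if it is an unsigned value from `readValue`, the comparison is dead, as with `dimensionality` in CVE-2019-16093.patch, and only the `size > 0x10000000` bound does any work. That 0x10000000 limit now appears here and in the fractalhead.c `offset`/`length` check of CVE-2019-16091.patch; a named constant would keep the limits in one place. Note also that misc-security-fixes.patch rewrites the `data->data = malloc(size);` line two lines below this hunk, so the two patches must keep their current series order.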
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch 
libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch     2019-09-18 
13:44:59.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix for CVE-2019-16095
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/72
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -74,6 +74,7 @@
+               log(" %s=%s\n",attr->name,attr->value);
+ 
+               if (!strcmp(attr->name, "NAME")
++                  && attr->value
+                   && !strncmp(attr->value,
+                               "This is a netCDF dimension but not a netCDF 
variable.",
+                               53)) {
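Review bot: the `&& attr->value` guard sits after the context line `log(" %s=%s\n",attr->name,attr->value);`, which already hands `attr->value` to a `%s` conversion; if a NULL value can reach this loop, that log call invokes undefined behaviour before the guard runs (glibc prints `(null)`, other libcs may crash), so the NULL check should come before the log, or the log should substitute a placeholder for a NULL value. `attr->name` is passed to `strcmp` with no equivalent guard, so the patch header should state why a NULL name cannot occur here. The literal `53` is the length of the quoted string and is better written as `sizeof("...") - 1` so it cannot drift from the text.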
diff -Nru libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch 
libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch
--- libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch        
1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch        
2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,45 @@
+Description: misc security fixes without a CVE
+ backport of some minor fixes that were not assigned a CVE
+ - don't pass negative size to malloc()
+ - use calloc() to avoid uninitialized memory
+ - fix segfault (invalid-read) in the mysofa2json test-application (shipped in
+   libmysofa-utils)
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/79, 
https://github.com/hoene/libmysofa/issues/67, 
https://github.com/hoene/libmysofa/issues/74
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/btree.c
++++ libmysofa/src/hdf/btree.c
+@@ -246,6 +246,8 @@
+ 
+       log("elements %d size %d\n",elements,size);
+ 
++      if (elements >= 0x100000 || size > 0x10)
++              return MYSOFA_INVALID_FORMAT;
+       if (!(output = malloc(elements * size))) {
+               return MYSOFA_NO_MEMORY;
+       }
+--- libmysofa.orig/src/tests/json.c
++++ libmysofa/src/tests/json.c
+@@ -101,7 +101,7 @@
+ 
+               fprintf(out, "   \"DimensionNames\":[");
+               s = found->value;
+-              while (s[0] && dims < 4) {
++              while (s && s[0] && dims < 4) {
+                       switch (s[0]) {
+                       case 'I':
+                               dimensions[dims++] = hrtf->I;
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -374,7 +374,7 @@
+                               if(size < 0 || size > 0x10000000)
+                                       return MYSOFA_INVALID_FORMAT;
+                               data->data_len = size;
+-                              data->data = malloc(size);
++                              data->data = calloc(1,size);
+                               if (!data->data)
+                                       return MYSOFA_NO_MEMORY;
+                       }
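Review bot: the patch header says `don't pass negative size to malloc()`, but the btree.c check `if (elements >= 0x100000 || size > 0x10)` rejects neither a negative `elements` nor a negative `size`; if both are signed ints, as the `%d` conversions in the log line above suggest, a negative value passes both comparisons and `elements * size` still reaches `malloc`. Add `elements < 0 || size < 0` to the condition, or make the header describe what is actually checked. The json.c `while (s && s[0] && dims < 4)` change is fine, and the dataobject.c hunk is a one-line `malloc` to `calloc` change whose context lines are the ones inserted by CVE-2019-16094.patch, so this patch only applies after that one.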
diff -Nru libmysofa-0.6~dfsg0/debian/patches/series 
libmysofa-0.6~dfsg0/debian/patches/series
--- libmysofa-0.6~dfsg0/debian/patches/series   2019-04-01 23:25:15.000000000 
+0200
+++ libmysofa-0.6~dfsg0/debian/patches/series   2019-09-18 13:44:59.000000000 
+0200
@@ -1,2 +1,8 @@
 fix_export_symbols.patch
 CVE-2019-10672.patch
+CVE-2019-16091.patch
+CVE-2019-16092.patch
+CVE-2019-16093.patch
+CVE-2019-16094.patch
+CVE-2019-16095.patch
+misc-security-fixes.patch
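Review bot: the order here is correct and load-bearing: misc-security-fixes.patch edits the dataobject.c lines that CVE-2019-16094.patch introduces, so it must stay last in the series; a sentence in its `Description` noting that dependency would stop a later reorder from breaking `quilt push`.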
