From: Peter Marko <[email protected]> This is inactive project, so no official CVE fix will be available anymore. That however does not mean that there is no fix available. Following tries to prove that patch provided here is valid.
NVD CVE report [1] links issue [2] where this is reported. Based on the report, fix was proposed in [3]. There was some review however the patch autor was not active. [4] was later created trying to adddress the comments, but the project was not active anymore. In this PR the patch was shrunk to a one-liner in discussion. I have tested the poc and it is real. The patch fixes it, while not breaking the execution if good file path is provided as argument. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361 [2] https://github.com/xiph/vorbis-tools/issues/41 [3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7 [4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8 Signed-off-by: Peter Marko <[email protected]> --- .../vorbis-tools/CVE-2023-43361.patch | 38 +++++++++++++++++++ .../vorbis-tools/vorbis-tools_1.4.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch new file mode 100644 index 0000000000..7f5b634115 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch @@ -0,0 +1,38 @@ +From 6ca16244ba70cd1c0c8d062d1416bdc79bf20898 Mon Sep 17 00:00:00 2001 +From: Peter Marko <[email protected]> +Date: Fri, 17 Jan 2025 18:49:12 +0100 +Subject: [PATCH] oggenc: Don't assume the output path ends in a file name. + +oggenc attempts to create any specified directories in the output +file path if they don't exist. The parser was assuming there was +a final filename after the last directory separator, and so would +try to read off the end of the argument if it was a bare directory +such as `./` or `outdir/`. This adds a check to make sure the +scan isn't starting off the end of the path string. + +Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science +and Technology (cse.hust.edu.cn) for the report. + +CVE: CVE-2023-43361 +Upstream-Status: Submitted [https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7] +Signed-off-by: Peter Marko <[email protected]> +--- + oggenc/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/oggenc/platform.c b/oggenc/platform.c +index 6d9f4ef..1ff02ca 100644 +--- a/oggenc/platform.c ++++ b/oggenc/platform.c +@@ -147,7 +147,7 @@ int create_directories(char *fn, int isutf8) + start = start+2; + #endif + +- while((end = strpbrk(start+1, PATH_SEPS)) != NULL) ++ while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL) + { + int rv; + memcpy(segment, fn, end-fn); +-- +2.30.2 + diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb index 61a4aedb85..2cbd840138 100644 --- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb @@ -13,6 +13,7 @@ DEPENDS = "libogg libvorbis" SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \ file://gettext.patch \ file://0001-ogginfo-Include-utf8.h-for-missing-utf8_decode.patch \ + file://CVE-2023-43361.patch \ " SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#114921): https://lists.openembedded.org/g/openembedded-devel/message/114921 Mute This Topic: https://lists.openembedded.org/mt/110671543/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
