Details: https://nvd.nist.gov/vuln/detail/CVE-2015-8791
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
.../libebml/libebml/CVE-2015-8791.patch | 29 +++++++++++++++++++
.../recipes-mkv/libebml/libebml_1.3.0.bb | 10 +++----
2 files changed, 34 insertions(+), 5 deletions(-)
create mode 100644 meta-multimedia/recipes-mkv/libebml/libebml/CVE-2015-8791.patch
diff --git a/meta-multimedia/recipes-mkv/libebml/libebml/CVE-2015-8791.patch b/meta-multimedia/recipes-mkv/libebml/libebml/CVE-2015-8791.patch
new file mode 100644
index 0000000000..e007e2fb92
--- /dev/null
+++ b/meta-multimedia/recipes-mkv/libebml/libebml/CVE-2015-8791.patch
@@ -0,0 +1,29 @@
+From 22b87d8217606d891e73fc59a598bae830e61d65 Mon Sep 17 00:00:00 2001
+From: Moritz Bunkus <[email protected]>
+Date: Tue, 20 Oct 2015 14:49:44 +0200
+Subject: [PATCH] EbmlElement: don't read beyond end of buffer when reading
+ variable length integers
+
+CVE: CVE-2015-8791
+Upstream-Status: Backport [https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ src/EbmlElement.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 4b96d06..0969468 100644
+--- a/src/EbmlElement.cpp
++++ b/src/EbmlElement.cpp
+@@ -149,6 +149,11 @@ uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, uint64 &
+ // ID found
+ PossibleSizeLength = SizeIdx + 1;
+ SizeBitMask >>= SizeIdx;
++
++ // Guard against invalid memory accesses with incomplete IDs.
++ if (PossibleSizeLength > BufferSize)
++ break;
++
+ for (SizeIdx = 0; SizeIdx < PossibleSizeLength; SizeIdx++) {
+ PossibleSize[SizeIdx] = InBuffer[SizeIdx];
+ }
diff --git a/meta-multimedia/recipes-mkv/libebml/libebml_1.3.0.bb b/meta-multimedia/recipes-mkv/libebml/libebml_1.3.0.bb
index 744486fa2a..9caf25205b 100644
--- a/meta-multimedia/recipes-mkv/libebml/libebml_1.3.0.bb
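Review bot: Where the added `break` lands cannot be checked from this hunk, because the loop enclosing the `// ID found` branch and the function's final return both lie outside it, so the patch by itself does not show what ReadCodedSizeValue hands back when `PossibleSizeLength > BufferSize`. The guard does keep the following copy loop from indexing `InBuffer` past `BufferSize`, but callers act on the returned size, so it is worth confirming in the 1.3.0 tree that this path reports failure rather than a stale value. If it does, a line in the patch header such as `Truncated size fields now take the function's failure return instead of being read past the buffer.` would record that for later audits; the in-code comment should stay as upstream wrote it.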
+++ b/meta-multimedia/recipes-mkv/libebml/libebml_1.3.0.bb @@ -2,11 +2,11 @@ SUMMARY = "libebml is a C++ libary to parse EBML files" LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE.LGPL;md5=7fbc338309ac38fefcd64b04bb903e34" -SRC_URI = "\ - http://dl.matroska.org/downloads/libebml/libebml-${PV}.tar.bz2 \ - file://ldflags.patch \ - file://override-uname.patch \ -" +SRC_URI = "http://dl.matroska.org/downloads/libebml/libebml-${PV}.tar.bz2 \ + file://ldflags.patch \ + file://override-uname.patch \ + file://CVE-2015-8791.patch \ + " SRC_URI[md5sum] = "efec729bf5a51e649e1d9d1f61c0ae7a" SRC_URI[sha256sum] = "83b074d6b62715aa0080406ea84d33df2e44b5d874096640233a4db49b8096de"
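Review bot: The SRC_URI assignment is re-wrapped in the same hunk that adds `file://CVE-2015-8791.patch \`, so five lines change where one would do and the security-relevant addition is harder to pick out when auditing the recipe history. Keeping the original layout and inserting only the new entry before the closing quote would reduce the backport to a one-line recipe change. The new closing line `+ "` also places whitespace ahead of the quote; the exact indentation is not recoverable from this rendering, but it looks unnecessary.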
