Hello community,

here is the log from the commit of package sox for openSUSE:Factory checked in at 2018-02-16 21:43:21

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sox (Old)
 and      /work/SRC/openSUSE:Factory/.sox.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sox"

Fri Feb 16 21:43:21 2018 rev:43 rq:576967 version:14.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/sox/sox.changes	2017-12-20 10:39:58.046542677 +0100
+++ /work/SRC/openSUSE:Factory/.sox.new/sox.changes	2018-02-16 21:43:34.321468593 +0100
@@ -1,0 +2,41 @@ +Wed Feb 14 14:38:36 UTC 2018 - [email protected] + +- Added patches: + * CVE-2017-11332.patch: Fixed the startread function in wav.c, which allowed + remote attackers to cause a DoS (divide-by-zero) via a crafted wav file. + (CVE-2017-11332 bsc#1081140) + + * CVE-2017-11358.patch: Fixed the read_samples function in hcom.c, which + allowed remote attackers to cause a DoS (invalid memory read) via a crafted + hcom file. (CVE-2017-11358 bsc#1081141) + + * CVE-2017-11359.patch: Fixed the wavwritehdr function in wav.c, which + allowed remote attackers to cause a DoS (divide-by-zero) when converting a + a crafted snd file to a wav file. (CVE-2017-11359 bsc#1081142) + + * CVE-2017-15370.patch: Fixed a heap-based buffer overflow in the ImaExpandS + function of ima_rw.c, which allowed remote attackers to cause a DoS during + conversion of a crafted audio file. (CVE-2017-15370 bsc#1063439) + + * CVE-2017-15371.patch: Fixed an assertion abort in the function + sox_append_comment() in formats.c, which allowed remote attackers to cause + a DoS during conversion of a crafted audio file. (CVE-2017-15371 + bsc#1063450) + + * CVE-2017-15372.patch: Fixed a stack-based buffer overflow in the + lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote + attackers to cause a DoS during conversion of a crafted audio file. + (CVE-2017-15372 bsc#1063456) + + * CVE-2017-15642.patch: Fixed an Use-After-Free vulnerability in + lsx_aiffstartread in aiff.c, which could be triggered by an attacker by + providing a malformed AIFF file. (CVE-2017-15642 bsc#1064576) + + * CVE-2017-18189.patch: Fixed a NULL pointer dereference triggered by a + corrupt header specifying zero channels in the startread function in + xa.c, which allowed remote attackers to cause a DoS (CVE-2017-18189 + bsc#1081146). 
+ +- Removed sox-doublefree.patch + +------------------------------------------------------------------- Old: ---- sox-doublefree.patch New: ---- CVE-2017-11332.patch CVE-2017-11358.patch CVE-2017-11359.patch CVE-2017-15370.patch CVE-2017-15371.patch CVE-2017-15372.patch CVE-2017-15642.patch CVE-2017-18189.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sox.spec ++++++ --- /var/tmp/diff_new_pack.HDjPri/_old 2018-02-16 21:43:35.169438011 +0100 +++ /var/tmp/diff_new_pack.HDjPri/_new 2018-02-16 21:43:35.173437866 +0100 @@ -1,7 +1,7 @@ # # spec file for package sox # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -62,7 +62,14 @@ Url: http://sox.sourceforge.net Source0: http://downloads.sourceforge.net/project/sox/sox/%{version}/%{name}-%{version}.tar.bz2 Source1: %{name}.changes -Patch0: sox-doublefree.patch +Patch0: CVE-2017-11332.patch +Patch1: CVE-2017-11359.patch +Patch2: CVE-2017-15371.patch +Patch3: CVE-2017-15642.patch +Patch4: CVE-2017-11358.patch +Patch5: CVE-2017-15370.patch +Patch6: CVE-2017-15372.patch +Patch7: CVE-2017-18189.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -95,6 +102,13 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" ++++++ CVE-2017-11332.patch ++++++ >From 7405bcaacb1ded8c595cb751d407cf738cb26571 Mon Sep 17 00:00:00 2001 
From: Mans Rullgard <[email protected]> Date: Sun, 5 Nov 2017 16:29:28 +0000 Subject: [PATCH] wav: fix crash if channel count is zero (CVE-2017-11332) --- src/wav.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/wav.c b/src/wav.c index 3e80e692..3eaebfa7 100644 --- a/src/wav.c +++ b/src/wav.c @@ -712,6 +712,11 @@ static int startread(sox_format_t * ft) else lsx_report("User options overriding channels read in .wav header"); + if (ft->signal.channels == 0) { + lsx_fail_errno(ft, SOX_EHDR, "Channel count is zero"); + return SOX_EOF; + } + if (ft->signal.rate == 0 || ft->signal.rate == dwSamplesPerSecond) ft->signal.rate = dwSamplesPerSecond; else ++++++ CVE-2017-11358.patch ++++++ >From 6cb44a44b9eda6b321ccdbf6483348d4a9798b00 Mon Sep 17 00:00:00 2001 From: Mans Rullgard <[email protected]> Date: Sun, 5 Nov 2017 16:43:35 +0000 Subject: [PATCH] hcom: fix crash on input with corrupt dictionary (CVE-2017-11358) --- src/hcom.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/hcom.c b/src/hcom.c index c62b020c..1b0e09dd 100644 --- a/src/hcom.c +++ b/src/hcom.c @@ -150,6 +150,11 @@ static int startread(sox_format_t * ft) lsx_debug("%d %d", p->dictionary[i].dict_leftson, p->dictionary[i].dict_rightson); + if ((unsigned) p->dictionary[i].dict_leftson >= dictsize || + (unsigned) p->dictionary[i].dict_rightson >= dictsize) { + lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary"); + return SOX_EOF; + } } rc = lsx_skipbytes(ft, (size_t) 1); /* skip pad byte */ if (rc) ++++++ CVE-2017-11359.patch ++++++ >From 8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 Mon Sep 17 00:00:00 2001 From: Mans Rullgard <[email protected]> Date: Sun, 5 Nov 2017 17:02:11 +0000 Subject: [PATCH] wav: fix crash writing header when channel count >64k (CVE-2017-11359) --- src/wav.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/wav.c b/src/wav.c index 3eaebfa7..fad334cf 100644 --- a/src/wav.c +++ b/src/wav.c 
@@ -1379,6 +1379,12 @@ static int wavwritehdr(sox_format_t * ft, int second_header) long blocksWritten = 0; sox_bool isExtensible = sox_false; /* WAVE_FORMAT_EXTENSIBLE? */ + if (ft->signal.channels > UINT16_MAX) { + lsx_fail_errno(ft, SOX_EOF, "Too many channels (%u)", + ft->signal.channels); + return SOX_EOF; + } + dwSamplesPerSecond = ft->signal.rate; wChannels = ft->signal.channels; wBitsPerSample = ft->encoding.bits_per_sample; ++++++ CVE-2017-15370.patch ++++++ >From ef3d8be0f80cbb650e4766b545d61e10d7a24c9e Mon Sep 17 00:00:00 2001 From: Mans Rullgard <[email protected]> Date: Sun, 5 Nov 2017 16:21:23 +0000 Subject: [PATCH] wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370) Add the same check bad block size as was done for MS adpcm in commit f39c574b ("More checks for invalid MS ADPCM blocks"). --- src/wav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wav.c b/src/wav.c index 5202556c..3e80e692 100644 --- a/src/wav.c +++ b/src/wav.c @@ -127,7 +127,7 @@ static unsigned short ImaAdpcmReadBlock(sox_format_t * ft) /* work with partial blocks. Specs say it should be null */ /* padded but I guess this is better than trailing quiet. */ samplesThisBlock = lsx_ima_samples_in((size_t)0, (size_t)ft->signal.channels, bytesRead, (size_t) 0); - if (samplesThisBlock == 0) + if (samplesThisBlock == 0 || samplesThisBlock > wav->samplesPerBlock) { lsx_warn("Premature EOF on .wav input file"); return 0; ++++++ CVE-2017-15371.patch ++++++ >From 818bdd0ccc1e5b6cae742c740c17fd414935cf39 Mon Sep 17 00:00:00 2001 From: Mans Rullgard <[email protected]> Date: Sun, 5 Nov 2017 15:57:48 +0000 Subject: [PATCH] flac: fix crash on corrupt metadata (CVE-2017-15371) --- src/flac.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) Index: sox/src/flac.c =================================================================== --- sox.orig/src/flac.c +++ sox/src/flac.c 
@@ -119,9 +119,10 @@ static void decoder_metadata_callback(FL p->total_samples = metadata->data.stream_info.total_samples; } else if (metadata->type == FLAC__METADATA_TYPE_VORBIS_COMMENT) { + const FLAC__StreamMetadata_VorbisComment *vc = &metadata->data.vorbis_comment; size_t i; - if (metadata->data.vorbis_comment.num_comments == 0) + if (vc->num_comments == 0) return; if (ft->oob.comments != NULL) { @@ -129,8 +130,9 @@ static void decoder_metadata_callback(FL return; } - for (i = 0; i < metadata->data.vorbis_comment.num_comments; ++i) - sox_append_comment(&ft->oob.comments, (char const *) metadata->data.vorbis_comment.comments[i].entry); + for (i = 0; i < vc->num_comments; ++i) + if (vc->comments[i].entry) + sox_append_comment(&ft->oob.comments, (char const *) vc->comments[i].entry); } } ++++++ CVE-2017-15372.patch ++++++ >From 3f7ed312614649e2695b54b398475d32be4f64f3 Mon Sep 17 00:00:00 2001 From: Mans Rullgard <[email protected]> Date: Wed, 8 Nov 2017 00:29:14 +0000 Subject: adpcm: fix stack overflow with >4 channels (CVE-2017-15372) --- src/adpcm.c | 8 +++++++- src/adpcm.h | 3 +++ src/wav.c | 5 ++++- 3 files changed, 14 insertions(+), 2 deletions(-) Index: sox/src/adpcm.c =================================================================== --- sox.orig/src/adpcm.c +++ sox/src/adpcm.c @@ -71,6 +71,11 @@ const short lsx_ms_adpcm_i_coef[7][2] = { 392,-232} }; +extern void *lsx_ms_adpcm_alloc(unsigned chans) +{ + return lsx_malloc(chans * sizeof(MsState_t)); +} + static inline sox_sample_t AdpcmDecode(sox_sample_t c, MsState_t *state, sox_sample_t sample1, sox_sample_t sample2) { @@ -102,6 +107,7 @@ static inline sox_sample_t AdpcmDecode(s /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, 
@@ -113,7 +119,7 @@ const char *lsx_ms_adpcm_block_expand_i( const unsigned char *ip; unsigned ch; const char *errmsg = NULL; - MsState_t state[4]; /* One decompressor state for each channel */ + MsState_t *state = priv; /* One decompressor state for each channel */ /* Read the four-byte header for each channel */ ip = ibuff; Index: sox/src/adpcm.h =================================================================== --- sox.orig/src/adpcm.h +++ sox/src/adpcm.h @@ -29,8 +29,11 @@ /* default coef sets */ extern const short lsx_ms_adpcm_i_coef[7][2]; +extern void *lsx_ms_adpcm_alloc(unsigned chans); + /* lsx_ms_adpcm_block_expand_i() outputs interleaved samples into one output buffer */ extern const char *lsx_ms_adpcm_block_expand_i( + void *priv, unsigned chans, /* total channels */ int nCoef, const short *coef, Index: sox/src/wav.c =================================================================== --- sox.orig/src/wav.c +++ sox/src/wav.c @@ -82,6 +82,7 @@ typedef struct { /* following used by *ADPCM wav files */ unsigned short nCoefs; /* ADPCM: number of coef sets */ short *lsx_ms_adpcm_i_coefs; /* ADPCM: coef sets */ + void *ms_adpcm_data; /* Private data of adpcm decoder */ unsigned char *packet; /* Temporary buffer for packets */ short *samples; /* interleaved samples buffer */ short *samplePtr; /* Pointer to current sample */ @@ -175,7 +176,7 @@ static unsigned short AdpcmReadBlock(so } } - errmsg = lsx_ms_adpcm_block_expand_i(ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); + errmsg = lsx_ms_adpcm_block_expand_i(wav->ms_adpcm_data, ft->signal.channels, wav->nCoefs, wav->lsx_ms_adpcm_i_coefs, wav->packet, wav->samples, samplesThisBlock); if (errmsg) lsx_warn("%s", errmsg); 
@@ -791,6 +792,7 @@ static int startread(sox_format_t * ft) /* nCoefs, lsx_ms_adpcm_i_coefs used by adpcm.c */ wav->lsx_ms_adpcm_i_coefs = lsx_malloc(wav->nCoefs * 2 * sizeof(short)); + wav->ms_adpcm_data = lsx_ms_adpcm_alloc(wChannels); { int i, errct=0; for (i=0; len>=2 && i < 2*wav->nCoefs; i++) { @@ -1216,6 +1218,7 @@ static int stopread(sox_format_t * ft) free(wav->packet); free(wav->samples); free(wav->lsx_ms_adpcm_i_coefs); + free(wav->ms_adpcm_data); free(wav->comment); wav->comment = NULL; ++++++ CVE-2017-15642.patch ++++++ Description: This fixes a use after free and double free if an empty comment chunk follows a non-empty one. Author: Mans Rullgard <[email protected]> Forwarded: not-needed --- src/aiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: sox/src/aiff.c =================================================================== --- sox.orig/src/aiff.c +++ sox/src/aiff.c @@ -62,7 +62,6 @@ int lsx_aiffstartread(sox_format_t * ft) size_t ssndsize = 0; char *annotation; char *author; - char *comment = NULL; char *copyright; char *nametext; @@ -270,6 +269,7 @@ int lsx_aiffstartread(sox_format_t * ft) free(annotation); } else if (strncmp(buf, "COMT", (size_t)4) == 0) { + char *comment = NULL; rc = commentChunk(&comment, "Comment:", ft); if (rc) { /* Fail already called in function */ ++++++ CVE-2017-18189.patch ++++++ Description: A corrupt header specifying zero channels would send read_channels() into an infinite loop. Prevent this by sanity checking the channel count in open_read(). Also add an upper bound to prevent overflow in multiplication. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121 Author: Mans Rullgard <[email protected]> Jaromír Mikeš <[email protected]> Forwarded: not-needed --- src/xa.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: sox/src/xa.c =================================================================== --- sox.orig/src/xa.c +++ sox/src/xa.c 
@@ -143,6 +143,12 @@ static int startread(sox_format_t * ft) lsx_report("User options overriding rate read in .xa header"); } + if (ft->signal.channels == 0 || ft->signal.channels > UINT16_MAX) { + lsx_fail_errno(ft, SOX_EFMT, "invalid channel count %d", + ft->signal.channels); + return SOX_EOF; + } + /* Check for supported formats */ if (ft->encoding.bits_per_sample != 16) { lsx_fail_errno(ft, SOX_EFMT, "%d-bit sample resolution not supported.",
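Review bot: two typos in the sox.changes hunk: the CVE-2017-11359 entry reads "when converting a a crafted snd file" (doubled article) and the CVE-2017-15642 entry reads "Fixed an Use-After-Free vulnerability" (should be "a Use-After-Free"). Also note that the CVE-2017-15370 and CVE-2017-15371 entries name the functions where the crash surfaced (ImaExpandS in ima_rw.c, sox_append_comment() in formats.c) while the corresponding patches change the callers (ImaAdpcmReadBlock in wav.c, decoder_metadata_callback in flac.c); that is acceptable for a changelog, but worth knowing when matching entries to patches.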
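Review bot: the Patch0..Patch7 numbering in the sox.spec hunk does not follow the upstream commit order for src/wav.c: the index lines show that CVE-2017-15370.patch (5202556c..3e80e692) is the parent of CVE-2017-11332.patch (3e80e692..3eaebfa7), which in turn is the parent of CVE-2017-11359.patch (3eaebfa7..fad334cf), yet %prep applies them as Patch5, Patch0 and Patch1. The three hunks touch disjoint regions of wav.c (lines 127, 712 and 1379), so patch(1) applies them with offsets, but listing the Patch tags in the order 15370, 11332, 11359 (or adding a comment on the chain) would keep %prep free of offset/fuzz noise and make the dependency obvious to the next maintainer.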
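Review bot: the zero-channel check in the wav.c startread hunk (CVE-2017-11332.patch) is placed after the "User options overriding channels read in .wav header" branch, so it covers both the header value and a user override, which is the right spot; it only rejects zero, though, whereas the equivalent check added to xa.c for CVE-2017-18189 also rejects channels > UINT16_MAX, and the wavwritehdr hunk for CVE-2017-11359 now refuses more than UINT16_MAX channels on the write side. Adding the same upper bound here would keep the read and write paths consistent and reject the oversized header before any per-channel allocation happens.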
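Review bot: the dictionary bounds check in the hcom.c hunk (CVE-2017-11358.patch) casts dict_leftson/dict_rightson to unsigned before comparing with dictsize, which rejects negative indices as well as too-large ones, so the check is complete for this loop; two small points: the "Invalid dictionary" message would be more useful with the offending entry index i included, and the hunk does not show where dictsize itself is bounded against the p->dictionary allocation, so confirm that exactly dictsize entries were read into that array before this loop runs.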
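Review bot: lsx_fail_errno() in the wavwritehdr hunk (CVE-2017-11359.patch) is passed SOX_EOF as the error code, while the other hunks in this set use SOX_EHDR (wav.c and hcom.c startread) or SOX_EFMT (xa.c) for invalid header values; SOX_EOF is the function's return value, not an error class, so SOX_EFMT reads better for "Too many channels". UINT16_MAX also requires <stdint.h>, and the hunk does not show whether wav.c already includes it, so check the build on the oldest supported toolchain.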
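Review bot: the extended condition in the ImaAdpcmReadBlock hunk (CVE-2017-15370.patch), samplesThisBlock > wav->samplesPerBlock, reuses the "Premature EOF on .wav input file" warning, which does not describe the new case: a block that decodes to more samples than the header's samplesPerBlock is corrupt input, not a short read. Splitting the two conditions so the oversized block gets its own message (for example "ADPCM block exceeds samplesPerBlock") would make the condition this CVE is about diagnosable from the log rather than looking like a truncated file.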
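Review bot: the flac.c hunk (CVE-2017-15371.patch) drops comments whose entry pointer is NULL without any diagnostic, so a corrupt Vorbis comment block is now silently skipped; an lsx_warn() on the skipped entry would preserve the evidence for the user. The refactoring to a local vc pointer is fine, but it is a behaviour-neutral change mixed into a security fix, which buries the single functional line (if (vc->comments[i].entry)) inside a larger diff; keeping the fix to that line would make it easier to audit and to backport.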
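Review bot: in the wav.c startread hunk of CVE-2017-15372.patch the per-channel decoder state is allocated with lsx_ms_adpcm_alloc(wChannels), the channel count from the header, but AdpcmReadBlock calls lsx_ms_adpcm_block_expand_i() with ft->signal.channels, and the CVE-2017-11332 hunk shows that ft->signal.channels can be a user override that differs from the header value ("User options overriding channels read in .wav header"). If the override is larger than wChannels, the state buffer is smaller than the channel count it is indexed by, which is the same class of bug this patch replaces the fixed MsState_t state[4] array to fix; allocate with the value the decoder is actually called with, or reject a mismatch for ADPCM input. Three smaller points: lsx_ms_adpcm_alloc() computes chans * sizeof(MsState_t) with no overflow check, so an upper bound on channels (as in the xa.c hunk) belongs in front of it; the free(wav->ms_adpcm_data) added to stopread is only safe for non-ADPCM files if the priv struct is zero-initialised, which the hunk does not show; and the extern keyword on the function definition in adpcm.c is redundant (it is only meaningful on the declaration in adpcm.h).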
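Review bot: moving "char *comment = NULL;" into the COMT block of lsx_aiffstartread (CVE-2017-15642.patch) fixes the stale pointer being reused by a second COMT chunk, but the hunk shows only the declaration and the failing "if (rc)" path after commentChunk(); confirm that every exit from the COMT block either frees comment or hands it to the format's comment list, because a pointer that is now block-scoped can no longer be released at the end of the function. The patch also carries no upstream Subject/commit header like the other patches in this set, so citing the upstream commit in the Description line would help traceability.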
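Review bot: the xa.c hunk (CVE-2017-18189.patch) prints ft->signal.channels with "%d" while the wavwritehdr hunk in CVE-2017-11359.patch prints the same field with "%u"; the field is unsigned, so "%u" is the correct specifier and -Wformat will flag the "%d". The check itself (zero and > UINT16_MAX) matches the two goals stated in the Description, no infinite loop in read_channels() and no overflow in the multiplication, and placing it before the "Check for supported formats" block is the right order since every later check assumes a sane channel count.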
