Hello community,

here is the log from the commit of package timidity for openSUSE:Factory checked in at 2018-02-20 17:57:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/timidity (Old)
 and      /work/SRC/openSUSE:Factory/.timidity.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "timidity" Tue Feb 20 17:57:45 2018 rev:40 rq:578388 version:2.14.0 Changes: -------- --- /work/SRC/openSUSE:Factory/timidity/timidity.changes 2017-11-24 10:54:43.995709286 +0100 +++ /work/SRC/openSUSE:Factory/.timidity.new/timidity.changes 2018-02-20 17:59:47.680269935 +0100 @@ -1,0 +2,11 @@ +Tue Feb 20 14:33:10 CET 2018 - [email protected] + +- Fix division-by-zero with malformed MIDI file (CVE-2017-11546, + bsc#1081694): + timidity-readmidi-zero-division-fix.patch +- Fix out-of-bound accesses in the resamplers (CVE-2017-11547, + bsc#1081694): + timidity-resample-frac-overflow-fix.patch +- Drop tcl/tk dependency; it's already broken with Tcl/Tk 8.6 + +------------------------------------------------------------------- New: ---- timidity-readmidi-zero-division-fix.patch timidity-resample-frac-overflow-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ timidity.spec ++++++ --- /var/tmp/diff_new_pack.VVXWc3/_old 2018-02-20 17:59:48.884226604 +0100 +++ /var/tmp/diff_new_pack.VVXWc3/_new 2018-02-20 17:59:48.888226460 +0100 @@ -1,7 +1,7 @@ # # spec file for package timidity # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -40,7 +40,6 @@ BuildRequires: ncurses-devel BuildRequires: slang-devel BuildRequires: speex-devel -BuildRequires: tk-devel BuildRequires: update-desktop-files BuildRequires: xaw3d BuildRequires: xorg-x11 @@ -61,6 +60,8 @@ Patch2: 0002-Fix-alsaseq-polling-at-idle-time.patch Patch100: timidity-no_date.patch Patch101: timidity-add_fluid_cfgs.patch +Patch200: timidity-readmidi-zero-division-fix.patch +Patch201: timidity-resample-frac-overflow-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -74,6 +75,8 @@ %patch2 -p1 %patch100 %patch101 +%patch200 -p1 +%patch201 -p1 for f in ./utils/bitset.c ./utils/bitset.h ./utils/nkflib.c; do iconv -f EUC-JISX0213 -t UTF-8 $f > $f.utf8 && mv $f.utf8 $f done @@ -82,7 +85,7 @@ echo >> autoconf/arts.m4 autoreconf --force --install %configure \ - --enable-dynamic=ncurses,emacs,slang,vt100,xskin,gtk,tcltk,alsaseq,server \ + --enable-dynamic=ncurses,emacs,slang,vt100,xskin,gtk,alsaseq,server \ --enable-audio=alsa,oss,vorbis,jack,ao,flac,speex \ --with-default-output=alsa \ --enable-network \ ++++++ timidity-readmidi-zero-division-fix.patch ++++++ From: Takashi Iwai <[email protected]> Subject: readmidi: Fix division by zero References: CVE-2017-11546 An adhoc fix for division by zero in insert_note_steps(). Signed-off-by: Takashi Iwai <[email protected]> --- timidity/readmidi.c | 2 ++ 1 file changed, 2 insertions(+) --- a/timidity/readmidi.c +++ b/timidity/readmidi.c @@ -4585,6 +4585,8 @@ static void insert_note_steps(void) if (beat != 0) meas++, beat = 0; num = timesig[n].a, denom = timesig[n].b, n++; + if (!denom) + denom = 1; } a = (meas + 1) & 0xff; b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4); ++++++ timidity-resample-frac-overflow-fix.patch ++++++ From: Takashi Iwai <[email protected]> Subject: resample: Fix out-of-bound access in resamplers References: CVE-2017-11547 An adhoc fix for out-of-bound accesses in resamples. The offset might overflow the given data range. Signed-off-by: Takashi Iwai <[email protected]> --- a/timidity/resample.c +++ b/timidity/resample.c @@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t ofs, resample_rec_t *r { int32 ofsi, ofsf, v0, v1, v2, v3, temp; + if (ofs + (1 << FRACTION_BITS) >= rec->data_length) + return src[ofs >> FRACTION_BITS]; ofsi = ofs >> FRACTION_BITS; v1 = src[ofsi]; v2 = src[ofsi + 1]; 
@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t ofs, resample_rec_t * { int32 ofsi, ofsf, v0, v1, v2, v3; + if (ofs + (1 << FRACTION_BITS) >= rec->data_length) + return src[ofs >> FRACTION_BITS]; ofsi = ofs >> FRACTION_BITS; v1 = (int32)src[ofsi]; v2 = (int32)src[ofsi + 1]; @@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t ofs, resample_rec_t *rec sample_t *sptr; int32 left, right, temp_n; + if (ofs + (1 << FRACTION_BITS) >= rec->data_length) + return src[ofs >> FRACTION_BITS]; left = (ofs>>FRACTION_BITS); right = (rec->data_length>>FRACTION_BITS) - left - 1; temp_n = (right<<1)-1; @@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t ofs, resample_rec_t *re int32 left, right, temp_n; int ii, jj; + if (ofs + (1 << FRACTION_BITS) >= rec->data_length) + return src[ofs >> FRACTION_BITS]; left = (ofs>>FRACTION_BITS); right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1; temp_n = (right<<1)-1; @@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t ofs, resample_rec_t *re { int32 v1, v2, ofsi; + if (ofs + (1 << FRACTION_BITS) >= rec->data_length) + return src[ofs >> FRACTION_BITS]; ofsi = ofs >> FRACTION_BITS; v1 = src[ofsi]; v2 = src[ofsi + 1];
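Review bot: In the insert_note_steps() hunk of timidity-readmidi-zero-division-fix.patch, the added `if (!denom) denom = 1;` guards only this one reload of denom from timesig[n].b; any other place where denom is assigned (none is visible in the hunk) would need the same check. Consider rejecting or normalising a zero denominator at the point where timesig[] is filled from the file, so every consumer is covered, and emit a warning there, because silently substituting 1 changes the measure/beat values computed for a malformed file. The same statement takes num = timesig[n].a unchecked; please confirm num is never used as a divisor.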
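Review bot: In all five hunks of timidity-resample-frac-overflow-fix.patch (resample_cspline, resample_lagrange, resample_gauss, resample_newton, resample_linear), the fallback `return src[ofs >> FRACTION_BITS];` still indexes src with the unchecked offset. The added condition is also true when ofs is already at or beyond rec->data_length, and in that case the early return itself reads past the data. Suggest clamping the index to the last valid sample, or returning silence, when ofs >= rec->data_length. Since the same two lines are pasted into five functions, a small static inline helper would keep the bound in one place and make a later correction harder to miss in one resampler.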
