Hello community,

here is the log from the commit of package libid3tag for openSUSE:Factory checked in at 2018-02-22 14:58:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libid3tag (Old)
 and      /work/SRC/openSUSE:Factory/.libid3tag.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libid3tag" Thu Feb 22 14:58:36 2018 rev:25 rq:578699 version:0.15.1b Changes: -------- --- /work/SRC/openSUSE:Factory/libid3tag/libid3tag.changes 2017-10-21 20:20:31.246526612 +0200 +++ /work/SRC/openSUSE:Factory/.libid3tag.new/libid3tag.changes 2018-02-22 14:58:39.198190844 +0100 @@ -1,0 +2,16 @@ +Wed Feb 21 10:59:28 UTC 2018 - [email protected] + +- Added libid3tag-utf16.patch: Fixed id3_utf16_deserialize() in utf16.c, + which previously misparsed ID3v2 tags encoded in UTF-16 with an odd + number of bytes, triggering an endless loop allocating memory until + OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551 + bsc#1081961) + +- Added libid3tag-unknown-encoding.patch: Fixed the handling of unknown + encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 + CVE-2008-2109 bsc#387731) + +- Removed libid3tag-0.15.1b-fix_overflow.patch, since it is handled + differently by libid3tag-utf16.patch already. + +------------------------------------------------------------------- Old: ---- libid3tag-0.15.1b-fix_overflow.patch New: ---- libid3tag-unknown-encoding.patch libid3tag-utf16.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libid3tag.spec ++++++ --- /var/tmp/diff_new_pack.0a51iK/_old 2018-02-22 14:58:39.926164651 +0100 +++ /var/tmp/diff_new_pack.0a51iK/_new 2018-02-22 14:58:39.926164651 +0100 @@ -1,7 +1,7 @@ # # spec file for package libid3tag # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -31,10 +31,11 @@ Patch2: libid3tag-0.15.1b-mb.diff Patch3: libid3tag-automake-fix.dif Patch4: libid3tag-optflags.patch -Patch5: libid3tag-0.15.1b-fix_overflow.patch -Patch6: libid3tag-visibility.patch +Patch5: libid3tag-visibility.patch # PATCH-FIX-UPSTREAM fix-build-with-gperf-3.1.diff [email protected] -- Fix build with gperf 3.1 -Patch7: fix-build-with-gperf-3.1.diff +Patch6: fix-build-with-gperf-3.1.diff +Patch7: libid3tag-utf16.patch +Patch8: libid3tag-unknown-encoding.patch BuildRequires: gperf BuildRequires: libtool BuildRequires: pkg-config @@ -74,10 +75,11 @@ %patch3 %patch4 %patch5 -%patch6 %if 0%{?suse_version} > 1320 -%patch7 -p1 +%patch6 -p1 %endif +%patch7 -p1 +%patch8 -p1 %build autoreconf -fiv ++++++ libid3tag-unknown-encoding.patch ++++++ References: https://sources.debian.org/src/libid3tag/0.15.1b-13/debian/patches/11_unknown_encoding.dpatch/ From: Karol Babioch <[email protected]> Date: Wed Feb 21 13:23:47 CET 2018 Upstream: dead Subject: Fix unknown encoding when parsing ID3 tags Fixes the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 CVE-2008-2109 bsc#387731) --- compat.gperf | 3 +++ parse.c | 4 ++++ 2 files changed, 7 insertions(+) Index: libid3tag-0.15.1b/compat.gperf =================================================================== --- libid3tag-0.15.1b.orig/compat.gperf +++ libid3tag-0.15.1b/compat.gperf @@ -241,6 +241,9 @@ int id3_compat_fixup(struct id3_tag *tag encoding = id3_parse_uint(&data, 1); string = id3_parse_string(&data, end - data, encoding, 0); + if (!string) + continue; + if (id3_ucs4_length(string) < 4) { free(string); continue; Index: libid3tag-0.15.1b/parse.c =================================================================== --- libid3tag-0.15.1b.orig/parse.c +++ libid3tag-0.15.1b/parse.c 
@@ -165,6 +165,10 @@ id3_ucs4_t *id3_parse_string(id3_byte_t case ID3_FIELD_TEXTENCODING_UTF_8: ucs4 = id3_utf8_deserialize(ptr, length); break; + + default: + /* FIXME: Unknown encoding! Print warning? */ + return NULL; } if (ucs4 && !full) { ++++++ libid3tag-utf16.patch ++++++ From: Karol Babioch <[email protected]> Date: Tue Feb 20 17:52:15 CET 2018 Upstream: dead References: https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/ Subject: Fixes utf16 handling in case of an odd number of bytes Fixes id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551 bsc#1081961) --- utf16.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Index: libid3tag-0.15.1b/utf16.c =================================================================== --- libid3tag-0.15.1b.orig/utf16.c +++ libid3tag-0.15.1b/utf16.c @@ -282,5 +282,18 @@ id3_ucs4_t *id3_utf16_deserialize(id3_by free(utf16); + if (end == *ptr && length % 2 != 0) + { + /* We were called with a bogus length. It should always + * be an even number. We can deal with this in a few ways: + * - Always give an error. + * - Try and parse as much as we can and + * - return an error if we're called again when we + * already tried to parse everything we can. + * - tell that we parsed it, which is what we do here. + */ + (*ptr)++; + } + return ucs4; }
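Review bot: In the libid3tag.changes entry, the line removing libid3tag-0.15.1b-fix_overflow.patch does not say which bug or CVE that patch fixed, so the statement that libid3tag-utf16.patch "already" handles it cannot be checked from the changelog. Name the issue the dropped patch covered, so a later reader can confirm the overflow case is still closed.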
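Review bot: In the libid3tag.spec hunk at @@ -31,10 +31,11 @@, the new Patch7 and Patch8 lines have no descriptive comment, while the gperf patch directly above them carries a "# PATCH-FIX-UPSTREAM ..." line. Add a comment line above each new patch that names the CVE and bsc numbers it addresses, so the security fixes can be traced from the spec file without opening the patches.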
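Review bot: In the compat.gperf hunk, the new "if (!string) continue;" guards only this one call to id3_parse_string(), yet the parse.c hunk in the same patch makes that function return NULL for any unknown encoding. Every other caller of id3_parse_string() has to tolerate a NULL result as well; audit them and add the same check where it is missing, or record in the patch header that they were checked.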
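Review bot: In the parse.c hunk, the new default branch ships with an open "FIXME: Unknown encoding! Print warning?" comment, and its NULL return cannot be told apart from a deserialize call that produced NULL, which the existing "if (ucs4 && !full)" test already allows for. Resolve the FIXME before release: either drop the question or state in the comment that an unknown encoding byte is treated as a parse failure. The early return also bypasses the code after the switch, so confirm nothing there is needed on the failure path.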
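Review bot: In the utf16.c hunk, the added block advances *ptr past the trailing byte of an odd-length field and reports the string as parsed, so a malformed tag becomes indistinguishable from a valid one; the comment lists "Always give an error" as an option but gives no reason for rejecting it. Say in the comment why the byte is consumed instead, and how doing so prevents the endless loop named in the patch description. The nested bullet list in the comment is hard to follow, and the opening brace on its own line differs from the "if (...) {" style visible in the other hunks of this patch.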
