Hello community,

here is the log from the commit of package libid3tag for openSUSE:Factory 
checked in at 2018-02-22 14:58:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libid3tag (Old)
 and      /work/SRC/openSUSE:Factory/.libid3tag.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libid3tag"

Thu Feb 22 14:58:36 2018 rev:25 rq:578699 version:0.15.1b

Changes:
--------
--- /work/SRC/openSUSE:Factory/libid3tag/libid3tag.changes      2017-10-21 
20:20:31.246526612 +0200
+++ /work/SRC/openSUSE:Factory/.libid3tag.new/libid3tag.changes 2018-02-22 
14:58:39.198190844 +0100
@@ -1,0 +2,16 @@
+Wed Feb 21 10:59:28 UTC 2018 - kbabi...@suse.com
+
+- Added libid3tag-utf16.patch: Fixed id3_utf16_deserialize() in utf16.c,
+  which previously misparsed ID3v2 tags encoded in UTF-16 with an odd
+  number of bytes, triggering an endless loop allocating memory until
+  OOM leading to DoS. (CVE-2004-2779 bsc#1081959 CVE-2017-11551
+  bsc#1081961)
+
+- Added libid3tag-unknown-encoding.patch: Fixed the handling of unknown
+  encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962
+  CVE-2008-2109 bsc#387731)
+
+- Removed libid3tag-0.15.1b-fix_overflow.patch, since it is handled
+  differently by libid3tag-utf16.patch already.
+
+-------------------------------------------------------------------
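Review bot: the last entry, removing libid3tag-0.15.1b-fix_overflow.patch, does not say which bug or CVE that patch addressed, so a reader cannot confirm from the changelog that libid3tag-utf16.patch really covers the same case. Add the bsc# or CVE reference of the removed patch to that entry, in the same form used for the two "Added" entries above it.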

Old:
----
  libid3tag-0.15.1b-fix_overflow.patch

New:
----
  libid3tag-unknown-encoding.patch
  libid3tag-utf16.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libid3tag.spec ++++++
--- /var/tmp/diff_new_pack.0a51iK/_old  2018-02-22 14:58:39.926164651 +0100
+++ /var/tmp/diff_new_pack.0a51iK/_new  2018-02-22 14:58:39.926164651 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libid3tag
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,10 +31,11 @@
 Patch2:         libid3tag-0.15.1b-mb.diff
 Patch3:         libid3tag-automake-fix.dif
 Patch4:         libid3tag-optflags.patch
-Patch5:         libid3tag-0.15.1b-fix_overflow.patch
-Patch6:         libid3tag-visibility.patch
+Patch5:         libid3tag-visibility.patch
 # PATCH-FIX-UPSTREAM fix-build-with-gperf-3.1.diff alarr...@suse.com -- Fix 
build with gperf 3.1
-Patch7:         fix-build-with-gperf-3.1.diff
+Patch6:         fix-build-with-gperf-3.1.diff
+Patch7:         libid3tag-utf16.patch
+Patch8:         libid3tag-unknown-encoding.patch
 BuildRequires:  gperf
 BuildRequires:  libtool
 BuildRequires:  pkg-config
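Review bot: the new Patch7 and Patch8 lines have no tag comment, unlike fix-build-with-gperf-3.1.diff, which has a "# PATCH-FIX-UPSTREAM ..." line directly above it. Add a comment line above each of the two new patches giving the patch name, the author and the bsc#/CVE references already listed in the changelog, so the spec file documents why each security patch is present.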
@@ -74,10 +75,11 @@
 %patch3
 %patch4
 %patch5
-%patch6
 %if 0%{?suse_version} > 1320
-%patch7 -p1
+%patch6 -p1
 %endif
+%patch7 -p1
+%patch8 -p1
 
 %build
 autoreconf -fiv
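Review bot: %patch8 is applied unconditionally after %patch6, which only runs when suse_version > 1320, and the diffstat of libid3tag-unknown-encoding.patch shows that it edits compat.gperf. If fix-build-with-gperf-3.1.diff also touches compat.gperf, the context for %patch8 differs between the two build targets, so it is worth confirming that %patch8 applies without fuzz or rejects both with and without %patch6.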

++++++ libid3tag-unknown-encoding.patch ++++++
References: 
https://sources.debian.org/src/libid3tag/0.15.1b-13/debian/patches/11_unknown_encoding.dpatch/
From: Karol Babioch <kbabi...@suse.com>
Date: Wed Feb 21 13:23:47 CET 2018
Upstream: dead
Subject: Fix unknown encoding when parsing ID3 tags

Fixes the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 
bsc#1081962 CVE-2008-2109 bsc#387731)

---
 compat.gperf |    3 +++
 parse.c      |    4 ++++
 2 files changed, 7 insertions(+)

Index: libid3tag-0.15.1b/compat.gperf
===================================================================
--- libid3tag-0.15.1b.orig/compat.gperf
+++ libid3tag-0.15.1b/compat.gperf
@@ -241,6 +241,9 @@ int id3_compat_fixup(struct id3_tag *tag
     encoding = id3_parse_uint(&data, 1);
     string   = id3_parse_string(&data, end - data, encoding, 0);
 
+    if (!string)
+       continue;
+
     if (id3_ucs4_length(string) < 4) {
       free(string);
       continue;
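Review bot: the added "if (!string) continue;" treats every NULL from id3_parse_string() the same way, and the parse.c context line "if (ucs4 && !full)" shows that NULL can already occur for reasons other than the new unknown-encoding case. A short comment stating that any NULL result is deliberately skipped here would document that choice. The "continue;" is also indented one column deeper than the neighbouring "free(string);" and "continue;" lines.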
Index: libid3tag-0.15.1b/parse.c
===================================================================
--- libid3tag-0.15.1b.orig/parse.c
+++ libid3tag-0.15.1b/parse.c
@@ -165,6 +165,10 @@ id3_ucs4_t *id3_parse_string(id3_byte_t
   case ID3_FIELD_TEXTENCODING_UTF_8:
     ucs4 = id3_utf8_deserialize(ptr, length);
     break;
+
+  default:
+    /* FIXME: Unknown encoding! Print warning? */
+    return NULL;
   }
 
   if (ucs4 && !full) {
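Review bot: the new "default:" branch makes id3_parse_string() return NULL for an unknown encoding, but this patch adds a NULL check at only one call site (compat.gperf); the diffstat lists no other files. Any other caller of id3_parse_string() should be checked for NULL handling before this lands. The "FIXME: Unknown encoding! Print warning?" comment should either be resolved or replaced with a statement of the chosen behaviour, namely that the string is rejected and NULL is returned.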
++++++ libid3tag-utf16.patch ++++++
From: Karol Babioch <kbabi...@suse.com>
Date: Tue Feb 20 17:52:15 CET 2018
Upstream: dead
References: 
https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
Subject: Fixes utf16 handling in case of an odd number of bytes

Fixes id3_utf16_deserialize() in utf16.c, which previously misparsed ID3v2 tags
encoded in UTF-16 with an odd number of bytes, triggering an endless loop
allocating memory until OOM leading to DoS. (CVE-2004-2779 bsc#1081959
CVE-2017-11551 bsc#1081961)

---
 utf16.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

Index: libid3tag-0.15.1b/utf16.c
===================================================================
--- libid3tag-0.15.1b.orig/utf16.c
+++ libid3tag-0.15.1b/utf16.c
@@ -282,5 +282,18 @@ id3_ucs4_t *id3_utf16_deserialize(id3_by
 
   free(utf16);
 
+  if (end == *ptr && length % 2 != 0)
+  {
+     /* We were called with a bogus length.  It should always
+      * be an even number.  We can deal with this in a few ways:
+      * - Always give an error.
+      * - Try and parse as much as we can and
+      *   - return an error if we're called again when we
+      *     already tried to parse everything we can.
+      *   - tell that we parsed it, which is what we do here.
+      */
+     (*ptr)++;
+  }
+
   return ucs4;
 }
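Review bot: the condition "end == *ptr && length % 2 != 0" depends on how "end" was computed earlier in id3_utf16_deserialize(), which this hunk does not show. The comment should state the invariant it relies on (that "end" stops short of the odd trailing byte), so that the single "(*ptr)++" is visibly within the caller's buffer. The body of the new block is indented five columns where the surrounding lines use two, and the diffstat shows that no test with an odd-length UTF-16 field accompanies the fix.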
