Hello community,

here is the log from the commit of package libvorbis for openSUSE:Factory 
checked in at 2018-05-06 15:00:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvorbis (Old)
 and      /work/SRC/openSUSE:Factory/.libvorbis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvorbis"

Sun May  6 15:00:56 2018 rev:50 rq:604034 version:1.3.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes      2018-03-22 
11:58:42.591458369 +0100
+++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2018-05-06 
15:00:58.138126005 +0200
@@ -1,0 +2,10 @@
+Thu May  3 15:56:28 CEST 2018 - [email protected]
+
+- Fix out-of-bounds access inside bark_noise_hybridmp function
+  (CVE-2017-14160, bsc#1059812):
+  downstream fix: vorbis-CVE-2017-14160.patch
+- Fix stack-basedbuffer over-read in bark_noise_hybridm
+  (CVE-2018-10393, bsc#1091072):
+  downstream fix: vorbis-CVE-2018-10393.patch
+  
+-------------------------------------------------------------------

New:
----
  vorbis-CVE-2017-14160.patch
  vorbis-CVE-2018-10393.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvorbis.spec ++++++
--- /var/tmp/diff_new_pack.bmPoSJ/_old  2018-05-06 15:00:58.934096791 +0200
+++ /var/tmp/diff_new_pack.bmPoSJ/_new  2018-05-06 15:00:58.938096644 +0200
@@ -28,6 +28,8 @@
 Patch1:         libvorbis-lib64.dif
 Patch2:         libvorbis-m4.dif
 Patch12:        vorbis-ocloexec.patch
+Patch101:       vorbis-CVE-2017-14160.patch
+Patch102:       vorbis-CVE-2018-10393.patch
 BuildRequires:  libogg-devel
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -116,6 +118,8 @@
 %patch1
 fi
 %patch12
+%patch101 -p1
+%patch102 -p1
 
 %build
 # Fix optimization level

++++++ vorbis-CVE-2017-14160.patch ++++++
>From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
Message-Id: 
<98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git....@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <[email protected]>
Date: Wed, 15 Nov 2017 13:12:00 +0100
Subject: [PATCH] CVE-2017-14160: make sure we don't overflow

---
 lib/psy.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/lib/psy.c
+++ b/lib/psy.c
@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,co
     XY[i] = tXY;
   }
 
-  for (i = 0, x = 0.f;; i++, x += 1.f) {
+  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
 
     lo = b[i] >> 16;
     if( lo>=0 ) break;
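Review bot: The new `i < n` loop condition has no comment saying which accesses it bounds, and the subject line ("make sure we don't overflow") can be read as covering more than the condition does. From the visible lines it limits only the index `i` used for `b[i]` and `noise[i]`; `hi` and `lo`, which index `N`, `X` and `XX`, are derived from `b[i]` or from `fixed` and are not constrained by it. A comment above the loop such as `/* i < n bounds b[i] and noise[i] only; it does not bound hi or lo */` would make that explicit, and the same applies to the loops in the hunks at -621, -651 and -670. The body of bark_noise_hybridmp starts and ends outside this hunk.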
@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,co
     noise[i] = R - offset;
   }
 
-  for ( ;; i++, x += 1.f) {
+  for ( ; i < n; i++, x += 1.f) {
 
     lo = b[i] >> 16;
     hi = b[i] & 0xffff;
     if(hi>=n)break;
-
     tN = N[hi] - N[lo];
     tX = X[hi] - X[lo];
     tXX = XX[hi] - XX[lo];
@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,co
 
   if (fixed <= 0) return;
 
-  for (i = 0, x = 0.f;; i++, x += 1.f) {
+  for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
     hi = i + fixed / 2;
     lo = hi - fixed;
     if(lo>=0)break;
@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,co
 
     if (R - offset < noise[i]) noise[i] = R - offset;
   }
-  for ( ;; i++, x += 1.f) {
+  for ( ; i < n; i++, x += 1.f) {
 
     hi = i + fixed / 2;
     lo = hi - fixed;
++++++ vorbis-CVE-2018-10393.patch ++++++
---
 lib/psy.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/lib/psy.c
+++ b/lib/psy.c
@@ -604,6 +604,7 @@ static void bark_noise_hybridmp(int n,co
     lo = b[i] >> 16;
     if( lo>=0 ) break;
     hi = b[i] & 0xffff;
+    if( hi>=n || -lo >=n ) break;
 
     tN = N[hi] + N[-lo];
     tX = X[hi] - X[-lo];
@@ -625,7 +626,7 @@ static void bark_noise_hybridmp(int n,co
 
     lo = b[i] >> 16;
     hi = b[i] & 0xffff;
-    if(hi>=n)break;
+    if( hi>=n || lo >=n ) break;
     tN = N[hi] - N[lo];
     tX = X[hi] - X[lo];
     tXX = XX[hi] - XX[lo];
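Review bot: A negative `lo` can still reach `N[lo]`, `X[lo]` and `XX[lo]` in this loop, because the new test `if( hi>=n || lo >=n ) break;` checks only the upper end of the range. The preceding loop (hunk at -604) now also exits on `-lo >= n`, at which point `lo` is still negative; this loop appears to continue from the same `i` (its `for` has no initialiser in the other patch on this page) and recomputes the same `lo`, so with `hi < n` the read would land before the start of the arrays. The guard should reject the low side too, `if( hi>=n || lo<0 || lo>=n ) break;`. The fixed-window loop in the hunk at -674 looks to have the same gap after the `-lo >= n` exit added at -654. The loop bodies continue outside the hunks, so this is inferred from the visible lines only.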
@@ -654,6 +655,7 @@ static void bark_noise_hybridmp(int n,co
     hi = i + fixed / 2;
     lo = hi - fixed;
     if(lo>=0)break;
+    if( hi>=n || -lo >=n ) break;
 
     tN = N[hi] + N[-lo];
     tX = X[hi] - X[-lo];
@@ -674,6 +676,7 @@ static void bark_noise_hybridmp(int n,co
     hi = i + fixed / 2;
     lo = hi - fixed;
     if(hi>=n)break;
+    if( hi>=n || lo >=n ) break;
 
     tN = N[hi] - N[lo];
     tX = X[hi] - X[lo];
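Review bot: The added `if( hi>=n || lo >=n ) break;` sits directly under the unchanged `if(hi>=n)break;`, so its `hi>=n` half can never fire. With `lo = hi - fixed`, the `lo >= n` half cannot be true once `hi < n` unless `fixed` is negative, which the function's earlier `if (fixed <= 0) return;` appears to rule out. As written the new line adds no effective bound in this loop and leaves two overlapping checks for the next reader to reconcile. Delete the old `if(hi>=n)break;` so that one condition remains, and add a short comment stating which bound on `lo` this loop relies on.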
