Hello community, here is the log from the commit of package wavpack for openSUSE:Factory checked in at 2019-01-15 13:14:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wavpack (Old) and /work/SRC/openSUSE:Factory/.wavpack.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wavpack" Tue Jan 15 13:14:36 2019 rev:26 rq:663576 version:5.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/wavpack/wavpack.changes 2018-02-21 14:10:04.665200854 +0100 +++ /work/SRC/openSUSE:Factory/.wavpack.new.28833/wavpack.changes 2019-01-15 13:14:37.988439844 +0100 @@ -1,0 +2,8 @@ +Mon Jan 7 19:29:45 CET 2019 - [email protected] + +- Fix denial-of-service (resource exhaustion caused by an infinite + loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch). +- Fix denial-of-service (out-of-bounds read and application crash; + bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch). + +------------------------------------------------------------------- New: ---- CVE-2018-19840.patch CVE-2018-19841.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wavpack.spec ++++++ --- /var/tmp/diff_new_pack.XgnYBz/_old 2019-01-15 13:14:38.616439352 +0100 +++ /var/tmp/diff_new_pack.XgnYBz/_new 2019-01-15 13:14:38.620439349 +0100 @@ -1,7 +1,7 @@ # # spec file for package wavpack # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -31,6 +31,10 @@ Patch0: wavpack-CVE-2018-6767.patch Patch1: CVE-2018-7253.patch Patch2: CVE-2018-7254.patch +# PATCH-FIX-SECURITY CVE-2018-19840.patch bsc1120930 CVE-2018-19840 [email protected] -- Fix denial-of-service (resource exhaustion caused by an infinite loop). +Patch3: CVE-2018-19840.patch +# PATCH-FIX-SECURITY CVE-2018-19841.patch bsc1120929 CVE-2018-19841 [email protected] -- Fix denial-of-service (out-of-bounds read and application crash). +Patch4: CVE-2018-19841.patch BuildRequires: libtool BuildRequires: pkgconfig @@ -77,6 +81,8 @@ %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build autoreconf -fiv ++++++ CVE-2018-19840.patch ++++++ >From 070ef6f138956d9ea9612e69586152339dbefe51 Mon Sep 17 00:00:00 2001 From: David Bryant <[email protected]> Date: Thu, 29 Nov 2018 21:00:42 -0800 Subject: [PATCH] issue #53: error out on zero sample rate --- src/pack_utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/pack_utils.c b/src/pack_utils.c index 2253f0d..2a83497 100644 --- a/src/pack_utils.c +++ b/src/pack_utils.c @@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64 int num_chans = config->num_channels; int i; + if (!config->sample_rate) { + strcpy (wpc->error_message, "sample rate cannot be zero!"); + return FALSE; + } + wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS; if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) { -- 2.20.1 ++++++ CVE-2018-19841.patch ++++++ >From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001 From: David Bryant <[email protected]> Date: Thu, 29 Nov 2018 21:53:51 -0800 Subject: [PATCH] issue #54: fix potential out-of-bounds heap read --- src/open_utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/open_utils.c b/src/open_utils.c index 80051fc..4fe0d67 100644 --- a/src/open_utils.c +++ b/src/open_utils.c @@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum) #endif if (meta_bc == 4) { - if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff)) + if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff)) return FALSE; } else { csum ^= csum >> 16; - if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff)) + if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff)) return FALSE; } -- 2.20.1
