Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gpac

Moritz has kindly pointed out and backported the relevant patches from upstream
that fix these two issues. Here is the relevant part of debian/changelog:

  * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
    to Salvatore Bonaccorso (Closes: #926961).
  * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
    in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).

unblock gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5

Thanks for considering.
-rt

diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 
gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog      2019-04-01 
17:07:02.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog      2019-04-13 
16:41:15.000000000 -0400
@@ -1,3 +1,13 @@
+gpac (0.5.2-426-gc5ad4e4+dfsg5-5) unstable; urgency=medium
+
+  [ Moritz Muehlenhoff ]
+  * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
+    to Salvatore Bonaccorso (Closes: #926961).
+  * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
+    in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
+
+ -- Reinhard Tartler <siret...@tauware.de>  Sat, 13 Apr 2019 16:41:15 -0400
+
 gpac (0.5.2-426-gc5ad4e4+dfsg5-4.1) unstable; urgency=medium

   * CVE-2018-7752 (Closes: #892526)
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch 
gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch   
1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch   
2019-04-13 16:41:15.000000000 -0400
@@ -0,0 +1,180 @@
+From f4616202e5578e65746cf7e7ceeba63bee1b094b Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.da...@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:18:58 +0200
+Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf
+
+closes #1203
+---
+ applications/mp4client/main.c         |  2 +-
+ applications/osmo4_sym/osmo4_view.cpp |  2 +-
+ src/media_tools/media_export.c        |  2 +-
+ src/media_tools/media_import.c        |  2 +-
+ src/scene_manager/loader_bt.c         |  4 ++--
+ src/scene_manager/loader_isom.c       |  2 +-
+ src/scene_manager/loader_qt.c         |  2 +-
+ src/scene_manager/loader_svg.c        |  8 ++++----
+ src/scene_manager/loader_xmt.c        | 14 +++++++-------
+ src/scene_manager/swf_parse.c         |  6 +++---
+ src/scene_manager/swf_svg.c           |  2 +-
+ src/scenegraph/xbl_process.c          |  2 +-
+ src/utils/alloc.c                     |  2 +-
+ src/utils/xml_parser.c                | 24 +++++++++++++-----------
+ 15 files changed, 49 insertions(+), 47 deletions(-)
+
+--- a/applications/mp4client/main.c
++++ b/applications/mp4client/main.c
+@@ -1023,7 +1023,7 @@ static void on_gpac_log(void *cbk, u32 l
+
+       if (rti_logs && (lm & GF_LOG_RTI)) {
+               char szMsg[2048];
+-              vsprintf(szMsg, fmt, list);
++              vsnprintf(szMsg, 2048, fmt, list);
+               UpdateRTInfo(szMsg + 6 /*"[RTI] "*/);
+       } else {
+               if (log_time_start) {
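Review bot: The bound on the new vsnprintf line repeats the buffer size as the literal `2048` instead of `sizeof szMsg`, so a later resize of the array would silently reintroduce the overflow this patch removes; the same literal-size pattern recurs in every other hunk of this patch (`1024`/`2048`). Prefer `vsnprintf(szMsg, sizeof szMsg, fmt, list);`. vsnprintf also truncates silently, which is acceptable for a log line, but `UpdateRTInfo(szMsg + 6)` still assumes at least six characters were written — presumably the "[RTI] " prefix is always present on this path, but the hunk does not show that being guaranteed. on_gpac_log starts and ends outside the hunk.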
+--- a/src/media_tools/media_export.c
++++ b/src/media_tools/media_export.c
+@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_Media
+               va_list args;
+               char szMsg[1024];
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 1024, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_AUTHOR, ("%s\n", szMsg) );
+       }
+--- a/src/media_tools/media_import.c
++++ b/src/media_tools/media_import.c
+@@ -50,7 +50,7 @@ GF_Err gf_import_message(GF_MediaImporte
+               va_list args;
+               char szMsg[1024];
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 1024, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, 
("%s\n", szMsg) );
+       }
+--- a/src/scene_manager/loader_bt.c
++++ b/src/scene_manager/loader_bt.c
+@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *
+               char szMsg[2048];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 2048, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line));
+       }
+--- a/src/scene_manager/loader_isom.c
++++ b/src/scene_manager/loader_isom.c
+@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *l
+               char szMsg[1024];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 1024, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) );
+       }
+--- a/src/scene_manager/loader_qt.c
++++ b/src/scene_manager/loader_qt.c
+@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoade
+               char szMsg[1024];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 1024, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) );
+       }
+--- a/src/scene_manager/loader_svg.c
++++ b/src/scene_manager/loader_svg.c
+@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *
+               char szMsg[2048];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 2048, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", 
gf_xml_sax_get_line(parser->sax_parser), szMsg));
+       }
+--- a/src/scene_manager/loader_xmt.c
++++ b/src/scene_manager/loader_xmt.c
+@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *p
+               char szMsg[2048];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 2048, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, 
gf_xml_sax_get_line(parser->sax_parser)) );
+       }
+--- a/src/scene_manager/swf_parse.c
++++ b/src/scene_manager/swf_parse.c
+@@ -2410,7 +2410,7 @@ void swf_report(SWFReader *read, GF_Err
+               char szMsg[2048];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 2048, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) 
);
+       }
+--- a/src/scene_manager/swf_svg.c
++++ b/src/scene_manager/swf_svg.c
+@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *rea
+
+       /* print the line */
+       va_start(args, format);
+-      vsprintf(line, format, args);
++      vsnprintf(line, 2000, format, args);
+       va_end(args);
+       /* add the line to the buffer */
+       line_length = (u32)strlen(line);
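Review bot: The new bound `2000` on the vsnprintf line cannot be checked against the declaration of `line`, which lies outside the hunk; if `line` is a local array the bound should be `sizeof line`, and if it is a heap pointer the literal must match the allocation size exactly, otherwise the overflow is only moved rather than removed. Recommend `vsnprintf(line, sizeof line, format, args);` where applicable, or a named constant shared with the allocation. swf_svg_print starts outside the hunk.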
+--- a/src/scenegraph/xbl_process.c
++++ b/src/scenegraph/xbl_process.c
+@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Pa
+               char szMsg[2048];
+               va_list args;
+               va_start(args, format);
+-              vsprintf(szMsg, format, args);
++              vsnprintf(szMsg, 2048, format, args);
+               va_end(args);
+               GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), 
GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", 
gf_xml_sax_get_line(parser->sax_parser), szMsg));
+       }
+--- a/src/utils/alloc.c
++++ b/src/utils/alloc.c
+@@ -658,7 +658,7 @@ static void gf_memory_log(unsigned int l
+       char msg[1024];
+       assert(strlen(fmt) < 200);
+       va_start(vl, fmt);
+-      vsprintf(msg, fmt, vl);
++      vsnprintf(msg, 1024, fmt, vl);
+       GF_LOG(level, GF_LOG_MEMORY, (msg));
+       va_end(vl);
+ }
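Review bot: The formatted text is still handed to GF_LOG as the format argument on the line `GF_LOG(level, GF_LOG_MEMORY, (msg));`, whereas every other call site in this patch passes `("%s\n", szMsg)`. If GF_LOG forwards that parenthesised list to a printf-style logger, as the other call sites suggest, any `%` that reaches `msg` through a `%s` argument of `fmt` is re-interpreted as a conversion — a format-string bug that the new vsnprintf bound does not address. Change it to `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));`. Note also that `assert(strlen(fmt) < 200)` is compiled out under NDEBUG, so the vsnprintf bound is now the only real protection here, which is fine as long as it uses `sizeof msg` rather than the literal `1024`.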
+--- a/src/utils/xml_parser.c
++++ b/src/utils/xml_parser.c
+@@ -218,14 +218,16 @@ static void format_sax_error(GF_SAXParse
+       char szM[20];
+
+       va_start(args, fmt);
+-      vsprintf(parser->err_msg, fmt, args);
++      vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args);
+       va_end(args);
+
+-      sprintf(szM, " - Line %d: ", parser->line + 1);
+-      strcat(parser->err_msg, szM);
+-      len = (u32) strlen(parser->err_msg);
+-      strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : 
parser->current_pos), 10);
+-      parser->err_msg[len + 10] = 0;
++      if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) {
++              snprintf(szM, 20, " - Line %d: ", parser->line + 1);
++              strcat(parser->err_msg, szM);
++              len = (u32) strlen(parser->err_msg);
++              strncpy(parser->err_msg + len, parser->buffer+ (linepos ? 
linepos : parser->current_pos), 10);
++              parser->err_msg[len + 10] = 0;
++      }
+       parser->sax_state = SAX_STATE_SYNTAX_ERROR;
+ }
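Review bot: The headroom constant `30` in the new guard is unexplained; it is the worst case of the `szM` suffix (at most 19 characters after snprintf into the 20-byte buffer) plus the 10 context bytes and the terminator, and a comment such as `/* 19 (szM) + 10 context bytes + NUL */` on that line would keep a future edit from breaking the invariant. The bound `20` on the snprintf line should be `sizeof szM` for the same reason. When the guard fails the line number and context are dropped silently, which is acceptable for an error message but deserves a one-line comment. The strncpy still reads up to 10 bytes from `parser->buffer` at the chosen offset, which is only safe if the buffer is NUL-terminated within that range — presumably it is, but this hunk does not show it.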
+
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch 
gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch   
1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch   
2019-04-13 16:41:15.000000000 -0400
@@ -0,0 +1,25 @@
+From f36525c5beafb78959c3a07d6622c9028de348da Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.da...@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:54:53 +0200
+Subject: [PATCH] fix buffer overrun in gf_bin128_parse
+
+closes #1204
+closes #1205
+---
+ src/utils/os_divers.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/utils/os_divers.c
++++ b/src/utils/os_divers.c
+@@ -1958,6 +1958,11 @@ GF_Err gf_bin128_parse(char *string, bin
+                       sscanf(szV, "%x", &v);
+                       value[i] = v;
+                       i++;
++                      if (i > 15) {
++                              // force error check below
++                              i++;
++                              break;
++                      }
+               }
+       }
+       if (i != 16) {
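Review bot: The new check fires on every successful parse, not only on over-long input: after the 16th byte is stored, `i++` makes `i == 16`, so `i > 15` is true, `i` becomes 17 and the loop breaks, and the `if (i != 16)` below then rejects valid 16-byte strings as well. The error should only be forced when unconsumed input follows the 16th byte; assuming `string` still points at the byte just consumed at this point (the advance and length bookkeeping are outside the hunk), `if (i == 16) { if (string[2]) i++; break; }` would do, though the exact form depends on what the hunk does not show. The overflow itself (writing `value[16]` and beyond) is prevented either way; it is the regression on valid input that needs attention before this ships. gf_bin128_parse starts and ends outside the hunk.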
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 
gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-04-01 
17:06:55.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-04-13 
16:41:15.000000000 -0400
@@ -11,3 +11,5 @@
 CVE-2018-20760.patch
 CVE-2018-20761_CVE-2018-20762.patch
 CVE-2018-20763.patch
+CVE-2019-11221.patch
+CVE-2019-11222.patch


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
