commit 7f0a7ceabf6a8aa9737dbaca28cd8880c8f15df0 Author: Danny Rawlins <monster.romster@gmail.com> Date: Sat Mar 17 15:32:06 2018 +1100 [notify] libvorbis: 1.3.5 -> 1.3.6 CVE-2018-5146 diff --git a/libvorbis/.md5sum b/libvorbis/.md5sum index 8bbbeef92..314482ad6 100644 --- a/libvorbis/.md5sum +++ b/libvorbis/.md5sum @@ -1,4 +1,2 @@ 943275d84d55dfa072ec3a2566fd9bfa CVE-2017-14160.patch -d32bb2a15cde558464ff6b1a7199d9c6 CVE-2017-14632.patch -d54deff7374d7205441cf5e4dfd32bee CVE-2017-14633.patch -28cb28097c07a735d6af56e598e1c90f libvorbis-1.3.5.tar.xz +b7d1692f275c73e7833ed1cc2697cd65 libvorbis-1.3.6.tar.xz diff --git a/libvorbis/.signature b/libvorbis/.signature index 15a02858a..1d9b2fff7 100644 --- a/libvorbis/.signature +++ b/libvorbis/.signature @@ -1,8 +1,6 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/XBLjepyAeVAsv0mpvzium7JjPBpyQUlW+ZuPdO7oz0ATE3bC1nBn5EHSwuxsNGum4EOVduL32Cr08X2/7IVtwk= -SHA256 (Pkgfile) = 833e8c8db431ef3375b53fa800a7d06a33a9b6e62913ff5ec6c8dd5d8c1b51ad +RWSE3ohX2g5d/Shy67ruRjEpCHOsfIQxfHr8pwN3DSsHj1YwGc58vD8ZiC+750BoHQGJIKOG587Ac5kBv3pgs9/2ay7c0h5E3gc= +SHA256 (Pkgfile) = 0b19e75e688d1961d2ed901c31906a2bb1af1ee7966e7cbc40b0a16c0a8240df SHA256 (.footprint) = 709e3fdd589a25de7fa9ca41700639d37f7dae5eba48fe6cffa354efd8625b37 -SHA256 (libvorbis-1.3.5.tar.xz) = 54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1 -SHA256 (CVE-2017-14633.patch) = d1a44c7a683b3d1ab2bd645ef4ee21002cb1c7466975073381ed1e533153e328 -SHA256 (CVE-2017-14632.patch) = 2fed965880686a145c0da6abbb08224d0ed26e4bf1b1c3a8f7b5d2d33f6bc8e7 +SHA256 (libvorbis-1.3.6.tar.xz) = af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415 SHA256 (CVE-2017-14160.patch) = f93bf45de3a21db0fa9bb9cd25edefb1182bf24d61028a86cbf45fbcd11fbdf5 diff --git a/libvorbis/CVE-2017-14632.patch b/libvorbis/CVE-2017-14632.patch deleted file mode 100644 index 9ff5a8ca1..000000000 --- a/libvorbis/CVE-2017-14632.patch +++ /dev/null @@ -1,51 +0,0 @@ -From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> -Date: Wed, 15 Nov 2017 18:22:59 +0100 -Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb - if not initialized - -If the number of channels is not within the allowed range -we call oggback_writeclear altough it's not initialized yet. - -This fixes - - =23371== Invalid free() / delete / delete[] / realloc() - ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) - ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) - ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) - ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) - ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) - ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) - ==23371== by 0x10D82A: open_output_file (sox.c:1556) - ==23371== by 0x10D82A: process (sox.c:1753) - ==23371== by 0x10D82A: main (sox.c:3012) - ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd - ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) - ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) - ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) - ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) - ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) - ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) - ==23371== by 0x10D82A: open_output_file (sox.c:1556) - ==23371== by 0x10D82A: process (sox.c:1753) - ==23371== by 0x10D82A: main (sox.c:3012) - -as seen when using the testcase from CVE-2017-11333 with -008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was -there before. ---- - lib/info.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/info.c b/lib/info.c -index 7bc4ea42..8d0b2edd 100644 ---- a/lib/info.c -+++ b/lib/info.c -@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, - private_state *b=v->backend_state; - - if(!b||vi->channels<=0||vi->channels>256){ -+ b = NULL; - ret=OV_EFAULT; - goto err_out; - } diff --git a/libvorbis/CVE-2017-14633.patch b/libvorbis/CVE-2017-14633.patch deleted file mode 100644 index 069927c7b..000000000 --- a/libvorbis/CVE-2017-14633.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> -Date: Tue, 31 Oct 2017 18:32:46 +0100 -Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels - -Otherwise - - for(i=0;i<vi->channels;i++){ - /* the encoder setup assumes that all the modes used by any - specific bitrate tweaking use the same floor */ - int submap=info->chmuxlist[i]; - -overreads later in mapping0_forward since chmuxlist is a fixed array of -256 elements max. ---- - lib/info.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/info.c b/lib/info.c -index fe759edf..7bc4ea42 100644 ---- a/lib/info.c -+++ b/lib/info.c -@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, - oggpack_buffer opb; - private_state *b=v->backend_state; - -- if(!b||vi->channels<=0){ -+ if(!b||vi->channels<=0||vi->channels>256){ - ret=OV_EFAULT; - goto err_out; - } diff --git a/libvorbis/Pkgfile b/libvorbis/Pkgfile index 6461bb154..04d7d6f7b 100644 --- a/libvorbis/Pkgfile +++ b/libvorbis/Pkgfile @@ -4,19 +4,15 @@ # Depends on: libogg name=libvorbis -version=1.3.5 -release=2 +version=1.3.6 +release=1 source=(https://downloads.xiph.org/releases/vorbis/$name-$version.tar.xz - CVE-2017-14633.patch - CVE-2017-14632.patch CVE-2017-14160.patch) build() { cd $name-$version # https://security-tracker.debian.org/tracker/source-package/libvorbis - patch -p1 -i $SRC/CVE-2017-14633.patch - patch -p1 -i $SRC/CVE-2017-14632.patch patch -p1 -i $SRC/CVE-2017-14160.patch ./configure --prefix=/usr