diff --git a/SOURCES/flac-1.3.0-cve-2014-8962.patch b/SOURCES/flac-1.3.0-cve-2014-8962.patch
new file mode 100644
index 0000000..a2e90d5
--- /dev/null
+++ b/SOURCES/flac-1.3.0-cve-2014-8962.patch
@@ -0,0 +1,35 @@
+commit 5b3033a2b355068c11fe637e14ac742d273f076e
+Author: Erik de Castro Lopo
+Date: Tue Nov 18 07:20:25 2014 -0800
+
+ src/libFLAC/stream_decoder.c : Fix buffer read overflow.
+
+ This is CVE-2014-8962.
+
+ Reported-by: Michele Spagnuolo,
+ Google Security Team
+
+diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
+index cb66fe2..88a656d 100644
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -71,7 +71,7 @@ FLAC_API int FLAC_API_SUPPORTS_OGG_FLAC =
+ *
+ ***********************************************************************/
+
+-static FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
++static const FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' };
+
+ /***********************************************************************
+ *
+@@ -1361,6 +1361,10 @@ FLAC__bool find_metadata_(FLAC__StreamDecoder *decoder)
+ id = 0;
+ continue;
+ }
++
++ if(id >= 3)
++ return false;
++
+ if(x == ID3V2_TAG_[id]) {
+ id++;
+ i = 0;
diff --git a/SOURCES/flac-1.3.0-cve-2014-9028.patch b/SOURCES/flac-1.3.0-cve-2014-9028.patch
new file mode 100644
index 0000000..c0d793c
--- /dev/null
+++ b/SOURCES/flac-1.3.0-cve-2014-9028.patch
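Review bot: The new `if(id >= 3) return false;` in find_metadata_ reports failure without touching `decoder->protected_->state`, whereas the other `return false` paths in this decoder leave it to the callee to set the state first (the `/* read_callback_ sets the state for us */` convention visible in the sibling CVE-2014-9028 patch); unless the caller treats a bare false as a generic failure, which is not visible here, the decoder is left in whatever state it was in and the rejection is hard to diagnose. The guard also hard-codes the array length, so I would tie it to the array and say why it exists: `/* id indexes ID3V2_TAG_; reaching its length means the tag was fully matched, any other byte here is not a FLAC stream */` and `if(id >= sizeof(ID3V2_TAG_) / sizeof(ID3V2_TAG_[0]))`. The `static const` change on ID3V2_TAG_ is correct on its own. find_metadata_ starts and ends outside the hunk, so what happens to `id` after the tag is matched is not visible here and the comment wording should be checked against that code.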
@@ -0,0 +1,108 @@
+Merged four commits:
+
+commit fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
+Author: Erik de Castro Lopo
+Date: Wed Nov 19 19:35:59 2014 -0800
+
+ src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.
+
+ A file provided by the reporters caused the stream decoder to write to
+ un-allocated heap space resulting in a segfault. The solution is to
+ error out (by returning false from read_residual_partitioned_rice_())
+ instead of trying to continue to decode.
+
+ Fixes: CVE-2014-9028
+ Reported-by: Michele Spagnuolo,
+ Google Security Team
+
+commit 5a365996d739bdf4711af51d9c2c71c8a5e14660
+Author: Erik de Castro Lopo
+Date: Thu Nov 27 11:55:11 2014 +1100
+
+ src/libFLAC/stream_decoder.c : Fail safely to avoid a heap overflow.
+
+ This fix is closely related to the fix for CVE-2014-9028. When that
+ fix went public Miroslav Lichvar noticed a similar potential problem
+ spot in the same function and was able to craft a file to trigger a
+ heap write overflow.
+
+ Reported-by : Miroslav Lichvar
+
+commit b4b2910bdca010808ccf2799f55562fa91f4347b
+Author: Erik de Castro Lopo
+Date: Wed Dec 10 18:54:16 2014 +1100
+
+ src/libFLAC/stream_decoder.c : Fix seek bug.
+
+ Janne Hyvärinen reported a problem with seeking as a result of the
+ fix for CVE-2014-9028. This is a different solution to the issue
+ that should not adversely affect seeking.
+
+ This version of the fix for the above CVE has been extensively fuzz
+ tested using afl (http://lcamtuf.coredump.cx/afl/).
+
+ Reported-by: Janne Hyvärinen
+
+commit fed0dfa1086296df0af41ca8f0c6430d5ac75c87
+Author: Miroslav Lichvar
+Date: Mon Dec 15 15:46:12 2014 +0100
+
+ src/libFLAC/stream_decoder.c : Rework fix for seeking bug.
+
+ To avoid crash caused by an unbound LPC decoding when predictor order is
+ larger than blocksize, the sanity check needs to be moved to the subframe
+ decoding functions.
+
+ 
Signed-off-by: Erik de Castro Lopo
+
+diff -up flac-1.3.0/src/libFLAC/stream_decoder.c.cve-2014-9028 flac-1.3.0/src/libFLAC/stream_decoder.c
+--- flac-1.3.0/src/libFLAC/stream_decoder.c.cve-2014-9028 2015-03-27 16:59:10.898884915 +0100
++++ flac-1.3.0/src/libFLAC/stream_decoder.c 2015-03-27 17:00:34.879125031 +0100
+@@ -2550,6 +2550,11 @@ FLAC__bool read_subframe_fixed_(FLAC__St
+ case FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2:
+ if(!FLAC__bitreader_read_raw_uint32(decoder->private_->input, &u32, FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ORDER_LEN))
+ return false; /* read_callback_ sets the state for us */
++ if(decoder->private_->frame.header.blocksize >> u32 < order) {
++ send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
++ decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
++ return true;
++ }
+ subframe->entropy_coding_method.data.partitioned_rice.order = u32;
+ subframe->entropy_coding_method.data.partitioned_rice.contents = &decoder->private_->partitioned_rice_contents[channel];
+ break;
+@@ -2629,6 +2634,11 @@ FLAC__bool read_subframe_lpc_(FLAC__Stre
+ case FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2:
+ if(!FLAC__bitreader_read_raw_uint32(decoder->private_->input, &u32, FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ORDER_LEN))
+ return false; /* read_callback_ sets the state for us */
++ if(decoder->private_->frame.header.blocksize >> u32 < order) {
++ send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
++ decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
++ return true;
++ }
+ subframe->entropy_coding_method.data.partitioned_rice.order = u32;
+ subframe->entropy_coding_method.data.partitioned_rice.contents = &decoder->private_->partitioned_rice_contents[channel];
+ break;
+@@ -2704,21 +2714,8 @@ FLAC__bool read_residual_partitioned_ric
+ const unsigned plen = is_extended? 
FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_PARAMETER_LEN : FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_PARAMETER_LEN;
+ const unsigned pesc = is_extended? FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE2_ESCAPE_PARAMETER : FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ESCAPE_PARAMETER;
+
+- /* sanity checks */
+- if(partition_order == 0) {
+- if(decoder->private_->frame.header.blocksize < predictor_order) {
+- send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+- decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+- return true;
+- }
+- }
+- else {
+- if(partition_samples < predictor_order) {
+- send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC);
+- decoder->protected_->state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC;
+- return true;
+- }
+- }
++ /* invalid predictor and partition orders mush be handled in the callers */
++ FLAC__ASSERT(partition_order > 0? partition_samples >= predictor_order : decoder->private_->frame.header.blocksize >= predictor_order);
+
+ if(!FLAC__format_entropy_coding_method_partitioned_rice_contents_ensure_size(partitioned_rice_contents, flac_max(6u, partition_order))) {
+ decoder->protected_->state = FLAC__STREAM_DECODER_MEMORY_ALLOCATION_ERROR;
diff --git a/SPECS/flac.spec b/SPECS/flac.spec
index 3bd193a..bcdbe53 100644
--- a/SPECS/flac.spec
+++ b/SPECS/flac.spec
@@ -1,7 +1,7 @@
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
 Version: 1.3.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD and GPLv2+ and GFDL
 Group: Applications/Multimedia
@@ -19,6 +19,8 @@ BuildRequires: nasm >= 2.0
 Patch1: flac-metaflac_strcat.patch
 Patch2: flac-no_rice_asm.patch
+Patch3: flac-1.3.0-cve-2014-8962.patch
+Patch4: flac-1.3.0-cve-2014-9028.patch
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC 
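Review bot: The runtime rejection removed from read_residual_partitioned_rice_ is replaced by a `FLAC__ASSERT`, so if that macro follows the usual assert() pattern and is compiled out in release builds the function keeps no defence of its own against `predictor_order` exceeding the partition size; the two callers patched here (read_subframe_fixed_ and read_subframe_lpc_) now carry the check, but every other caller, present or future, has to be held to the same precondition and nothing in this hunk enforces that. The new comment also has a typo, `mush` for `must`, and should state the precondition rather than just delegate it: `/* callers must reject predictor_order larger than partition_samples (or than blocksize when partition_order == 0) before calling; only asserted here */`. In both subframe readers the added condition `blocksize >> u32 < order` parses as `(blocksize >> u32) < order`, which is the intended test, but writing it as `if((decoder->private_->frame.header.blocksize >> u32) < order) {` makes that explicit; the shift count u32 was read with FLAC__ENTROPY_CODING_METHOD_PARTITIONED_RICE_ORDER_LEN bits, so its bound (not visible here) should be confirmed to be below the width of blocksize. The five added lines are identical in both readers and could share a small static helper. read_subframe_fixed_, read_subframe_lpc_ and read_residual_partitioned_rice_ all start and end outside their hunks.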
@@ -59,6 +61,8 @@ will use the Free Lossless Audio Codec. %setup -q %patch1 -p1 -b .metaflac-strcat %patch2 -p1 -b .no_rice_asm +%patch3 -p1 -b .cve-2014-8962 +%patch4 -p1 -b .cve-2014-9028 %build # use our libtool to avoid problems with RPATH @@ -109,6 +113,10 @@ make -C test check FLAC__TEST_LEVEL=0 &> /dev/null %{_datadir}/aclocal/*.m4 %changelog +* Fri Mar 27 2015 Miroslav Lichvar 1.3.0-5 +- fix buffer overflow when processing ID3v2 metadata (CVE-2014-8962) +- fix buffer overflow with invalid blocksize (CVE-2014-9028) + * Fri Jan 24 2014 Daniel Mach - 1.3.0-4 - Mass rebuild 2014-01-24