diff --git a/SOURCES/libsndfile-1.0.31-deb669ee.patch b/SOURCES/libsndfile-1.0.31-deb669ee.patch
new file mode 100644
index 0000000..5c281e7
--- /dev/null
+++ b/SOURCES/libsndfile-1.0.31-deb669ee.patch
@@ -0,0 +1,21 @@
+diff -up libsndfile-1.0.25/src/ms_adpcm.c.deb669ee libsndfile-1.0.25/src/ms_adpcm.c
+--- libsndfile-1.0.25/src/ms_adpcm.c.deb669ee 2021-07-23 13:20:56.365818063 +0200
++++ libsndfile-1.0.25/src/ms_adpcm.c 2021-07-23 13:21:08.241674184 +0200
+@@ -140,6 +140,17 @@ wav_w64_msadpcm_init (SF_PRIVATE *psf, i
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
++ return SFE_INTERNAL ;
++ } ;
++
+ pmssize = sizeof (MSADPCM_PRIVATE) + blockalign + 3 * psf->sf.channels * samplesperblock ;
+
+ if (! (psf->codec_data = calloc (1, pmssize)))
diff --git a/SPECS/libsndfile.spec b/SPECS/libsndfile.spec
index 1023e72..5be7ea8 100644
--- a/SPECS/libsndfile.spec
+++ b/SPECS/libsndfile.spec
@@ -1,7 +1,7 @@
 Summary: Library for reading and writing sound files
 Name: libsndfile
 Version: 1.0.25
-Release: 12%{?dist}
+Release: 12%{?dist}.1
 License: LGPLv2+ and GPLv2+ and BSD
 Group: System Environment/Libraries
 URL: http://www.mega-nerd.com/libsndfile/
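Review bot: The two added guards in the ms_adpcm.c patch, and the `pmssize` line just below them, still multiply header-derived values in what looks like plain `int` arithmetic (the `%d` arguments suggest `blockalign` and `samplesperblock` are `int`), so `samplesperblock * psf->sf.channels` or `3 * psf->sf.channels * samplesperblock` can overflow for large values taken from a malformed file, and a wrapped product could satisfy the comparison and under-size the `calloc`. Nothing visible in the hunk rejects a zero or negative `blockalign`, `samplesperblock` or `psf->sf.channels` either; that may already be checked by the caller, which is outside the hunk. I would widen the comparison, e.g. `if (2 * (int64_t) blockalign < (int64_t) samplesperblock * psf->sf.channels)`, and compute `pmssize` the same way with an explicit upper bound before allocating. The body of `wav_w64_msadpcm_init` starts and ends outside the hunk.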
@@ -9,6 +9,8 @@ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Patch0: %{name}-1.0.25-system-gsm.patch Patch1: libsndfile-1.0.28-CVE_2018_13139.patch Patch2: libsndfile-1.0.28-CVE_2018_19662.patch +# from upstream, for <= 1.0.31, rhbz#1985024 +Patch3: libsndfile-1.0.31-deb669ee.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: alsa-lib-devel @@ -59,6 +61,7 @@ This package contains command line utilities for libsndfile. %patch0 -p1 %patch1 -p1 -b .CVE_2018_13139 %patch2 -p1 -b .CVE_2018_19662 +%patch3 -p1 -b .deb669ee rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch #also for aarch64 support which requires autotools 2.69+ @@ -165,6 +168,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Wed Jul 28 2021 Michal Hlavinka - 1.0.25-12.1 +- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985024) + * Wed Mar 11 2020 Michal Hlavinka - 1.0.25-12 - fix CVE-2018-19662 - buffer over-read in the function i2alaw_array (#1673086)