* [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678
@ 2020-03-01 20:37 Fabrice Fontaine
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2020-03-01 20:37 UTC (permalink / raw)
To: buildroot
In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-instance-of-TextIdentificationFrame.patch | 33 +++++++++++++++++++
package/taglib/taglib.mk | 3 ++
2 files changed, 36 insertions(+)
create mode 100644 package/taglib/0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
diff --git a/package/taglib/0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch b/package/taglib/0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
new file mode 100644
index 0000000000..c7ca9500d2
--- /dev/null
+++ b/package/taglib/0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
@@ -0,0 +1,33 @@
+From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sun, 23 Jul 2017 10:11:09 -0400
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+[Retrieved from:
+https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7be..9347ab869 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+ tag->frameList("TDAT").size() == 1)
+ {
+ TextIdentificationFrame *tdrc =
+- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+ UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+
+- if(tdrc->fieldList().size() == 1 &&
++ if(tdrc &&
++ tdrc->fieldList().size() == 1 &&
+ tdrc->fieldList().front().size() == 4 &&
+ tdat->data().size() >= 5)
+ {
diff --git a/package/taglib/taglib.mk b/package/taglib/taglib.mk
index 6f36347e61..35b54348ff 100644
--- a/package/taglib/taglib.mk
+++ b/package/taglib/taglib.mk
@@ -10,6 +10,9 @@ TAGLIB_INSTALL_STAGING = YES
TAGLIB_LICENSE = LGPL-2.1 or MPL-1.1
TAGLIB_LICENSE_FILES = COPYING.LGPL COPYING.MPL
+# 0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
+TAGLIB_IGNORE_CVES += CVE-2017-12678
+
ifeq ($(BR2_PACKAGE_ZLIB),y)
TAGLIB_DEPENDENCIES += zlib
endif
--
2.25.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439
2020-03-01 20:37 [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Fabrice Fontaine
@ 2020-03-01 20:37 ` Fabrice Fontaine
2020-03-02 22:34 ` Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
2020-03-02 22:34 ` [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
2 siblings, 2 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2020-03-01 20:37 UTC (permalink / raw)
To: buildroot
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...d-when-loading-invalid-ogg-flac-file.patch | 45 +++++++++++++++++++
package/taglib/taglib.mk | 3 ++
2 files changed, 48 insertions(+)
create mode 100644 package/taglib/0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch
diff --git a/package/taglib/0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch b/package/taglib/0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch
new file mode 100644
index 0000000000..b245659c20
--- /dev/null
+++ b/package/taglib/0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch
@@ -0,0 +1,45 @@
+From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Tue, 9 Oct 2018 18:46:55 -0500
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+ (#869)
+
+CVE-2018-11439 is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+[Retrieved from:
+https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d04508a..07ea9dccc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
diff --git a/package/taglib/taglib.mk b/package/taglib/taglib.mk
index 35b54348ff..9381e16672 100644
--- a/package/taglib/taglib.mk
+++ b/package/taglib/taglib.mk
@@ -13,6 +13,9 @@ TAGLIB_LICENSE_FILES = COPYING.LGPL COPYING.MPL
# 0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
TAGLIB_IGNORE_CVES += CVE-2017-12678
+# 0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch
+TAGLIB_IGNORE_CVES += CVE-2018-11439
+
ifeq ($(BR2_PACKAGE_ZLIB),y)
TAGLIB_DEPENDENCIES += zlib
endif
--
2.25.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678
2020-03-01 20:37 [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Fabrice Fontaine
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
@ 2020-03-02 22:34 ` Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-03-02 22:34 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In TagLib 1.11.1, the rebuildAggregateFrames function in
> id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
> remote attackers to cause a denial of service or possibly have
> unspecified other impact via a crafted audio file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
@ 2020-03-02 22:34 ` Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-03-02 22:34 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
> 1.11.1 allows remote attackers to cause information disclosure
> (heap-based buffer over-read) via a crafted audio file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678
2020-03-01 20:37 [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Fabrice Fontaine
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
2020-03-02 22:34 ` [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Peter Korsgaard
@ 2020-03-15 9:22 ` Peter Korsgaard
2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-03-15 9:22 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In TagLib 1.11.1, the rebuildAggregateFrames function in
> id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
> remote attackers to cause a denial of service or possibly have
> unspecified other impact via a crafted audio file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
2020-03-02 22:34 ` Peter Korsgaard
@ 2020-03-15 9:22 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-03-15 9:22 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
> 1.11.1 allows remote attackers to cause information disclosure
> (heap-based buffer over-read) via a crafted audio file.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-03-15 9:22 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-01 20:37 [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Fabrice Fontaine
2020-03-01 20:37 ` [Buildroot] [PATCH 2/2] package/taglib: fix CVE-2018-11439 Fabrice Fontaine
2020-03-02 22:34 ` Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
2020-03-02 22:34 ` [Buildroot] [PATCH 1/2] package/taglib: fix CVE-2017-12678 Peter Korsgaard
2020-03-15 9:22 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.