[SCM] libquicktime/master: add security patches
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Fri Jun 30 20:56:01 UTC 2017
The following commit has been merged in the master branch:
commit 4728e38f2045d3d33be3d442a0ab9801990b4339
Author: Reinhard Tartler <siretart at tauware.de>
Date: Fri Jun 30 16:18:03 2017 -0400
add security patches
diff --git a/debian/changelog b/debian/changelog
index 9a25361..4472aab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libquicktime (2:1.2.4-11) unstable; urgency=medium
+
+ * Cherry pick security patches from upstream (Closes: #864664)
+ - CVE-2017-9122
+ - CVE-2017-9123
+ - CVE-2017-9124
+ - CVE-2017-9125
+ - CVE-2017-9126
+ - CVE-2017-9127
+ - CVE-2017-9128
+
+ -- Reinhard Tartler <siretart at tauware.de> Fri, 30 Jun 2017 16:16:24 -0400
+
libquicktime (2:1.2.4-10) unstable; urgency=medium
* Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
diff --git a/debian/patches/CVE-2017-9122_et_al.patch b/debian/patches/CVE-2017-9122_et_al.patch
new file mode 100644
index 0000000..06fb7b3
--- /dev/null
+++ b/debian/patches/CVE-2017-9122_et_al.patch
@@ -0,0 +1,151 @@
+From: Burkhard Plaum <plaum at ipf.uni-stuttgart.de>
+Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
+
+Hi,
+
+I committed some (mostly trivial) updates to CVS. The following CVE's
+are fixed and/or no longer reproducible:
+
+CVE-2017-9122
+CVE-2017-9123
+CVE-2017-9124
+CVE-2017-9125
+CVE-2017-9126
+CVE-2017-9127
+CVE-2017-9128
+
+I was a bit surprised that one simple sanity check fixes a whole bunch of files.
+
+So it could be, that the problems are still there, but better hidden since the
+critical code isn't executed anymore with the sample files I got.
+
+If someone encounters more crashes, feel free to report them.
+
+Burkhard
+
+--- a/include/lqt_funcprotos.h
++++ b/include/lqt_funcprotos.h
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
+ int quicktime_write_char32(quicktime_t *file, char *string);
+ float quicktime_read_fixed16(quicktime_t *file);
+ int quicktime_write_fixed16(quicktime_t *file, float number);
+-unsigned long quicktime_read_uint32(quicktime_t *file);
+-long quicktime_read_int32(quicktime_t *file);
+-long quicktime_read_int32_le(quicktime_t *file);
++uint32_t quicktime_read_uint32(quicktime_t *file);
++int32_t quicktime_read_int32(quicktime_t *file);
++int32_t quicktime_read_int32_le(quicktime_t *file);
+ int64_t quicktime_read_int64(quicktime_t *file);
+ int64_t quicktime_read_int64_le(quicktime_t *file);
+ long quicktime_read_int24(quicktime_t *file);
+--- a/src/atom.c
++++ b/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+ atom->size = read_size64(header);
+ atom->end = atom->start + atom->size;
+ }
++/* Avoid broken files */
++ if(atom->end > file->total_length)
++ result = 1;
+ }
+
+
+--- a/src/lqt_quicktime.c
++++ b/src/lqt_quicktime.c
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
+ quicktime_set_position(file, start_position);
+ free(temp);
+
+- quicktime_read_moov(file, &file->moov, &leaf_atom);
+- got_header = 1;
++ if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++ got_header = 1;
+ }
+ else
+ quicktime_atom_skip(file, &leaf_atom);
+--- a/src/moov.c
++++ b/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+ if(quicktime_atom_is(&leaf_atom, "trak"))
+ {
+ quicktime_trak_t *trak = quicktime_add_trak(file);
+- quicktime_read_trak(file, trak, &leaf_atom);
++ if(quicktime_read_trak(file, trak, &leaf_atom))
++ return 1;
+ }
+ else
+ if(quicktime_atom_is(&leaf_atom, "udta"))
+--- a/src/trak.c
++++ b/src/trak.c
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
+ else quicktime_atom_skip(file, &leaf_atom);
+ } while(quicktime_position(file) < trak_atom->end);
+
++ /* Do some sanity checks to prevent later crashes */
++ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++ {
++ if(!trak->mdia.minf.stbl.stsc.table ||
++ !trak->mdia.minf.stbl.stco.table)
++ return 1;
++ }
++
+ #if 1
+ if(trak->mdia.minf.is_video &&
+ quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
+--- a/src/util.c
++++ b/src/util.c
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
+ return quicktime_write_data(file, data, 2);
+ }
+
+-unsigned long quicktime_read_uint32(quicktime_t *file)
++uint32_t quicktime_read_uint32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
+ return result;
+ }
+
+-long quicktime_read_int32(quicktime_t *file)
++int32_t quicktime_read_int32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
+ d = data[3];
+
+ result = (a << 24) | (b << 16) | (c << 8) | d;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+-long quicktime_read_int32_le(quicktime_t *file)
++int32_t quicktime_read_int32_le(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
+ d = data[3];
+
+ result = (d << 24) | (c << 16) | (b << 8) | a;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+ int64_t quicktime_read_int64(quicktime_t *file)
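Review bot: In the embedded src/trak.c hunk, the new sanity check tests `trak->mdia.minf.is_video || trak->mdia.minf.is_video`, the same flag twice, so a track not flagged as video never gets the stsc/stco NULL-table check and can still reach later code with missing tables. The second operand was presumably meant to be the audio flag: `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)`; confirm the field name against the minf struct, which is not visible here. In the src/atom.c hunk, `if(atom->end > file->total_length)` bounds only the upper end, so a negative or wrapping `atom->start + atom->size` from a crafted 64-bit size would pass; rejecting a size smaller than the header length or an `atom->end` below `atom->start` would close that. In the src/util.c hunks the return value of `quicktime_read_data(file, data, 4)` is still ignored, so after a short read the result appears to be assembled from an uninitialized `data[4]`. All of these functions start or end outside their hunks, so existing handling elsewhere cannot be ruled out from this view.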
diff --git a/debian/patches/series b/debian/patches/series
index 2f95641..8f801e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
libav10.patch
ffmpeg_2.9.patch
CVE-2016-2399.patch
+CVE-2017-9122_et_al.patch
--
libquicktime packaging