[libvorbis] 03/05: Removed obsolete patches CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch, CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch and CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch.
Petter Reinholdtsen
pere at moszumanska.debian.org
Thu Mar 22 08:24:37 UTC 2018
pere pushed a commit to annotated tag debian/1.3.6-1
in repository libvorbis.
commit 9dfb313332835d6606b6e32aa7e814b2bad5b7af
Author: Petter Reinholdtsen <pere at hungry.com>
Date: Thu Mar 22 08:22:17 2018 +0100
Removed obsolete patches CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch, CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch and CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch.
---
...orbis_analysis_header_out-Don-t-clear-opb.patch | 52 ------------
...33-Don-t-allow-for-more-than-256-channels.patch | 32 --------
...46-Prevent-out-of-bounds-write-in-codeboo.patch | 93 ----------------------
debian/patches/series | 3 -
4 files changed, 180 deletions(-)
diff --git a/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
deleted file mode 100644
index 2de0f6b..0000000
--- a/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
-Date: Wed, 15 Nov 2017 18:22:59 +0100
-Subject: CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not
- initialized
-
-If the number of channels is not within the allowed range
-we call oggback_writeclear although it's not initialized yet.
-
-This fixes
-
- =23371== Invalid free() / delete / delete[] / realloc()
- ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
- ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
- ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
- ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
- ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
- ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
- ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
- ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
-
-as seen when using the testcase from CVE-2017-11333 with
-008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
-there before.
-
-Closes: #876779
----
- lib/info.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/info.c b/lib/info.c
-index dbb99fc..234cf1e 100644
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
- private_state *b=v->backend_state;
-
- if(!b||vi->channels<=0||vi->channels>256){
-+ b = NULL;
- ret=OV_EFAULT;
- goto err_out;
- }
diff --git a/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
deleted file mode 100644
index f6abe49..0000000
--- a/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
-Date: Tue, 31 Oct 2017 18:32:46 +0100
-Subject: CVE-2017-14633: Don't allow for more than 256 channels
-
-Otherwise
-
- for(i=0;i<vi->channels;i++){
- /* the encoder setup assumes that all the modes used by any
- specific bitrate tweaking use the same floor */
- int submap=info->chmuxlist[i];
-
-overreads later in mapping0_forward since chmuxlist is a fixed array of
-256 elements max.
-
-Closes: #876778
----
- lib/info.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/info.c b/lib/info.c
-index 8a2a001..dbb99fc 100644
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
- oggpack_buffer opb;
- private_state *b=v->backend_state;
-
-- if(!b||vi->channels<=0){
-+ if(!b||vi->channels<=0||vi->channels>256){
- ret=OV_EFAULT;
- goto err_out;
- }
diff --git a/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch b/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
deleted file mode 100644
index 6873eb7..0000000
--- a/debian/patches/CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From: Thomas Daede <daede003 at umn.edu>
-Date: Thu, 15 Mar 2018 14:15:31 -0700
-Subject: CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
-Origin: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
-Bug-Debian: https://bugs.debian.org/893130
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5146
-
-Codebooks that are not an exact divisor of the partition size are now
-truncated to fit within the partition.
----
- lib/codebook.c | 48 ++++++++++--------------------------------------
- 1 file changed, 10 insertions(+), 38 deletions(-)
-
-diff --git a/lib/codebook.c b/lib/codebook.c
-index 321a28f..78672e2 100644
---- a/lib/codebook.c
-+++ b/lib/codebook.c
-@@ -386,7 +386,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
- t[i] = book->valuelist+entry[i]*book->dim;
- }
- for(i=0,o=0;i<book->dim;i++,o+=step)
-- for (j=0;j<step;j++)
-+ for (j=0;o+j<n && j<step;j++)
- a[o+j]+=t[j][i];
- }
- return(0);
-@@ -398,41 +398,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
- int i,j,entry;
- float *t;
-
-- if(book->dim>8){
-- for(i=0;i<n;){
-- entry = decode_packed_entry_number(book,b);
-- if(entry==-1)return(-1);
-- t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;)
-- a[i++]+=t[j++];
-- }
-- }else{
-- for(i=0;i<n;){
-- entry = decode_packed_entry_number(book,b);
-- if(entry==-1)return(-1);
-- t = book->valuelist+entry*book->dim;
-- j=0;
-- switch((int)book->dim){
-- case 8:
-- a[i++]+=t[j++];
-- case 7:
-- a[i++]+=t[j++];
-- case 6:
-- a[i++]+=t[j++];
-- case 5:
-- a[i++]+=t[j++];
-- case 4:
-- a[i++]+=t[j++];
-- case 3:
-- a[i++]+=t[j++];
-- case 2:
-- a[i++]+=t[j++];
-- case 1:
-- a[i++]+=t[j++];
-- case 0:
-- break;
-- }
-- }
-+ for(i=0;i<n;){
-+ entry = decode_packed_entry_number(book,b);
-+ if(entry==-1)return(-1);
-+ t = book->valuelist+entry*book->dim;
-+ for(j=0;i<n && j<book->dim;)
-+ a[i++]+=t[j++];
- }
- }
- return(0);
-@@ -470,12 +441,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
- long i,j,entry;
- int chptr=0;
- if(book->used_entries>0){
-- for(i=offset/ch;i<(offset+n)/ch;){
-+ int m=(offset+n)/ch;
-+ for(i=offset/ch;i<m;){
- entry = decode_packed_entry_number(book,b);
- if(entry==-1)return(-1);
- {
- const float *t = book->valuelist+entry*book->dim;
-- for (j=0;j<book->dim;j++){
-+ for (j=0;i<m && j<book->dim;j++){
- a[chptr++][i]+=t[j];
- if(chptr==ch){
- chptr=0;
---
-2.16.2
-
diff --git a/debian/patches/series b/debian/patches/series
index 2b9f0a7..da9fe07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,2 @@
0001-Fix-build-failure-with-DSO-link-changes.patch
0002-Avoid-SIGFPE-when-bytespersample-is-zero.patch
-CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
-CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
--