gpac / CVE-2018-13005 / CVE-2018-13006
Attached is the patch to fix these issues, ported from upstream. I
removed some changes made by upstream:
* I didn't bother fixing the bug in the ERROR_ON_DUPLICATED_BOX
macro. The macro uses "a" when it should use the first parameter
"__abox" instead. Every call to this macro passes "a" as the first
parameter anyway, so it doesn't matter.
* I did not fix the whitespace errors.
Upstream patch:
https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/changelog gpac-0.5.0+svn5324~dfsg1/debian/changelog
--- gpac-0.5.0+svn5324~dfsg1/debian/changelog 2014-07-31 23:35:25.000000000 +1000
+++ gpac-0.5.0+svn5324~dfsg1/debian/changelog 2018-07-17 17:21:06.000000000 +1000
@@ -1,3 +1,11 @@
+gpac (0.5.0+svn5324~dfsg1-1+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2018-13005: Buffer over-read in urn_Read in isomedia/box_code_base.c
+ * Fix CVE-2018-13006: Buffer over-read in hdlr_dump in isomedia/box_dump.c
+
+ -- Brian May <bam@debian.org> Tue, 17 Jul 2018 17:21:06 +1000
+
gpac (0.5.0+svn5324~dfsg1-1) unstable; urgency=medium
* New upstream snapshot.
diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch
--- gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch 1970-01-01 10:00:00.000000000 +1000
+++ gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13005.patch 2018-07-17 17:17:17.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/src/isomedia/box_code_base.c
++++ b/src/isomedia/box_code_base.c
+@@ -536,7 +536,7 @@
+
+ //then get the break
+ i = 0;
+- while ( (tmpName[i] != 0) && (i < to_read) ) {
++ while ( (i < to_read) && (tmpName[i] != 0) ) {
+ i++;
+ }
+ //check the data is consistent
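Review bot: the patch file carries no DEP-3 header; since the cover mail says the change is ported from upstream, the new debian/patches files should at least have "Origin: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86" and a "Description:" line naming the CVE, so the provenance survives inside the source package rather than only in the list archive. On the change itself, swapping the operands is the whole fix: with the old order "tmpName[i]" was dereferenced for i == to_read before the bound was tested, and that single byte past to_read is the over-read. After the loop, i can now equal to_read with no terminating NUL having been seen, so the "check the data is consistent" code that follows this hunk is what has to reject that case; worth a sentence in the patch description.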
diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch
--- gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch 1970-01-01 10:00:00.000000000 +1000
+++ gpac-0.5.0+svn5324~dfsg1/debian/patches/CVE-2018-13006.patch 2018-07-17 17:18:42.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/src/isomedia/box_dump.c
++++ b/src/isomedia/box_dump.c
+@@ -945,7 +945,7 @@
+ GF_Err hdlr_dump(GF_Box *a, FILE * trace)
+ {
+ GF_HandlerBox *p = (GF_HandlerBox *)a;
+- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
+ fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
+ } else {
+ fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
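Review bot: the new condition works through unsigned wraparound, and that should be written down. When nameUTF8 is the empty string, strlen() returns 0, "strlen(p->nameUTF8)-1" becomes SIZE_MAX, and the comparison with the (u32) length byte fails, so control falls to the else branch and prints the string as-is; that is what removes the old "strlen(p->nameUTF8+1)" read one byte past the terminator. Nothing on the line says so. Either add a comment or make the guard explicit, e.g. "if (p->nameUTF8 && p->nameUTF8[0] && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {", which reads the same for a non-empty string and avoids the next porter "simplifying" the wraparound away.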
diff -Nru gpac-0.5.0+svn5324~dfsg1/debian/patches/series gpac-0.5.0+svn5324~dfsg1/debian/patches/series
--- gpac-0.5.0+svn5324~dfsg1/debian/patches/series 2014-05-20 19:33:06.000000000 +1000
+++ gpac-0.5.0+svn5324~dfsg1/debian/patches/series 2018-07-17 17:17:34.000000000 +1000
@@ -2,3 +2,5 @@
gcc-optflags.patch
libav10.patch
export_gf_isom_set_pixel_aspect_ratio.patch
+CVE-2018-13005.patch
+CVE-2018-13006.patch
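Below is an added illustration of the two over-reads the patch fixes, written for this page; it is not code from gpac, from the upstream commit, or from the debdiff above. It reproduces only the shape of the two conditions: the name-scanning loop with the pre-fix operand order (the byte at i read before i is compared with to_read) beside the fixed order, and the hdlr Pascal-string length check before and after the fix. All names (scan_name_unsafe, scan_name_fixed, hdlr_display_name, SAMPLE_NAME, EMPTY_NAME_PADDED) and the sample buffers are constructed for the example. The one extra byte of padding after each sample is what keeps the "pre-fix" variants defined behaviour here; on an exactly-sized allocation the same reads are the CVEs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample for CVE-2018-13005: a 4-byte name field with no NUL
 * inside the declared length, followed by one padding byte that stands in
 * for whatever follows the field in the parser's buffer. */
static const char SAMPLE_NAME[] = { 'u', 'r', 'n', ':', '!', '\0' };
#define SAMPLE_TO_READ 4

/* Constructed sample for CVE-2018-13006: an empty hdlr name. The second
 * byte is padding so that name+1 is still inside the array in this demo. */
static const char EMPTY_NAME_PADDED[] = { '\0', '\0' };

/* Records the highest index dereferenced so the demo can show how far each
 * loop variant actually reads. Hypothetical helper, not part of gpac. */
static char byte_at(const char *name, size_t i, size_t *hi)
{
    if (i > *hi) *hi = i;
    return name[i];
}

/* Pre-fix operand order: name[i] is read first, then i is bounded. When no
 * NUL occurs within to_read bytes, the byte at index to_read is touched. */
size_t scan_name_unsafe(const char *name, size_t to_read, size_t *hi)
{
    size_t i = 0;
    *hi = 0;
    while ((byte_at(name, i, hi) != 0) && (i < to_read)) i++;
    return i;
}

/* Fixed order: the bound is tested before the dereference, so index to_read
 * is never read. The loop can still end with i == to_read and no NUL seen;
 * a caller must treat that as "unterminated", not as a valid string. */
size_t scan_name_fixed(const char *name, size_t to_read, size_t *hi)
{
    size_t i = 0;
    *hi = 0;
    while ((i < to_read) && (byte_at(name, i, hi) != 0)) i++;
    return i;
}

/* Pre-fix hdlr condition: compares the first byte with strlen(name+1).
 * For an empty name that reads past the terminator; it "matches" (0 == 0)
 * and the caller then prints from name+1, which is outside the string. */
int hdlr_old_check_matches(const char *name)
{
    return name != NULL && (unsigned)name[0] == strlen(name + 1);
}

/* Post-fix condition with the guard written out. strlen()-1 on an empty
 * string wraps to SIZE_MAX and can never equal the zero length byte, which
 * is what the one-line upstream fix relies on implicitly. unsigned char is
 * used for the length byte so bytes >= 0x80 are not sign-extended. */
int hdlr_fixed_check_matches(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    return len > 0 && (unsigned char)name[0] == len - 1;
}

/* Text a dumper would print: the characters after a valid length byte,
 * otherwise the raw string. */
const char *hdlr_display_name(const char *name)
{
    if (name == NULL) return "";
    return hdlr_fixed_check_matches(name) ? name + 1 : name;
}

int main(void)
{
    size_t hi, n;
    n = scan_name_unsafe(SAMPLE_NAME, SAMPLE_TO_READ, &hi);
    printf("pre-fix loop: stopped at %zu, highest index read %zu (to_read=%d)\n",
           n, hi, SAMPLE_TO_READ);
    n = scan_name_fixed(SAMPLE_NAME, SAMPLE_TO_READ, &hi);
    printf("fixed loop:   stopped at %zu, highest index read %zu\n", n, hi);
    printf("old hdlr check on empty name matches: %d (read name[1])\n",
           hdlr_old_check_matches(EMPTY_NAME_PADDED));
    printf("hdlr name \"\\x03vid\" -> \"%s\"\n", hdlr_display_name("\x03vid"));
    printf("hdlr name \"\"        -> \"%s\"\n", hdlr_display_name(""));
    return 0;
}
```

Both loops stop at the same index for the sample, which is why the bug is easy to miss in testing: the only difference is the one extra byte the pre-fix order reads before it stops. For the hdlr case, the interesting input is the empty name, where the old condition matches precisely because it read beyond the terminator.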