
Bug#1091885: bookworm-pu: package audiofile/0.3.6-5+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: audiofile@packages.debian.org, debian-multimedia@lists.debian.org
Control: affects -1 + src:audiofile
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes two minor security issues not worth a DSA,
debdiff below.

Cheers,
        Moritz

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog	2019-04-05 16:13:16.000000000 +0200
+++ audiofile-0.3.6/debian/changelog	2025-01-01 17:42:41.000000000 +0100
@@ -1,3 +1,10 @@
+audiofile (0.3.6-5+deb12u1) bookworm; urgency=medium
+
+  * CVE-2022-24599 (Closes: #1008017)
+  * CVE-2019-13147 (Closes: #931343)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 01 Jan 2025 17:42:41 +0100
+
 audiofile (0.3.6-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch
--- audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch	1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch	2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,89 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sat, 11 Nov 2023 15:58:50 +0000
+Subject: Fix CVE-2022-24599
+
+Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+with a user declared string.
+
+Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+for printf
+
+Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+Before under valgrind:
+libtool --mode=execute valgrind --track-origins=yes  ./sfinfo heapleak_poc.aiff
+
+Duration       -inf seconds
+==896222== Invalid read of size 1
+==896222==    at 0x4846794: strlen (vg_replace_strmem.c:494)
+==896222==    by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+==896222==    by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+==896222==    by 0x49DE986: __printf_chk (printf_chk.c:33)
+==896222==    by 0x10985C: printf (stdio2.h:86)
+==896222==    by 0x10985C: printfileinfo (printinfo.c:134)
+==896222==    by 0x10930A: main (sfinfo.c:113)
+==896222==  Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+==896222==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
+==896222==    by 0x109825: copyrightstring (printinfo.c:163)
+==896222==    by 0x109825: printfileinfo (printinfo.c:131)
+==896222==    by 0x10930A: main (sfinfo.c:113)
+==896222==
+Copyright      C
+
+After:
+Duration       -inf seconds
+Copyright      C
+
+forwarded: https://github.com/mpruett/audiofile/issues/60
+bug: https://github.com/mpruett/audiofile/issues/60
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008017
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2022-24599
+---
+ sfcommands/printinfo.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ 
+ static char *copyrightstring (AFfilehandle file);
+ 
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ 	int		i, misccount;
+ 
+ 	misccount = afGetMiscIDs(file, NULL);
+-	miscids = (int *) malloc(sizeof (int) * misccount);
++	if(!misccount)
++		return NULL;
++	miscids = (int *) calloc(misccount, sizeof(int));
++	if(!miscids)
++		return NULL;
+ 	afGetMiscIDs(file, miscids);
+ 
+ 	for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+ 			If this code executes, the miscellaneous chunk is a
+ 			copyright chunk.
+ 		*/
+-		int datasize = afGetMiscSize(file, miscids[i]);
+-		char *data = (char *) malloc(datasize);
++		size_t datasize = afGetMiscSize(file, miscids[i]);
++		if(datasize >= INT_MAX -1 ) {
++			goto error;
++		}
++		char *data = (char *) calloc(datasize + 1, 1);
+ 		afReadMisc(file, miscids[i], data, datasize);
+ 		copyright = data;
+ 		break;
+ 	}
+-
++error:
+ 	free(miscids);
+ 
+ 	return copyright;
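Review bot: The result of `char *data = (char *) calloc(datasize + 1, 1);` is handed to afReadMisc without a NULL check, so an allocation failure still writes through a null pointer even though the same patch adds such a check for miscids; add `if (!data) goto error;` before the afReadMisc call. The return value of afReadMisc is also discarded; that is benign only because calloc zero-filled the buffer, which deserves a comment such as `/* calloc zero-fills, so a short read still leaves a NUL-terminated string for printf */`. A negative misccount from afGetMiscIDs passes `if(!misccount)` and is only rejected indirectly when calloc fails on the converted size; `if (misccount <= 0)` states the intent directly. The patch header calls the bug a memory leak, but the valgrind trace it quotes is an out-of-bounds read of an unterminated buffer, so the description could say heap over-read. copyrightstring begins and ends outside the hunk, so the initial value of `copyright` on the `goto error` path cannot be confirmed here.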
diff -Nru audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch	1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch	2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sat, 11 Nov 2023 17:42:03 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This fix the symptom do not allow to allocate negative memory:
+==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
+==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
+==129695==If you don't like this behavior set allocator_may_return_null=1
+==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
+    #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
+    #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
+    #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
+    #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
+    #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
+    #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
+    #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
+    #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
+    #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
+
+If negative bail out
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ sfcommands/sfconvert.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 367f7a5..400d485 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -349,7 +349,8 @@ void printversion (void)
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+ 	int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+-
++	if(frameSize <= 0)
++		return false;
+ 	int kBufferFrameCount = 65536;
+ 	int bufferSize;
+ 	while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
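Review bot: The new `if(frameSize <= 0) return false;` guard in copyaudiodata returns silently and nothing in the hunk says why a non-positive frame size is fatal; a one-line comment such as `/* a non-positive frame size cannot size the copy buffer below; refuse the track */` would record the intent (the return contract of afGetVirtualFrameSize is not visible here, so check the wording against the library). The function body continues past the hunk, so whether the caller turns the false return into a user-visible message cannot be confirmed from this view. The surrounding code writes `while (` with a space, so `if (frameSize <= 0)` would match the file's style.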
diff -Nru audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch	1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch	2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sat, 11 Nov 2023 17:43:19 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This is the fix of the POC. Do not allow too many channel
+
+Now it fail with:
+Audio File Library: invalid file with 1633771873 channels [error 15]
+Could not open file 'poc' for reading.
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ libaudiofile/NeXT.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp
+index c462dbe..01c967c 100644
+--- a/libaudiofile/NeXT.cpp
++++ b/libaudiofile/NeXT.cpp
+@@ -32,6 +32,7 @@
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ #include "File.h"
+ #include "Setup.h"
+@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup)
+ 		_af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
+ 		return AF_FAIL;
+ 	}
++	/* avoid overflow of INT for double size rate */
++	if (channelCount > (INT32_MAX / (sizeof(double))))
++	{
++		_af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
++		return AF_FAIL;
++	}
+ 
+ 	Track *track = allocateTrack();
+ 	if (!track)
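Review bot: The `#include <limits.h>` added in the first hunk is not needed by this change: the new check uses INT32_MAX, which comes from <stdint.h> that NeXT.cpp already includes, so either drop the include or, if INT_MAX was intended, use it in the comparison. The comment `/* avoid overflow of INT for double size rate */` does not say what gets multiplied by sizeof(double); `/* reject channel counts for which channelCount * sizeof(double) would overflow a 32-bit int */` describes exactly what the expression bounds. The type of channelCount is not visible here; if it is unsigned, `%i` in the error message should be `%u`, and if it is signed the comparison promotes it to size_t, which still rejects negative values but without making that explicit. readInit continues outside the hunk.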
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series	2019-04-05 16:10:40.000000000 +0200
+++ audiofile-0.3.6/debian/patches/series	2025-01-01 17:42:28.000000000 +0100
@@ -10,3 +10,6 @@
 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
 11_CVE-2018-13440.patch
 12_CVE-2018-17095.patch
+13-Fix-CVE-2022-24599.patch
+14-Partial-fix-of-CVE-2019-13147.patch
+15-Partial-fix-of-CVE-2019-13147.patch
