Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

On 01/04/14 21:48, Adam D. Barratt wrote:
> On Wed, 2014-03-19 at 23:54 +0000, Simon McVittie wrote:
>> mp3gain, an implementation of ReplayGain volume normalization, contains
>> a very old modified version of mpglib, an MPEG audio decoder maintained
>> as part of mpg123.
...
> Please go ahead; thanks.

Uploaded. Sorry for the delay, my test environment for it was rather
awkward (I didn't want to try suspicious exploits in a network-connected
environment, when there was a possibility they might still work). No
changes other than the changelog.

Would you be interested in a squeeze update? The patches appear to be
the same, apart from some end-of-line \r adjustments to make them apply.
A possible debdiff is attached; so far its status is "compiles in
sbuild, but untested". I would of course test it on a squeeze system
with all the mpg123 exploits I've been able to find before uploading.

    S
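The header checks that the attached debdiff carries (rejecting bitrate index 0000 and 1111, rejecting the reserved sample-rate index, and bounding the computed frame size by MAXFRAMESIZE) written out as a stand-alone validator. This is an added example, not mpglib or mp3gain code: the tables are the standard MPEG-1/2/2.5 bitrate and sample-rate tables, MAXFRAMESIZE takes the 3456 value from patch 0016, the rejection of a zero or negative frame size is this example's own addition beyond what the patches do, and the header bytes in main() are constructed test vectors.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not mp3gain or mpglib code): validate an MPEG audio frame
 * header and bound the frame size before anything trusts it. Rejecting
 * framesize <= 0 is this example's own addition, not part of the patches. */

#define MAXFRAMESIZE 3456   /* as raised by patch 0016 */

/* kbit/s, indexed [lsf][layer-1][bitrate_index]; index 0 = free format, 15 = invalid */
static const int tabsel_123[2][3][16] = {
  { { 0,32,64,96,128,160,192,224,256,288,320,352,384,416,448,0 },
    { 0,32,48,56, 64, 80, 96,112,128,160,192,224,256,320,384,0 },
    { 0,32,40,48, 56, 64, 80, 96,112,128,160,192,224,256,320,0 } },
  { { 0,32,48,56,64,80,96,112,128,144,160,176,192,224,256,0 },
    { 0, 8,16,24,32,40,48,56, 64, 80, 96,112,128,144,160,0 },
    { 0, 8,16,24,32,40,48,56, 64, 80, 96,112,128,144,160,0 } }
};

/* Hz, indexed by sampling_frequency: 0-2 MPEG-1, 3-5 MPEG-2, 6-8 MPEG-2.5 */
static const long freqs[9] = { 44100, 48000, 32000,
                               22050, 24000, 16000,
                               11025, 12000,  8000 };

struct frame {
  int lsf;                /* 1 for MPEG-2 and MPEG-2.5 (lower sampling frequencies) */
  int lay;                /* 1, 2 or 3 */
  int bitrate_index;      /* 1..14 once head_check() has passed */
  int sampling_frequency; /* index into freqs[] */
  int padding;
  int stereo;             /* 1 = mono, 2 = stereo */
  long framesize;         /* payload bytes following the 4-byte header */
};

/* Field-level checks on the big-endian 32-bit header. 1 = plausible, 0 = drop it. */
int head_check(uint32_t head)
{
  if ((head & 0xffe00000u) != 0xffe00000u) return 0; /* 11-bit sync word */
  if (((head >> 19) & 0x3) == 0x1) return 0;          /* version id 01 is reserved */
  if (((head >> 17) & 0x3) == 0x0) return 0;          /* layer 00 is reserved */
  unsigned br = (head >> 12) & 0xf;
  if (br == 0xf || br == 0x0) return 0;               /* 1111 invalid, 0000 free format (patch 0015) */
  if (((head >> 10) & 0x3) == 0x3) return 0;          /* sample-rate index 11 is reserved */
  return 1;
}

/* Fill *fr from a header that passed head_check() and bound the computed
 * frame size as patch 0014 does. Returns 1 on success, 0 if the frame is rejected. */
int decode_header(struct frame *fr, uint32_t head)
{
  int version = (head >> 19) & 0x3;        /* 00 = MPEG-2.5, 10 = MPEG-2, 11 = MPEG-1 */
  fr->lsf = (version == 3) ? 0 : 1;
  fr->lay = 4 - (int)((head >> 17) & 0x3);
  fr->bitrate_index = (head >> 12) & 0xf;
  fr->sampling_frequency = (head >> 10) & 0x3;
  if (version == 0) fr->sampling_frequency += 6;      /* MPEG-2.5 rows of freqs[] */
  else if (fr->lsf) fr->sampling_frequency += 3;      /* MPEG-2 rows of freqs[] */
  fr->padding = (head >> 9) & 0x1;
  fr->stereo = (((head >> 6) & 0x3) == 0x3) ? 1 : 2;  /* mode 11 = single channel */

  long kbps = tabsel_123[fr->lsf][fr->lay - 1][fr->bitrate_index];
  long hz = freqs[fr->sampling_frequency];
  switch (fr->lay) {
  case 1: /* 384 samples per frame, 4-byte slots */
    fr->framesize = (kbps * 12000L / hz + fr->padding) * 4 - 4;
    break;
  case 2: /* 1152 samples per frame, 1-byte slots */
    fr->framesize = kbps * 144000L / hz + fr->padding - 4;
    break;
  default: /* Layer III: 1152 samples (MPEG-1) or 576 (LSF), hence the extra halving */
    fr->framesize = kbps * 144000L / (hz << fr->lsf) + fr->padding - 4;
    break;
  }
  if (fr->framesize > MAXFRAMESIZE) return 0;   /* upper bound, as in patch 0014 */
  if (fr->framesize <= 0) return 0;             /* lower bound: this example's addition */
  return 1;
}

/* Payload size for a raw header value, or -1 if either check rejects it. */
long frame_payload_size(uint32_t head)
{
  struct frame fr;
  if (!head_check(head) || !decode_header(&fr, head)) return -1;
  return fr.framesize;
}

int main(void)
{
  /* Constructed headers: MPEG-1 Layer III 128 kbit/s 44.1 kHz joint stereo,
   * then the same header with the free-format bitrate index 0000. */
  printf("good header: payload %ld bytes\n", frame_payload_size(0xfffb9064u));
  printf("free-format header: %ld (rejected)\n", frame_payload_size(0xfffb0064u));
  return 0;
}
```

frame_payload_size() returns the payload length that follows the 4-byte header, matching the convention in which the reported "Frame size too big" value is framesize+4-padding; any header that fails a field check or the size bound yields -1 before a caller could size a buffer from it.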

diffstat for mp3gain_1.5.1-4 mp3gain_1.5.1-4+deb6u1

 debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch |   32 ++++++
 debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch |   47 ++++++++++
 debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch |   33 +++++++
 debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch |   30 ++++++
 debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch |   36 +++++++
 debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch |   27 +++++
 mp3gain-1.5.1/debian/changelog                                                  |   12 ++
 mp3gain-1.5.1/debian/patches/00list                                             |    6 +
 8 files changed, 223 insertions(+)

diff -u mp3gain-1.5.1/debian/changelog mp3gain-1.5.1/debian/changelog
--- mp3gain-1.5.1/debian/changelog
+++ mp3gain-1.5.1/debian/changelog
@@ -1,3 +1,15 @@
+mp3gain (1.5.1-4+deb6u1) squeeze; urgency=high
+
+  * Add various patches from Daniel Kobras' mpg123 packaging to fix
+    buffer overflows in the embedded copy/fork of mpglib
+    - CVE-2003-0577 (originally #201698 in mpg123)
+    - CVE-2004-0805 (originally #270542 in mpg123)
+    - CVE-2004-0991
+    - CVE-2006-1655 (originally #361863 in mpg123)
+    (Closes: #740268)
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 19 Mar 2014 09:19:58 +0000
+
 mp3gain (1.5.1-4) unstable; urgency=low
 
   * Fix various potential segfaults found by cppcheck.
diff -u mp3gain-1.5.1/debian/patches/00list mp3gain-1.5.1/debian/patches/00list
--- mp3gain-1.5.1/debian/patches/00list
+++ mp3gain-1.5.1/debian/patches/00list
@@ -10,0 +11,6 @@
+0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch
+0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch
+0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch
+0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch
+0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch
+0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
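Review bot: 0014 adds a `fr->framesize > MAXFRAMESIZE` check while 0016, which comes last in this list, is what raises MAXFRAMESIZE from 1792 to 3456, so a tree with the series applied only through 0015 rejects any frame whose payload is between 1793 and 3456 bytes. Either move 0016 ahead of 0014 in 00list or state in 0014's description that it requires 0016.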
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
+++ mp3gain-1.5.1/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 22:21:26 +0000
+Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-14)
+---
+ mpglibDBL/mpg123.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h
+index 691eb9c..08bd217 100644
+--- a/mpglibDBL/mpg123.h
++++ b/mpglibDBL/mpg123.h
+@@ -61,7 +61,7 @@ char *strchr (), *strrchr ();
+ #define         MPG_MD_DUAL_CHANNEL     2
+ #define         MPG_MD_MONO             3
+ 
+-#define MAXFRAMESIZE 1792
++#define MAXFRAMESIZE 3456
+ 
+ /* AF: ADDED FOR LAYER1/LAYER2 */
+ #define         SCALE_BLOCK             12
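Review bot: raising MAXFRAMESIZE widens the limit that 0014's `fr->framesize > MAXFRAMESIZE` check enforces without itself enlarging anything, so confirm that every buffer in mpglibDBL that receives frame payload is dimensioned from this macro rather than from a literal 1792 or an independent constant; otherwise the check admits frames larger than their destination. The Subject only says the new value is "much closer to reality"; the description should say which frame sizes need more than 1792 bytes so the choice of 3456 can be verified later.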
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch
+++ mp3gain-1.5.1/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:55:22 +0000
+Subject: CVE-2003-0577: common.c: 0000 is also an invalid bit rate
+
+According to Daniel Kobras on #201698, this patch is unnecessary...
+but it seems better to be careful, since our mpglib is not quite
+the same as the one in mpg123.
+
+Origin: vendor, Connectiva
+See-also: http://lwn.net/Alerts/39916/
+See-also: http://www.securityfocus.com/bid/6629
+See-also: http://www.securityfocus.com/archive/1/306903
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698
+---
+ mpglibDBL/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 3172235..97a96b4 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -125,8 +125,8 @@ int head_check(unsigned long head,int check_layer)
+       if (nLayer != check_layer) return FALSE;
+   }
+ 
+-  if( ((head>>12)&0xf) == 0xf) {
+-    /* bits 16,17,18,19 = 1111  invalid bitrate */
++  if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0) {
++    /* bits 16,17,18,19 = 1111 or 0000 invalid bitrate */
+     return FALSE;
+   }
+   if( ((head>>10)&0x3) == 0x3 ) {
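Review bot: bitrate index 0000 is the MPEG "free format" indication, so adding `((head>>12)&0xf) == 0` to head_check() drops free-format streams at sync rather than guarding their frame-size path. The description already records that Daniel Kobras considered the patch unnecessary for mpg123; it should also say plainly that free-format input is now treated as invalid, which is a reasonable trade-off for a gain analyzer but a behaviour change that deserves a line in the changelog.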
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch
+++ mp3gain-1.5.1/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:46:34 +0000
+Subject: CVE-2004-0991: copy frame size checking from mpg123/0.59r-18
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18)
+---
+ mpglibDBL/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 1e97adc..3172235 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -229,6 +229,11 @@ int decode_header(struct frame *fr,unsigned long newhead)
+         fprintf(stderr,"Sorry, layer %d not supported\n",fr->lay); 
+         return (0);
+     }
++    if (fr->framesize > MAXFRAMESIZE) {
++      fprintf(stderr,"Frame size too big: %d\n", fr->framesize+4-fr->padding);
++      return (0);
++    }
++
+     /*    print_header(fr); */
+ 
+     return 1;
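Review bot: the new check bounds `fr->framesize` only from above; a zero or negative frame size passes through, so this hunk relies on head_check() rejecting the bitrate indices that would produce one (0015) and the two patches should reference each other. The message also prints `fr->framesize+4-fr->padding` while the comparison is on `fr->framesize`, so the logged number is the nominal frame length including the header rather than the value tested; a short comment saying so would save confusion when someone debugs a rejected file.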
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch
+++ mp3gain-1.5.1/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:10:15 +0000
+Subject: CVE-2004-0991: fix insufficient validation of MPEG header values
+
+Taken from mpg123/0.59r-19 by a process of elimination (all the diff
+from upstream in layer2.c, except the bits that are CVE-2004-0805)
+since I can't find the original patch anywhere. This includes both the
+original patch in -18, and the follow-up patch in -19 fixing an
+off-by-one error in this boundary check.
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18, mpg123/0.59r-19)
+---
+ mpglibDBL/layer2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 027cced..ca3315d 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -253,7 +253,7 @@ static void II_select_table(struct frame *fr)
+        { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
+   static const int sblims[5] = { 27 , 30 , 8, 12 , 30 };
+ 
+-  if(fr->lsf)
++  if(fr->sampling_frequency >= 3)      /* Or equivalent: (fr->lsf == 1) */
+     table = 4;
+   else
+     table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
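Review bot: the trailing comment `/* Or equivalent: (fr->lsf == 1) */` undercuts the change: if the two conditions were equivalent the patch would be a no-op. The point is that `translate[]` on the else branch is indexed by `fr->sampling_frequency`, so guarding on that same variable protects the lookup even when lsf and sampling_frequency disagree. Drop or reword the comment, and since the description says the -19 follow-up fixed an off-by-one in this boundary, state the bound explicitly (sampling_frequency 0..2 indexes translate[], 3 and above selects table 4).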
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch
+++ mp3gain-1.5.1/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:00:31 +0000
+Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias()
+
+This combines two patches taken from mpg123: the original fix by Daniel
+Kobras, and "extended fix for CVE-2006-1655" from upstream 0.61.
+
+Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61)
+Author: Daniel Kobras <kobras@debian.org>
+Author: thor
+Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863
+---
+ mpglibDBL/layer3.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c
+index 4016a2a..793857c 100644
+--- a/mpglibDBL/layer3.c
++++ b/mpglibDBL/layer3.c
+@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */
+  * and mode = mixed_mode 
+  */
+            int sfb = gr_infos->maxbandl;
+-           int idx = bi->longIdx[sfb];
++           int idx;
++           if (sfb > 21)
++             return;
++           idx = bi->longIdx[sfb];
+ 
+            for ( ; sfb<8; sfb++ )
+            {
+@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */
+       else /* ((gr_infos->block_type != 2)) */
+       {
+         int sfb = gr_infos->maxbandl;
+-        int is_p,idx = bi->longIdx[sfb];
++        int is_p,idx;
++        if (sfb > 21)
++          return;
++        idx = bi->longIdx[sfb];
+         for ( ; sfb<21; sfb++)
+         {
+           int sb = bi->longDiff[sfb];
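Review bot: the variables in these hunks (`gr_infos->maxbandl`, `bi->longIdx`, `is_p`, the `block_type != 2` branch) belong to the intensity-stereo routine III_i_stereo(), which is the function CVE-2006-1655 names, not III_antialias() as the Subject and patch filename say; rename the patch so the CVE maps to the right function. The literal 21 appears in both guards and matches the `sfb<21` loop bound in the second hunk; a named constant tied to the size of longIdx would make that relation explicit. Note also that the early `return` silently skips intensity-stereo processing for the granule instead of flagging the frame as bad, which is fine for mp3gain but worth a sentence in the description.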
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch
+++ mp3gain-1.5.1/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch
@@ -0,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 20:52:15 +0000
+Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder
+
+Origin: vendor, Debian (mpg123/0.59r-18)
+Author: Daniel Kobras <kobras@debian.org>
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542
+See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471
+---
+ mpglibDBL/layer2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 8f4e9e3..027cced 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point)
+   fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+      (fr->mode_ext<<2)+4 : fr->II_sblimit;
+ 
++  if (fr->jsbound > fr->II_sblimit) {
++    fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++    fr->jsbound=fr->II_sblimit;
++  }
++
+   if(stereo == 1 || single == 3)
+     single = 0;
+ 
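Review bot: the clamp follows `fr->jsbound` being derived from `(fr->mode_ext<<2)+4`, so it is only as good as the `fr->II_sblimit` it clamps to, which II_select_table() sets and which 0013 guards; the two patches should reference each other. Clamping rather than rejecting the frame changes the decoded output silently, and printing to stderr for every affected frame will be noisy for a batch tool like mp3gain; consider reporting once per file or dropping the message.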
