
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1



On Wed, 19 Mar 2014 at 23:54:41 +0000, Simon McVittie wrote:
> A proposed debdiff is attached.

Sorry, it wasn't. Here it is.

    S
diffstat for mp3gain-1.5.2-r2 mp3gain-1.5.2-r2

 changelog                                                               |   12 ++
 patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch |   28 ++++++
 patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch |   43 ++++++++++
 patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch |   29 ++++++
 patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch |   26 ++++++
 patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch |   32 +++++++
 patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch |   23 +++++
 patches/series                                                          |    6 +
 8 files changed, 199 insertions(+)

diff -Nru mp3gain-1.5.2-r2/debian/changelog mp3gain-1.5.2-r2/debian/changelog
--- mp3gain-1.5.2-r2/debian/changelog	2011-11-10 15:27:35.000000000 +0000
+++ mp3gain-1.5.2-r2/debian/changelog	2014-03-19 09:22:48.000000000 +0000
@@ -1,3 +1,15 @@
+mp3gain (1.5.2-r2-2+deb7u1) wheezy-security; urgency=high
+
+  * Add various patches from Daniel Kobras' mpg123 packaging to fix
+    buffer overflows in the embedded copy/fork of mpglib
+    - CVE-2003-0577 (originally #201698 in mpg123)
+    - CVE-2004-0805 (originally #270542 in mpg123)
+    - CVE-2004-0991
+    - CVE-2006-1655 (originally #361863 in mpg123)
+    (Closes: #740268, hopefully)
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 19 Mar 2014 09:19:58 +0000
+
 mp3gain (1.5.2-r2-2) unstable; urgency=low
 
   [ Simon McVittie ]
diff -Nru mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch
--- mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,28 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 20:52:15 +0000
+Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder
+
+Origin: vendor, Debian (mpg123/0.59r-18)
+Author: Daniel Kobras <kobras@debian.org>
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542
+See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471
+---
+ mpglibDBL/layer2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 8f4e9e3..027cced 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point)
+   fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+      (fr->mode_ext<<2)+4 : fr->II_sblimit;
+ 
++  if (fr->jsbound > fr->II_sblimit) {
++    fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++    fr->jsbound=fr->II_sblimit;
++  }
++
+   if(stereo == 1 || single == 3)
+     single = 0;
+ 
diff -Nru mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch
--- mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,43 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:00:31 +0000
+Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias()
+
+This combines two patches taken from mpg123: the original fix by Daniel
+Kobras, and "extended fix for CVE-2006-1655" from upstream 0.61.
+
+Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61)
+Author: Daniel Kobras <kobras@debian.org>
+Author: thor
+Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863
+---
+ mpglibDBL/layer3.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c
+index 4016a2a..793857c 100644
+--- a/mpglibDBL/layer3.c
++++ b/mpglibDBL/layer3.c
+@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */
+  * and mode = mixed_mode 
+  */
+            int sfb = gr_infos->maxbandl;
+-           int idx = bi->longIdx[sfb];
++           int idx;
++           if (sfb > 21)
++             return;
++           idx = bi->longIdx[sfb];
+ 
+            for ( ; sfb<8; sfb++ )
+            {
+@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */
+       else /* ((gr_infos->block_type != 2)) */
+       {
+         int sfb = gr_infos->maxbandl;
+-        int is_p,idx = bi->longIdx[sfb];
++        int is_p,idx;
++        if (sfb > 21)
++          return;
++        idx = bi->longIdx[sfb];
+         for ( ; sfb<21; sfb++)
+         {
+           int sb = bi->longDiff[sfb];
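Review bot: The two added guards `if (sfb > 21) return;` bail out silently, unlike the other patches in this series which report the rejected value on stderr, and the bound 21 is a bare number whose meaning a reader has to reconstruct from the `sfb<21` loop two lines further down. A comment on each guard would fix both: `/* CVE-2006-1655: maxbandl beyond the last long scalefactor band would index past longIdx/longDiff; nothing sensible to decode, so give up */` (the table sizes are not visible here, but the loop bound suggests 21 is the last valid index). The guard only rejects values above 21; if maxbandl can be negative at this point, which the hunk cannot show, it would still index before the table, so that is worth confirming where maxbandl is computed. The enclosing function starts and ends outside both hunks.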
diff -Nru mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch
--- mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,29 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:10:15 +0000
+Subject: CVE-2004-0991: fix insufficient validation of MPEG header values
+
+Taken from mpg123/0.59r-19 by a process of elimination (all the diff
+from upstream in layer2.c, except the bits that are CVE-2004-0805)
+since I can't find the original patch anywhere. This includes both the
+original patch in -18, and the follow-up patch in -19 fixing an
+off-by-one error in this boundary check.
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18, mpg123/0.59r-19)
+---
+ mpglibDBL/layer2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 027cced..ca3315d 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -253,7 +253,7 @@ static void II_select_table(struct frame *fr)
+        { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
+   static const int sblims[5] = { 27 , 30 , 8, 12 , 30 };
+ 
+-  if(fr->lsf)
++  if(fr->sampling_frequency >= 3)      /* Or equivalent: (fr->lsf == 1) */
+     table = 4;
+   else
+     table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
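Review bot: The replacement condition `fr->sampling_frequency >= 3` is the actual bounds check for the `translate[fr->sampling_frequency][...]` lookup on the next line, but the trailing comment presents it as a mere restatement of `fr->lsf == 1`, which hides the point of the change. Suggest rewording it to `/* CVE-2004-0991: only sampling_frequency 0..2 may index translate[]; lsf frames use the fixed table */`, assuming translate's first dimension has three entries, which is not visible here. The other two indices, `2-fr->stereo` and `fr->bitrate_index`, are not checked at this spot; if they are validated in decode_header or head_check that is fine, but the hunk does not show it. II_select_table starts outside the hunk.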
diff -Nru mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch
--- mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,26 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:46:34 +0000
+Subject: CVE-2004-0991: copy frame size checking from mpg123/0.59r-18
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18)
+---
+ mpglibDBL/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 1e97adc..3172235 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -229,6 +229,11 @@ int decode_header(struct frame *fr,unsigned long newhead)
+         fprintf(stderr,"Sorry, layer %d not supported\n",fr->lay); 
+         return (0);
+     }
++    if (fr->framesize > MAXFRAMESIZE) {
++      fprintf(stderr,"Frame size too big: %d\n", fr->framesize+4-fr->padding);
++      return (0);
++    }
++
+     /*    print_header(fr); */
+ 
+     return 1;
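Review bot: The diagnostic in the new `fr->framesize > MAXFRAMESIZE` check prints `fr->framesize+4-fr->padding` while the comparison uses `fr->framesize`, so the number a user sees is not the one being tested; a short comment such as `/* report the unpadded size including the 4-byte header, not the internal payload count */` (if that is indeed the reconstruction) or printing both values would save the next reader a detour. Note also that at this point in the series MAXFRAMESIZE is still 1792, and the subject of patch 0016 implies real frames exceed that, so this check rejects legitimate input until 0016 raises the limit to 3456; the two patches should stay together. decode_header starts outside the hunk, where framesize is computed.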
diff -Nru mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch
--- mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,32 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 21:55:22 +0000
+Subject: CVE-2003-0577: common.c: 0000 is also an invalid bit rate
+
+According to Daniel Kobras on #201698, this patch is unnecessary...
+but it seems better to be careful, since our mpglib is not quite
+the same as the one in mpg123.
+
+Origin: vendor, Connectiva
+See-also: http://lwn.net/Alerts/39916/
+See-also: http://www.securityfocus.com/bid/6629
+See-also: http://www.securityfocus.com/archive/1/306903
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698
+---
+ mpglibDBL/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 3172235..97a96b4 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -125,8 +125,8 @@ int head_check(unsigned long head,int check_layer)
+       if (nLayer != check_layer) return FALSE;
+   }
+ 
+-  if( ((head>>12)&0xf) == 0xf) {
+-    /* bits 16,17,18,19 = 1111  invalid bitrate */
++  if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0) {
++    /* bits 16,17,18,19 = 1111 or 0000 invalid bitrate */
+     return FALSE;
+   }
+   if( ((head>>10)&0x3) == 0x3 ) {
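Review bot: The updated comment calls bitrate index 0000 an invalid bitrate, but in the MPEG audio header 0000 means "free format", which is legal in the standard and merely unsupported by this decoder; the distinction matters to whoever later wonders why free-format files are refused. Suggest: `/* bits 16-19: 1111 is reserved; 0000 is "free format", which this decoder does not support (CVE-2003-0577) */`. The patch description already says the check may be redundant with the other fixes, so recording in the comment that it is a defence-in-depth choice would also help. head_check starts outside the hunk.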
diff -Nru mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch
--- mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch	1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch	2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,23 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sun, 16 Mar 2014 22:21:26 +0000
+Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-14)
+---
+ mpglibDBL/mpg123.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h
+index 691eb9c..08bd217 100644
+--- a/mpglibDBL/mpg123.h
++++ b/mpglibDBL/mpg123.h
+@@ -61,7 +61,7 @@ char *strchr (), *strrchr ();
+ #define         MPG_MD_DUAL_CHANNEL     2
+ #define         MPG_MD_MONO             3
+ 
+-#define MAXFRAMESIZE 1792
++#define MAXFRAMESIZE 3456
+ 
+ /* AF: ADDED FOR LAYER1/LAYER2 */
+ #define         SCALE_BLOCK             12
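Review bot: Raising MAXFRAMESIZE from 1792 to 3456 changes the limit that the new decode_header check in patch 0014 enforces, but it also affects anything else in this mpglib copy that is dimensioned by the macro; none of those uses are visible in the hunk, so it is worth confirming that every buffer a frame is read into is either sized from MAXFRAMESIZE or already at least 3456 bytes, otherwise the check admits frames the buffer cannot hold. The justification is in the patch subject but not in the header; `/* largest frame the supported bitrate/sample-rate combinations can produce (from mpg123 0.59r-14) */` next to the define would keep it with the code, if that is indeed the derivation.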
diff -Nru mp3gain-1.5.2-r2/debian/patches/series mp3gain-1.5.2-r2/debian/patches/series
--- mp3gain-1.5.2-r2/debian/patches/series	2011-11-10 15:27:35.000000000 +0000
+++ mp3gain-1.5.2-r2/debian/patches/series	2014-03-19 09:22:48.000000000 +0000
@@ -7,3 +7,9 @@
 10_fix_potential_segfaults.diff
 11_txxx.diff
 12_force_update.diff
+0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch
+0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch
+0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch
+0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch
+0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch
+0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch
