Bug#868459: stretch-pu: package libquicktime/2:1.2.4-10+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
Some minor security fixes for libquicktime (CVE-2017-9122 through CVE-2017-9128), identical to what's
already in unstable and also tested against the package's reverse dependencies on stretch.
If it's too late for 9.1, 9.2 is also just fine.
Cheers,
Moritz
diff -Nru libquicktime-1.2.4/debian/changelog libquicktime-1.2.4/debian/changelog
--- libquicktime-1.2.4/debian/changelog 2017-02-27 23:15:35.000000000 +0100
+++ libquicktime-1.2.4/debian/changelog 2017-07-13 18:31:44.000000000 +0200
@@ -1,3 +1,10 @@
+libquicktime (2:1.2.4-10+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2017-9122 to CVE-2017-9128, patch from 1.2.4-11 in unstable
+ (Closes: #864664)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Thu, 13 Jul 2017 20:29:10 +0200
+
libquicktime (2:1.2.4-10) unstable; urgency=medium
* Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
diff -Nru libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch
--- libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch 1970-01-01 01:00:00.000000000 +0100
+++ libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch 2017-07-13 18:28:48.000000000 +0200
@@ -0,0 +1,151 @@
+From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
+Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
+
+Hi,
+
+I committed some (mostly trivial) updates to CVS. The following CVE's
+are fixed and/or no longer reproducible:
+
+CVE-2017-9122
+CVE-2017-9123
+CVE-2017-9124
+CVE-2017-9125
+CVE-2017-9126
+CVE-2017-9127
+CVE-2017-9128
+
+I was a bit surprised that one simple sanity check fixes a whole bunch of files.
+
+So it could be, that the problems are still there, but better hidden since the
+critical code isn't executed anymore with the sample files I got.
+
+If someone encounters more crashes, feel free to report them.
+
+Burkhard
+
+--- a/include/lqt_funcprotos.h
++++ b/include/lqt_funcprotos.h
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
+ int quicktime_write_char32(quicktime_t *file, char *string);
+ float quicktime_read_fixed16(quicktime_t *file);
+ int quicktime_write_fixed16(quicktime_t *file, float number);
+-unsigned long quicktime_read_uint32(quicktime_t *file);
+-long quicktime_read_int32(quicktime_t *file);
+-long quicktime_read_int32_le(quicktime_t *file);
++uint32_t quicktime_read_uint32(quicktime_t *file);
++int32_t quicktime_read_int32(quicktime_t *file);
++int32_t quicktime_read_int32_le(quicktime_t *file);
+ int64_t quicktime_read_int64(quicktime_t *file);
+ int64_t quicktime_read_int64_le(quicktime_t *file);
+ long quicktime_read_int24(quicktime_t *file);
+--- a/src/atom.c
++++ b/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+ atom->size = read_size64(header);
+ atom->end = atom->start + atom->size;
+ }
++/* Avoid broken files */
++ if(atom->end > file->total_length)
++ result = 1;
+ }
+
+
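Review bot: The new bound `if(atom->end > file->total_length)` rejects an atom that runs past the end of the file but not one whose size wraps: `atom->end = atom->start + atom->size` just above is computed from a 64-bit size taken straight from the file, so a huge or negative size can yield an `end` below `start` (or below zero) that passes the comparison and leaves the caller with an atom whose end precedes its start. I would also reject that inconsistent case: `if(atom->end < atom->start || atom->end > file->total_length) result = 1;`. The declared types of `start`, `end` and `total_length` are not visible here, so whether the addition wraps or overflows signed needs confirming against the header, and it is also worth confirming that the block closed at the `}` after the check covers the 32-bit size path as well as the 64-bit one. quicktime_atom_read_header begins outside the hunk.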
+--- a/src/lqt_quicktime.c
++++ b/src/lqt_quicktime.c
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
+ quicktime_set_position(file, start_position);
+ free(temp);
+
+- quicktime_read_moov(file, &file->moov, &leaf_atom);
+- got_header = 1;
++ if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++ got_header = 1;
+ }
+ else
+ quicktime_atom_skip(file, &leaf_atom);
+--- a/src/moov.c
++++ b/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+ if(quicktime_atom_is(&leaf_atom, "trak"))
+ {
+ quicktime_trak_t *trak = quicktime_add_trak(file);
+- quicktime_read_trak(file, trak, &leaf_atom);
++ if(quicktime_read_trak(file, trak, &leaf_atom))
++ return 1;
+ }
+ else
+ if(quicktime_atom_is(&leaf_atom, "udta"))
+--- a/src/trak.c
++++ b/src/trak.c
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
+ else quicktime_atom_skip(file, &leaf_atom);
+ } while(quicktime_position(file) < trak_atom->end);
+
++ /* Do some sanity checks to prevent later crashes */
++ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++ {
++ if(!trak->mdia.minf.stbl.stsc.table ||
++ !trak->mdia.minf.stbl.stco.table)
++ return 1;
++ }
++
+ #if 1
+ if(trak->mdia.minf.is_video &&
+ quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
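Review bot: The condition `if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)` tests the same flag twice, so the new table check runs only for video tracks; the second operand was presumably meant to be the audio flag (whatever the minf struct names it), and as written a malformed audio track with a missing stsc or stco table still gets through. The check also stops short of the very next use: the `#if 1` block below dereferences `trak->mdia.minf.stbl.stsd.table[0]` for video tracks, which the NULL test on `stsc.table` and `stco.table` does not cover. I would write the guard as `if(!trak->mdia.minf.stbl.stsc.table || !trak->mdia.minf.stbl.stco.table || !trak->mdia.minf.stbl.stsd.table) return 1;` with the track-type test corrected. As the author's own preamble admits, a NULL check only proves the tables were allocated, not that their entry counts agree with the sample data, so the listed CVEs may be masked for the known samples rather than fixed. quicktime_read_trak begins outside the hunk.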
+--- a/src/util.c
++++ b/src/util.c
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
+ return quicktime_write_data(file, data, 2);
+ }
+
+-unsigned long quicktime_read_uint32(quicktime_t *file)
++uint32_t quicktime_read_uint32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
+ return result;
+ }
+
+-long quicktime_read_int32(quicktime_t *file)
++int32_t quicktime_read_int32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
+ d = data[3];
+
+ result = (a << 24) | (b << 16) | (c << 8) | d;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+-long quicktime_read_int32_le(quicktime_t *file)
++int32_t quicktime_read_int32_le(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
+ d = data[3];
+
+ result = (d << 24) | (c << 16) | (b << 8) | a;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+ int64_t quicktime_read_int64(quicktime_t *file)
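Review bot: Each of the three readers fills `uint8_t data[4]` via `quicktime_read_data(file, data, 4)` and ignores its result, so on a truncated file the bytes combined into `result` come from an uninitialized stack array; the type narrowing in this hunk does not change that. Since the return convention of quicktime_read_data is not visible here, the minimal fix is to zero the buffer first, `uint8_t data[4] = {0};`, so a short read yields a deterministic value rather than stack garbage, and to propagate the failure once the API permits it. The change to `uint32_t` itself looks right: the byte shifts now happen in a 32-bit unsigned type on every platform, and the trailing `(int32_t)` cast is implementation-defined rather than undefined for values above INT32_MAX, which is what the CVE-2016-2399 class of integer-width bugs in this file needs.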
diff -Nru libquicktime-1.2.4/debian/patches/series libquicktime-1.2.4/debian/patches/series
--- libquicktime-1.2.4/debian/patches/series 2017-02-27 23:15:35.000000000 +0100
+++ libquicktime-1.2.4/debian/patches/series 2017-07-13 18:29:03.000000000 +0200
@@ -3,3 +3,4 @@
libav10.patch
ffmpeg_2.9.patch
CVE-2016-2399.patch
+CVE-2017-9122_et_al.patch