Bug#926739: stretch-pu: package gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes a number of minor security issues (the CVEs listed in the changelog below); the same patches have been in unstable for a week.
Cheers,
Moritz
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2016-08-04 23:29:39.000000000 +0200
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2019-03-04 23:37:26.000000000 +0100
@@ -1,3 +1,12 @@
+gpac (0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1) stretch; urgency=medium
+
+ * CVE-2018-7752 (Closes: #892526)
+ * CVE-2018-13005, CVE-2018-13006 (Closes: #902782)
+ * CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763
+ (Closes: #921969)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Mon, 04 Mar 2019 23:37:26 +0100
+
gpac (0.5.2-426-gc5ad4e4+dfsg5-3) unstable; urgency=medium
* Team upload.
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch 1970-01-01 01:00:00.000000000 +0100
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch 2019-03-04 23:13:09.000000000 +0100
@@ -0,0 +1,38 @@
+From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Thu, 28 Jun 2018 13:34:08 +0200
+Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088)
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h
+@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_
+ char __ptype[5];\
+ strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
+ GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
+- gf_isom_box_del(a);\
++ gf_isom_box_del(__abox);\
+ return GF_OK;\
+ }
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c
+@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream
+
+ //then get the break
+ i = 0;
+- while ( (tmpName[i] != 0) && (i < to_read) ) {
++ while ( (i < to_read) && (tmpName[i] != 0) ) {
+ i++;
+ }
+ //check the data is consistent
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c
+@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace
+ GF_Err hdlr_dump(GF_Box *a, FILE * trace)
+ {
+ GF_HandlerBox *p = (GF_HandlerBox *)a;
+- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
+ fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
+ } else {
+ fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
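Review bot: The fallback branch of hdlr_dump in box_dump.c still passes `p->nameUTF8` to `%s` when the `if` on the patched line failed because `p->nameUTF8` is NULL, which is undefined behaviour for fprintf (glibc prints "(null)", other libcs crash); the commit only corrects the length comparison. A guarded fallback such as `fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8 ? p->nameUTF8 : "");` closes that hole. The corrected `strlen(p->nameUTF8)-1` wraps for an empty string, but the wrapped value cannot equal `(u32)p->nameUTF8[0]` for a string whose first byte is 0, so that case falls through to the else branch safely. hdlr_dump continues outside the hunk.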
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 1970-01-01 01:00:00.000000000 +0100
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 2019-03-04 23:13:47.000000000 +0100
@@ -0,0 +1,16 @@
+From 4c1360818fc8948e9307059fba4dc47ba8ad255d Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Thu, 13 Dec 2018 14:39:21 +0100
+Subject: [PATCH] check error code on call to gf_utf8_wcstombs (#1177)
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c
+@@ -259,6 +259,8 @@ char *gf_text_get_utf8_line(char *szLine
+ }
+ sptr = (u16 *)szLine;
+ i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr);
++ if (i >= (u32)ARRAY_LENGTH(szLineConv))
++ return NULL;
+ szLineConv[i] = 0;
+ strcpy(szLine, szLineConv);
+ /*this is ugly indeed: since input is UTF16-LE, there are many chances the fgets never reads the \0 after a \n*/
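Review bot: The destination size handed to gf_utf8_wcstombs on the line above the new check is the literal `1024`, while the check and the terminator use `ARRAY_LENGTH(szLineConv)`; if the buffer is ever resized the two diverge and the check no longer bounds the write it is meant to guard. Use the same expression in both places, `i = (u32) gf_utf8_wcstombs(szLineConv, ARRAY_LENGTH(szLineConv), (const unsigned short **) &sptr);`. The added `return NULL` is a new failure path for gf_text_get_utf8_line; its callers are outside this hunk and presumably must cope with a NULL line, which this patch does not show. `ARRAY_LENGTH` itself is introduced by the CVE-2018-7752 patch, so this one only builds when applied after it, as the series file does.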
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch 1970-01-01 01:00:00.000000000 +0100
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch 2019-03-04 23:14:31.000000000 +0100
@@ -0,0 +1,147 @@
+From 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Fri, 11 Jan 2019 11:32:54 +0100
+Subject: [PATCH] fix some overflows due to strcpy
+
+fixes #1184, #1186, #1187 among other things
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4box/fileimport.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4box/fileimport.c
+@@ -2119,17 +2119,33 @@ GF_Err cat_multiple_files(GF_ISOFile *de
+ cat_enum.align_timelines = align_timelines;
+ cat_enum.allow_add_in_command = allow_add_in_command;
+
++ if (strlen(fileName) >= sizeof(cat_enum.szPath)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(cat_enum.szPath, fileName);
+ sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR);
+ if (!sep) sep = strrchr(cat_enum.szPath, '/');
+ if (!sep) {
+ strcpy(cat_enum.szPath, ".");
++ if (strlen(fileName) >= sizeof(cat_enum.szRad1)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(cat_enum.szRad1, fileName);
+ } else {
++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(cat_enum.szRad1, sep+1);
+ sep[0] = 0;
+ }
+ sep = strchr(cat_enum.szRad1, '*');
++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(cat_enum.szRad2, sep+1);
+ sep[0] = 0;
+ sep = strchr(cat_enum.szRad2, '%');
+@@ -2137,6 +2153,10 @@ GF_Err cat_multiple_files(GF_ISOFile *de
+ if (!sep) sep = strchr(cat_enum.szRad2, ':');
+ strcpy(cat_enum.szOpt, "");
+ if (sep) {
++ if (strlen(sep) >= sizeof(cat_enum.szOpt)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(cat_enum.szOpt, sep);
+ sep[0] = 0;
+ }
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4client/main.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4client/main.c
+@@ -885,7 +885,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event
+ break;
+ case GF_EVENT_NAVIGATE:
+ if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) {
+- strcpy(the_url, evt->navigate.to_url);
++ strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1);
++ the_url[sizeof(the_url) - 1] = 0;
+ fprintf(stderr, "Navigating to URL %s\n", the_url);
+ gf_term_navigate_to(term, evt->navigate.to_url);
+ return 1;
+@@ -1534,7 +1535,14 @@ int main (int argc, char **argv)
+ else if (!gui_mode && url_arg) {
+ char *ext;
+
+- strcpy(the_url, url_arg);
++ if (strlen(url_arg) >= sizeof(the_url)) {
++ fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1));
++ strncpy(the_url, url_arg, sizeof(the_url)-1);
++ the_url[sizeof(the_url) - 1] = 0;
++ }
++ else {
++ strcpy(the_url, url_arg);
++ }
+ ext = strrchr(the_url, '.');
+ if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) {
+ GF_Err e = GF_OK;
+@@ -1546,7 +1554,10 @@ int main (int argc, char **argv)
+ GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e);
+ if (sess) {
+ e = gf_dm_sess_process(sess);
+- if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess));
++ if (!e) {
++ strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
++ the_url[sizeof(the_cfg) - 1] = 0;
++ }
+ gf_dm_sess_del(sess);
+ }
+ }
+@@ -1574,7 +1585,8 @@ int main (int argc, char **argv)
+ fprintf(stderr, "Hit 'h' for help\n\n");
+ str = gf_cfg_get_key(cfg_file, "General", "StartupFile");
+ if (str) {
+- strcpy(the_url, "MP4Client "GPAC_FULL_VERSION);
++ strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1);
++ the_url[sizeof(the_url) - 1] = 0;
+ gf_term_connect(term, str);
+ startup_file = 1;
+ is_connected = 1;
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/modules/ffmpeg_in/ffmpeg_demux.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/modules/ffmpeg_in/ffmpeg_demux.c
+@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputSer
+ AVFormatContext *ctx;
+ AVOutputFormat *fmt_out;
+ Bool ret = 0;
+- char *ext, szName[1000], szExt[20];
++ char *ext, szName[1024], szExt[20];
+ const char *szExtList;
+ FFDemux *ffd;
+ if (!plug || !url)
+@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputSer
+
+ ffd = plug->priv;
+
++ if (strlen(url) >= sizeof(szName))
++ return GF_FALSE;
++
+ strcpy(szName, url);
+ ext = strrchr(szName, '#');
+ if (ext) ext[0] = 0;
+@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputSer
+ ext = strrchr(szName, '.');
+ if (ext && strlen(ext) > 19) ext = NULL;
+
+- if (ext && strlen(ext) > 1) {
++ if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) {
+ strcpy(szExt, &ext[1]);
+ strlwr(szExt);
+ #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/scene_manager/scene_manager.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/scene_manager/scene_manager.c
+@@ -642,6 +642,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *l
+ ext[0] = '.';
+ ext = anext;
+ }
++ if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName));
++ return GF_NOT_SUPPORTED;
++ }
+ strcpy(szExt, &ext[1]);
+ strlwr(szExt);
+ if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT;
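Review bot: In mp4client/main.c the terminator written after copying the cache name indexes with the wrong array: `the_url[sizeof(the_cfg) - 1] = 0;` should be `the_url[sizeof(the_url) - 1] = 0;`, as the three other strncpy sites in this patch do. With the current line the index depends on the size of `the_cfg`, so the_url is left unterminated if `the_cfg` is smaller or written past its end if it is larger, and the bounded copy does not achieve its purpose. In cat_multiple_files the new `strlen(sep + 1)` check for szRad2 still runs when `strchr(cat_enum.szRad1, '*')` returned NULL, so it wants an `if (!sep) return GF_NOT_SUPPORTED;` guard unless the caller guarantees a '*' is present, which is not visible here. Both functions begin and end outside the hunk.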
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch 1970-01-01 01:00:00.000000000 +0100
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20763.patch 2019-03-04 23:14:59.000000000 +0100
@@ -0,0 +1,109 @@
+From 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Fri, 11 Jan 2019 14:05:16 +0100
+Subject: [PATCH] add some boundary checks on gf_text_get_utf8_line (#1188)
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c
+@@ -195,49 +195,76 @@ char *gf_text_get_utf8_line(char *szLine
+ if (unicode_type<=1) {
+ j=0;
+ len = (u32) strlen(szLine);
+- for (i=0; i<len; i++) {
++ for (i=0; i<len && j < sizeof(szLineConv) - 1; i++, j++) {
++
+ if (!unicode_type && (szLine[i] & 0x80)) {
+ /*non UTF8 (likely some win-CP)*/
+ if ((szLine[i+1] & 0xc0) != 0x80) {
+- szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 );
+- j++;
+- szLine[i] &= 0xbf;
++ if (j + 1 < sizeof(szLineConv) - 1) {
++ szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3);
++ j++;
++ szLine[i] &= 0xbf;
++ }
++ else
++ break;
+ }
+ /*UTF8 2 bytes char*/
+ else if ( (szLine[i] & 0xe0) == 0xc0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++
++ // don't cut multibyte in the middle in there is no more room in dest
++ if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ }
+ /*UTF8 3 bytes char*/
+ else if ( (szLine[i] & 0xf0) == 0xe0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++ if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ }
+ /*UTF8 4 bytes char*/
+ else if ( (szLine[i] & 0xf8) == 0xf0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++ if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ } else {
+ i+=1;
+ continue;
+ }
+ }
+- szLineConv[j] = szLine[i];
+- j++;
++ if (j < sizeof(szLineConv)-1 && i<len)
++ szLineConv[j] = szLine[i];
++
+ }
+- szLineConv[j] = 0;
++ if (j >= sizeof(szLineConv))
++ szLineConv[sizeof(szLineConv) - 1] = 0;
++ else
++ szLineConv[j] = 0;
++
+ strcpy(szLine, szLineConv);
+ return sOK;
+ }
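Review bot: Moving `j++` into the for-increment changes what the `else { i+=1; continue; }` branch does: the `continue` now advances j without storing anything at `szLineConv[j]`, so every byte that reaches that branch leaves a hole in the converted line, whereas before the patch `continue` skipped both the store and the increment. Unless szLineConv is zero-initialised, which this hunk does not show, the hole is an uninitialised byte that reaches szLine through the final strcpy. Keeping j's advance with the store restores the old behaviour: `for (i=0; i<len && j < sizeof(szLineConv) - 1; i++)` and, at the bottom of the loop body, `if (j < sizeof(szLineConv)-1 && i<len) szLineConv[j++] = szLine[i];`. gf_text_get_utf8_line begins before this hunk.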
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752.patch 1970-01-01 01:00:00.000000000 +0100
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-7752.patch 2019-03-04 23:12:30.000000000 +0100
@@ -0,0 +1,28 @@
+From 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Tue, 6 Mar 2018 11:23:31 +0100
+Subject: [PATCH] fix some exploitable overflows (#994, #997)
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/tools.h
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/tools.h
+@@ -999,6 +999,7 @@ void gf_fm_request_call(u32 type, u32 pa
+ }
+ #endif
+
++#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
+
+ #endif /*_GF_CORE_H_*/
+
+--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/av_parsers.c
++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/av_parsers.c
+@@ -2160,6 +2160,10 @@ s32 gf_media_avc_read_sps(const char *sp
+ sps->offset_for_non_ref_pic = bs_get_se(bs);
+ sps->offset_for_top_to_bottom_field = bs_get_se(bs);
+ sps->poc_cycle_length = bs_get_ue(bs);
++ if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
++ goto exit;
++ }
+ for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
+ }
+ if (sps->poc_type > 2) {
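Review bot: `ARRAY_LENGTH` is added to the public include/gpac/tools.h with neither a prefix nor an `#ifndef` guard, so any application that includes gpac headers and already defines its own `ARRAY_LENGTH` (a very common macro name) gets a redefinition warning or error. Wrapping it in `#ifndef ARRAY_LENGTH` / `#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))` / `#endif`, or naming it `GF_ARRAY_LENGTH` consistent with the GF_ prefix used elsewhere, avoids that; the CVE-2018-20760 patch in this upload also uses the name and therefore depends on this patch being applied first. The `>` in the new poc_cycle_length check is correct, since the loop writes only indices below `poc_cycle_length`. The `exit` label and the rest of gf_media_avc_read_sps are outside the hunk.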
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2016-08-04 21:51:54.000000000 +0200
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series 2019-03-04 23:14:46.000000000 +0100
@@ -5,3 +5,8 @@
dont-err-build-on-uknown-system.patch
skip-swf-test.patch
ffmpeg_2.9.patch
+CVE-2018-7752.patch
+CVE-2018-13005_CVE-2018-13006.patch
+CVE-2018-20760.patch
+CVE-2018-20761_CVE-2018-20762.patch
+CVE-2018-20763.patch