
Bug#927042: marked as done (unblock: gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5)



Your message dated Sun, 14 Apr 2019 06:13:00 +0000
with message-id <5f21c6b8-46cb-1ab2-1606-2d81c3849ead@thykier.net>
and subject line Re: Bug#927042: unblock: gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5
has caused the Debian Bug report #927042,
regarding unblock: gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927042
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gpac

Moritz has kindly pointed out and backported the relevant upstream patches
that fix these issues. Here is the relevant part of debian/changelog:

  * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
    to Salvatore Bonaccorso (Closes: #926961).
  * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
    in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).

unblock gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5

Thanks for considering.
-rt

diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog	2019-04-01 17:07:02.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog	2019-04-13 16:41:15.000000000 -0400
@@ -1,3 +1,13 @@
+gpac (0.5.2-426-gc5ad4e4+dfsg5-5) unstable; urgency=medium
+
+  [ Moritz Muehlenhoff ]
+  * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
+    to Salvatore Bonaccorso (Closes: #926961).
+  * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
+    in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
+
+ -- Reinhard Tartler <siretart@tauware.de>  Sat, 13 Apr 2019 16:41:15 -0400
+
 gpac (0.5.2-426-gc5ad4e4+dfsg5-4.1) unstable; urgency=medium

   * CVE-2018-7752 (Closes: #892526)
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch	1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11221.patch	2019-04-13 16:41:15.000000000 -0400
@@ -0,0 +1,180 @@
+From f4616202e5578e65746cf7e7ceeba63bee1b094b Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:18:58 +0200
+Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf
+
+closes #1203
+---
+ applications/mp4client/main.c         |  2 +-
+ applications/osmo4_sym/osmo4_view.cpp |  2 +-
+ src/media_tools/media_export.c        |  2 +-
+ src/media_tools/media_import.c        |  2 +-
+ src/scene_manager/loader_bt.c         |  4 ++--
+ src/scene_manager/loader_isom.c       |  2 +-
+ src/scene_manager/loader_qt.c         |  2 +-
+ src/scene_manager/loader_svg.c        |  8 ++++----
+ src/scene_manager/loader_xmt.c        | 14 +++++++-------
+ src/scene_manager/swf_parse.c         |  6 +++---
+ src/scene_manager/swf_svg.c           |  2 +-
+ src/scenegraph/xbl_process.c          |  2 +-
+ src/utils/alloc.c                     |  2 +-
+ src/utils/xml_parser.c                | 24 +++++++++++++-----------
+ 15 files changed, 49 insertions(+), 47 deletions(-)
+
+--- a/applications/mp4client/main.c
++++ b/applications/mp4client/main.c
+@@ -1023,7 +1023,7 @@ static void on_gpac_log(void *cbk, u32 l
+
+ 	if (rti_logs && (lm & GF_LOG_RTI)) {
+ 		char szMsg[2048];
+-		vsprintf(szMsg, fmt, list);
++		vsnprintf(szMsg, 2048, fmt, list);
+ 		UpdateRTInfo(szMsg + 6 /*"[RTI] "*/);
+ 	} else {
+ 		if (log_time_start) {
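Review bot: The bound passed to `vsnprintf` is a second copy of the array size (`2048` here) rather than being derived from the buffer, so the two can drift apart if the declaration is ever edited; `vsnprintf(szMsg, sizeof(szMsg), fmt, list);` keeps them tied. The same applies to the media_export.c, media_import.c, loader_bt.c, loader_isom.c, loader_qt.c, loader_svg.c, loader_xmt.c, swf_parse.c, xbl_process.c and alloc.c hunks, and in swf_svg.c the declaration of `line` is outside the hunk, so the literal `2000` cannot be checked against it from this diff. Separately, `szMsg` is uninitialised and `UpdateRTInfo(szMsg + 6)` assumes the formatted text is at least six characters long; if a shorter message ever reaches this branch, the callee is handed bytes beyond the terminator. on_gpac_log starts and ends outside the hunk.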
+--- a/src/media_tools/media_export.c
++++ b/src/media_tools/media_export.c
+@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_Media
+ 		va_list args;
+ 		char szMsg[1024];
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 1024, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) );
+ 	}
+--- a/src/media_tools/media_import.c
++++ b/src/media_tools/media_import.c
+@@ -50,7 +50,7 @@ GF_Err gf_import_message(GF_MediaImporte
+ 		va_list args;
+ 		char szMsg[1024];
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 1024, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) );
+ 	}
+--- a/src/scene_manager/loader_bt.c
++++ b/src/scene_manager/loader_bt.c
+@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *
+ 		char szMsg[2048];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 2048, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line));
+ 	}
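Review bot: The diffstat carried in this patch's header records 4 changed lines for loader_bt.c, 8 for loader_svg.c, 14 for loader_xmt.c, 6 for swf_parse.c and a change in applications/osmo4_sym/osmo4_view.cpp, yet the backport contains a single replacement in each of the first four files and no hunk at all for the last. Either those extra call sites do not exist in the 0.5.2 tree or they were dropped during backporting; the patch does not say which. A short note in the patch header listing the upstream hunks that were omitted and why, plus a check for remaining `vsprintf(` calls in the packaged source, would make the coverage of the fix verifiable. gf_bt_report starts outside the hunk.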
+--- a/src/scene_manager/loader_isom.c
++++ b/src/scene_manager/loader_isom.c
+@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *l
+ 		char szMsg[1024];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 1024, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) );
+ 	}
+--- a/src/scene_manager/loader_qt.c
++++ b/src/scene_manager/loader_qt.c
+@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoade
+ 		char szMsg[1024];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 1024, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) );
+ 	}
+--- a/src/scene_manager/loader_svg.c
++++ b/src/scene_manager/loader_svg.c
+@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *
+ 		char szMsg[2048];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 2048, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
+ 	}
+--- a/src/scene_manager/loader_xmt.c
++++ b/src/scene_manager/loader_xmt.c
+@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *p
+ 		char szMsg[2048];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 2048, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) );
+ 	}
+--- a/src/scene_manager/swf_parse.c
++++ b/src/scene_manager/swf_parse.c
+@@ -2410,7 +2410,7 @@ void swf_report(SWFReader *read, GF_Err
+ 		char szMsg[2048];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 2048, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) );
+ 	}
+--- a/src/scene_manager/swf_svg.c
++++ b/src/scene_manager/swf_svg.c
+@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *rea
+
+ 	/* print the line */
+ 	va_start(args, format);
+-	vsprintf(line, format, args);
++	vsnprintf(line, 2000, format, args);
+ 	va_end(args);
+ 	/* add the line to the buffer */
+ 	line_length = (u32)strlen(line);
+--- a/src/scenegraph/xbl_process.c
++++ b/src/scenegraph/xbl_process.c
+@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Pa
+ 		char szMsg[2048];
+ 		va_list args;
+ 		va_start(args, format);
+-		vsprintf(szMsg, format, args);
++		vsnprintf(szMsg, 2048, format, args);
+ 		va_end(args);
+ 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
+ 	}
+--- a/src/utils/alloc.c
++++ b/src/utils/alloc.c
+@@ -658,7 +658,7 @@ static void gf_memory_log(unsigned int l
+ 	char msg[1024];
+ 	assert(strlen(fmt) < 200);
+ 	va_start(vl, fmt);
+-	vsprintf(msg, fmt, vl);
++	vsnprintf(msg, 1024, fmt, vl);
+ 	GF_LOG(level, GF_LOG_MEMORY, (msg));
+ 	va_end(vl);
+ }
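Review bot: `GF_LOG(level, GF_LOG_MEMORY, (msg));` hands the already formatted buffer over as what looks like the format argument, whereas every other site in this patch logs through `("%s\n", szMsg)`; any `%` that ends up in `msg` would then be interpreted a second time. The GF_LOG macro itself is not visible here, so this is inferred from the sibling call sites, but `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));` would remove the doubt without changing the output. Note also that `assert(strlen(fmt) < 200)` disappears in NDEBUG builds, so the new size bound is the only check in release binaries. gf_memory_log starts outside the hunk.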
+--- a/src/utils/xml_parser.c
++++ b/src/utils/xml_parser.c
+@@ -218,14 +218,16 @@ static void format_sax_error(GF_SAXParse
+ 	char szM[20];
+
+ 	va_start(args, fmt);
+-	vsprintf(parser->err_msg, fmt, args);
++	vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args);
+ 	va_end(args);
+
+-	sprintf(szM, " - Line %d: ", parser->line + 1);
+-	strcat(parser->err_msg, szM);
+-	len = (u32) strlen(parser->err_msg);
+-	strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
+-	parser->err_msg[len + 10] = 0;
++	if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) {
++		snprintf(szM, 20, " - Line %d: ", parser->line + 1);
++		strcat(parser->err_msg, szM);
++		len = (u32) strlen(parser->err_msg);
++		strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
++		parser->err_msg[len + 10] = 0;
++	}
+ 	parser->sax_state = SAX_STATE_SYNTAX_ERROR;
+ }
+
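Review bot: The constant in `strlen(parser->err_msg)+30` is unexplained and silently depends on `szM[20]` and the `10` passed to `strncpy`; a comment such as `/* 30 = at most 19 chars from szM + 10 context chars + NUL */` would keep the three in step. `snprintf(szM, 20, ...)` could likewise use `sizeof(szM)`. `ARRAY_LENGTH` is not defined anywhere in this patch, so it is worth confirming that the 0.5.2 tree provides it and that `err_msg` is a true array rather than a pointer, since neither is visible from the hunk. When the message is too long the line number and context are dropped without any marker. format_sax_error starts outside the hunk.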
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch	1969-12-31 19:00:00.000000000 -0500
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2019-11222.patch	2019-04-13 16:41:15.000000000 -0400
@@ -0,0 +1,25 @@
+From f36525c5beafb78959c3a07d6622c9028de348da Mon Sep 17 00:00:00 2001
+From: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date: Thu, 11 Apr 2019 14:54:53 +0200
+Subject: [PATCH] fix buffer overrun in gf_bin128_parse
+
+closes #1204
+closes #1205
+---
+ src/utils/os_divers.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/utils/os_divers.c
++++ b/src/utils/os_divers.c
+@@ -1958,6 +1958,11 @@ GF_Err gf_bin128_parse(char *string, bin
+ 			sscanf(szV, "%x", &v);
+ 			value[i] = v;
+ 			i++;
++			if (i > 15) {
++				// force error check below
++				i++;
++				break;
++			}
+ 		}
+ 	}
+ 	if (i != 16) {
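Review bot: The new guard runs after `value[i] = v; i++;`, so it also fires on the sixteenth byte: `i` becomes 16, the test `i > 15` is true, `i` is bumped to 17 and, assuming the `if (i != 16)` branch below is the error return the comment refers to, a well-formed 128-bit value would be rejected. Moving the guard ahead of the store, `if (i > 15) { i++; break; }` placed before `value[i] = v;`, still prevents the write past the end of `value` and lets exactly sixteen bytes through. The result of `sscanf(szV, "%x", &v)` is also unchecked, so `v` may be stored without having been set. The loop and the rest of gf_bin128_parse lie outside the hunk, so this should be confirmed against the full function and with a test that parses a valid 32-hex-digit string.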
diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series
--- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series	2019-04-01 17:06:55.000000000 -0400
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/series	2019-04-13 16:41:15.000000000 -0400
@@ -11,3 +11,5 @@
 CVE-2018-20760.patch
 CVE-2018-20761_CVE-2018-20762.patch
 CVE-2018-20763.patch
+CVE-2019-11221.patch
+CVE-2019-11222.patch


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Reinhard Tartler:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package gpac
> 
> Moritz has kindly pointed out and backported the relevant patches from upstream
> that fixes this issue. Here is the relevant part of debian/changelog:
> 
>   * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks
>     to Salvatore Bonaccorso (Closes: #926961).
>   * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message()
>     in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963).
> 
> unblock gpac/gpac 0.5.2-426-gc5ad4e4+dfsg5-5
> 
> Thanks for considering.
> -rt
> 
> [...]
> 

Unblocked, thanks.
~Niels

--- End Message ---
