
Bug#940647: buster-pu: package libmysofa/0.6~dfsg0-3



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release-team,

the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework), and
consequently has a popcon of 43382.

The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer dereferences, out-of-bounds reads, invalid reads and
writes) have been promptly fixed by upstream, who have released a new
version (0.8).

I've uploaded the new version to 'sid' yesterday (setting urgency=high; I
hope this is correct).
For buster (which ships 0.6) I need your cooperation in order to get the
package uploaded.

Since there are a number of CVEs involved, I have first contacted the security
team, to coordinate an upload via buster-security. However, their response was:
> I have looked at those now from stable update point of view, and I
> think they are somehow limited impact (clearly with posibility to lead
> to crashes of reverse dependecies), but would not warrant a DSA on its
> own.
>
> I tend to mark those as no-dsa for buster and ask you if you can
> schedule an update just for the next buster point release.

I agree with their assessment of the impact of these CVEs, so here I am :-)

Please see the attached debdiff for my proposed changes.
These changes include fixes for the various CVEs and a (small but) cumulative
patch for 3 more security issues fixed upstream, which haven't got a CVE
assigned.

Let me know what I should do.

Cheers and thanks for making Debian a better place.

fgamsdr
IOhannes
diff -Nru libmysofa-0.6~dfsg0/debian/changelog libmysofa-0.6~dfsg0/debian/changelog
--- libmysofa-0.6~dfsg0/debian/changelog	2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/changelog	2019-09-18 13:44:59.000000000 +0200
@@ -1,3 +1,15 @@
+libmysofa (0.6~dfsg0-3+deb10u1) buster; urgency=high
+
+  * Backport security fixes (Closes: #939735)
+    * CVE-2019-16091
+    * CVE-2019-16092
+    * CVE-2019-16093
+    * CVE-2019-16094
+    * CVE-2019-16095
+    * misc security fixes that have no CVE assigned
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>  Wed, 18 Sep 2019 13:44:59 +0200
+
 libmysofa (0.6~dfsg0-3) unstable; urgency=medium
 
   [ IOhannes m zmölnig ]
diff -Nru libmysofa-0.6~dfsg0/debian/gbp.conf libmysofa-0.6~dfsg0/debian/gbp.conf
--- libmysofa-0.6~dfsg0/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/gbp.conf	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,4 @@
+[DEFAULT]
+pristine-tar = True
+#upstream-branch = upstream
+debian-branch = buster
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,99 @@
+Description: Fix for CVE-2019-16091
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/78
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/fractalhead.c
++++ libmysofa/src/hdf/fractalhead.c
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <errno.h>
+ #include <assert.h>
++#include <inttypes.h>
+ #include "reader.h"
+ 
+ static int log2i(int a) {
+@@ -36,7 +37,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHDB", 4)) {
+ 		log("cannot read signature of fractal heap indirect block\n");
+ 		return MYSOFA_INVALID_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object FHDB must have version 0\n");
+@@ -60,7 +61,7 @@
+ 	else
+ 		length_size = ceilf(log2f(fractalheap->maximum_size) / 8);
+ 
+-	log(" %d %ld %d\n",size,block_offset,offset_size);
++	log(" %d %" PRIu64 " %d\n",size,block_offset,offset_size);
+ 
+ 	/*
+ 	 * 00003e00  00 46 48 44 42 00 40 02  00 00 00 00 00 00 00 00  |.FHDB.@.........|
+@@ -81,10 +82,10 @@
+ 		typeandversion = (uint8_t)fgetc(reader->fhd);
+ 		offset = readValue(reader, offset_size);
+ 		length = readValue(reader, length_size);
+-		if(offset>0x10000000 || length>0x10000000)
++		if(offset>0x10000000 || length>0x10000000 || length == 0)
+ 			return MYSOFA_UNSUPPORTED_FORMAT;
+ 
+-		log(" %d %4lX %ld %8lX\n",typeandversion,offset,length,ftell(reader->fhd));
++		log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n",typeandversion,offset,length,ftell(reader->fhd));
+ 
+ 		/* TODO: for the following part, the specification is incomplete */
+ 		if (typeandversion == 3) {
+@@ -97,12 +98,13 @@
+ 				return MYSOFA_UNSUPPORTED_FORMAT;
+ 			}
+ 
+-			if (!(name = malloc(length)))
++			if (!(name = malloc(length+1)))
+ 				return MYSOFA_NO_MEMORY;
+ 			if(fread(name, 1, length, reader->fhd)!=length) {
+ 				free(name);
+ 				return MYSOFA_READ_ERROR;
+ 			}
++			name[length]=0;
+ 
+ 			if (readValue(reader, 4) != 0x00000013) {
+ 				log("FHDB type 3 unsupported values");
+@@ -177,7 +179,7 @@
+ 			heap_header_address = readValue(reader,
+ 							reader->superblock.size_of_offsets);
+ 
+-			log("\nfractal head type 1 length %4lX name %s address %lX\n", length, name, heap_header_address);
++			log("\nfractal head type 1 length %4" PRIX64 " name %s address %" PRIX64 "\n", length, name, heap_header_address);
+ 
+ 			dir = malloc(sizeof(struct DIR));
+ 			if(!dir) {
+@@ -241,7 +243,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHIB", 4)) {
+ 		log("cannot read signature of fractal heap indirect block\n");
+ 		return MYSOFA_INVALID_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object FHIB must have version 0\n");
+@@ -282,7 +284,7 @@
+ 			size_filtered = readValue(reader,
+ 						  reader->superblock.size_of_lengths);
+ 			filter_mask = readValue(reader, 4);
+-		} log(">> %d %lX %d\n",k,child_direct_block,size);
++		} log(">> %d %" PRIX64 " %d\n",k,child_direct_block,size);
+ 		if (validAddress(reader, child_direct_block)) {
+ 			store = ftell(reader->fhd);
+ 			if(fseek(reader->fhd, child_direct_block, SEEK_SET)<0)
+@@ -347,7 +349,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FRHP", 4)) {
+ 		log("cannot read signature of fractal heap\n");
+ 		return MYSOFA_UNSUPPORTED_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object fractal heap must have version 0\n");
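Review bot: The format fix on the FHDB entry log line (`log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n", typeandversion, offset, length, ftell(reader->fhd));`) passes the bare `long` result of `ftell()` to a `PRIX64` conversion, unlike the three signature log lines in this same patch, which cast it with `(uint64_t)` first. On the 32-bit architectures buster ships (i386, armhf, armel, mipsel) `long` is 32 bits while `PRIX64` expands to `llX`, so the variadic argument type no longer matches the conversion, which is undefined behaviour and exactly what `-Wformat` would flag; the fix is `(uint64_t)ftell(reader->fhd)` as the last argument. Whether this is reachable depends on how `log()` is defined in reader.h (it may compile to nothing outside debug builds), which is not visible here. Separately, the FRHP signature line drops the `08` width (`"%" PRIX64 " %.4s\n"`) that the FHDB and FHIB lines keep, so the three otherwise-parallel trace lines now format the file offset differently; `"%08" PRIX64` would keep them consistent.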
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2019-16092
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/77
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -188,8 +188,9 @@
+ 
+ 	dir = reader->superblock.dataobject.directory;
+ 	while (dir) {
+-
+-		if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
++		if(!dir->dataobject.name) {
++			log("SOFA VARIABLE IS NULL.\n");
++		} else if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
+ 			*err = getArray(&hrtf->ListenerPosition, &dir->dataobject);
+ 		} else if (!strcmp(dir->dataobject.name, "ReceiverPosition")) {
+ 			*err = getArray(&hrtf->ReceiverPosition, &dir->dataobject);
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16093
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/76
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -352,6 +352,8 @@
+ 
+ 	case 2:
+ 		dimensionality = (uint8_t)fgetc(reader->fhd);
++		if(dimensionality < 0 || dimensionality >= sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0])
++			return MYSOFA_INVALID_FORMAT;
+ 		data_address = readValue(reader, reader->superblock.size_of_offsets);
+ 		log(" CHUNK %lX\n", data_address);
+ 		for (i = 0; i < dimensionality; i++) {
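Review bot: The lower-bound half of the new check, `dimensionality < 0`, can never be true: the preceding line assigns the result of a `(uint8_t)` cast, so the stored value is 0..255 regardless of the variable's declared type (which is outside the hunk), and if that type is unsigned the comparison also triggers `-Wtype-limits`. The cast also folds a read failure into the range check, since `fgetc()` returning `EOF` becomes 255 and is reported as `MYSOFA_INVALID_FORMAT` rather than as a read error. Checking the byte before casting keeps both cases distinct: `int c = fgetc(reader->fhd); if (c == EOF) return MYSOFA_READ_ERROR; dimensionality = (uint8_t)c;`, followed by only the upper-bound test against the array length. The loop body that indexes `datalayout_chunk` continues past the end of the hunk, so the upper bound of `>= sizeof(...)/sizeof(...)[0]` is assumed to match the indices written there.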
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16094
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/75
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -371,6 +371,8 @@
+ 			if (fseek(reader->fhd, data_address, SEEK_SET)<0)
+ 				return errno;
+ 			if (!data->data) {
++				if(size < 0 || size > 0x10000000)
++					return MYSOFA_INVALID_FORMAT;
+ 				data->data_len = size;
+ 				data->data = malloc(size);
+ 				if (!data->data)
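Review bot: A `size` of zero passes the new `if(size < 0 || size > 0x10000000)` check and reaches `malloc(size)` two lines below; `malloc(0)` may return NULL, which this code reports as `MYSOFA_NO_MEMORY`, or a non-NULL pointer paired with `data_len = 0`, and whether later readers of `data->data` cope with a zero-length buffer is outside the hunk. If an empty chunk is never legitimate in this layout message, `if (size <= 0 || size > 0x10000000)` closes that hole; if it is legitimate, the NULL return should not be reported as an allocation failure. The `size < 0` half is dead if `size` is an unsigned type; its declaration is not visible here. Note also that the bound is only applied on the `!data->data` path, so a second message arriving with a larger `size` for an already-allocated buffer is not compared against the stored `data_len` — worth confirming that the code following the hunk does not then read `size` bytes into it.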
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix for CVE-2019-16095
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/72
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -74,6 +74,7 @@
+ 		log(" %s=%s\n",attr->name,attr->value);
+ 
+ 		if (!strcmp(attr->name, "NAME")
++		    && attr->value
+ 		    && !strncmp(attr->value,
+ 				"This is a netCDF dimension but not a netCDF variable.",
+ 				53)) {
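Review bot: The new `&& attr->value` guard protects the `strncmp()` call, but the trace line two lines above it, `log(" %s=%s\n",attr->name,attr->value);`, still hands the same possibly-NULL `attr->value` to a `%s` conversion, which is undefined behaviour in printf-family functions (glibc happens to print `(null)`, other libcs can crash). Whether that line is compiled in depends on the `log()` definition in reader.h, which is not visible here, so this is hedged; if it is, `log(" %s=%s\n", attr->name, attr->value ? attr->value : "(null)");` removes the hazard. `attr->name` is likewise dereferenced by `strcmp()` without a check; the CVE-2019-16092 patch in this same upload shows object names can be NULL in a malformed file, so it may be worth confirming attribute names cannot be.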
diff -Nru libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch
--- libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,45 @@
+Description: misc security fixes without a CVE
+ backport of some minor fixes that were not assigned a CVE
+ - don't pass negative size to malloc()
+ - use calloc() to avoid uninitialized memory
+ - fix segfault (invalid-read) in the mysofa2json test-application (shipped in
+   libmysofa-utils)
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/79, https://github.com/hoene/libmysofa/issues/67, https://github.com/hoene/libmysofa/issues/74
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/btree.c
++++ libmysofa/src/hdf/btree.c
+@@ -246,6 +246,8 @@
+ 
+ 	log("elements %d size %d\n",elements,size);
+ 
++	if (elements >= 0x100000 || size > 0x10)
++		return MYSOFA_INVALID_FORMAT;
+ 	if (!(output = malloc(elements * size))) {
+ 		return MYSOFA_NO_MEMORY;
+ 	}
+--- libmysofa.orig/src/tests/json.c
++++ libmysofa/src/tests/json.c
+@@ -101,7 +101,7 @@
+ 
+ 		fprintf(out, "   \"DimensionNames\":[");
+ 		s = found->value;
+-		while (s[0] && dims < 4) {
++		while (s && s[0] && dims < 4) {
+ 			switch (s[0]) {
+ 			case 'I':
+ 				dimensions[dims++] = hrtf->I;
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -374,7 +374,7 @@
+ 				if(size < 0 || size > 0x10000000)
+ 					return MYSOFA_INVALID_FORMAT;
+ 				data->data_len = size;
+-				data->data = malloc(size);
++				data->data = calloc(1,size);
+ 				if (!data->data)
+ 					return MYSOFA_NO_MEMORY;
+ 			}
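Review bot: The DEP-3 header says this hunk exists to "not pass a negative size to malloc()", but the btree.c check `if (elements >= 0x100000 || size > 0x10)` rejects neither a negative `elements` nor a negative `size`: both variables are printed with `%d` on the preceding log line, which suggests signed ints, and a negative value fails both comparisons, so `elements * size` can still be negative and convert to a huge `size_t` at the `malloc()` call (their declarations are outside the hunk, so this is hedged on the type). The guard should be `if (elements < 0 || elements >= 0x100000 || size < 0 || size > 0x10)`, or the two values should be read into unsigned types before the range test. Separately, the dataobject.c hunk of this patch uses the `if(size < 0 || size > 0x10000000)` lines as context, which only exist once CVE-2019-16094.patch has been applied; the series order is therefore load-bearing, and either folding the `calloc()` change into that CVE patch or recording the dependency in this header would stop a silent fuzz if the patches are ever cherry-picked individually.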
diff -Nru libmysofa-0.6~dfsg0/debian/patches/series libmysofa-0.6~dfsg0/debian/patches/series
--- libmysofa-0.6~dfsg0/debian/patches/series	2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/patches/series	2019-09-18 13:44:59.000000000 +0200
@@ -1,2 +1,8 @@
 fix_export_symbols.patch
 CVE-2019-10672.patch
+CVE-2019-16091.patch
+CVE-2019-16092.patch
+CVE-2019-16093.patch
+CVE-2019-16094.patch
+CVE-2019-16095.patch
+misc-security-fixes.patch
