Bug#940647: buster-pu: package libmysofa/0.6~dfsg0-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release-team,
the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework), and
consequently has a popcon of 43382.
The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer access, out-of-bound reads, invalid reads and
writes) have been promptly fixed by upstream, who have released a new
version (0.8).
I've uploaded the new version to 'sid' yesterday (setting urgency=high; I
hope this is correct).
For buster (which ships 0.6) I need your cooperation in order to get the
package uploaded.
Since there are a number of CVEs involved, I have first contacted the security
team, to coordinate an upload via buster-security. However, their response was:
> I have looked at those now from stable update point of view, and I
> think they are somehow limited impact (clearly with posibility to lead
> to crashes of reverse dependecies), but would not warrant a DSA on its
> own.
>
> I tend to mark those as no-dsa for buster and ask you if you can
> schedule an update just for the next buster point release.
I agree with their assessment of the impact of these CVEs, so here I am :-)
Please see the attached debdiff for my proposed changes.
These changes include fixes for the various CVEs and a (small but) cumulative
patch for 3 more security issues fixed upstream, which haven't got a CVE
assigned.
Let me know what I should do.
Cheers and thanks for making Debian a better place.
fgamsdr
IOhannes
diff -Nru libmysofa-0.6~dfsg0/debian/changelog libmysofa-0.6~dfsg0/debian/changelog
--- libmysofa-0.6~dfsg0/debian/changelog 2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/changelog 2019-09-18 13:44:59.000000000 +0200
@@ -1,3 +1,15 @@
+libmysofa (0.6~dfsg0-3+deb10u1) buster; urgency=high
+
+ * Backport security fixes (Closes: #939735)
+ * CVE-2019-16091
+ * CVE-2019-16092
+ * CVE-2019-16093
+ * CVE-2019-16094
+ * CVE-2019-16095
+ * misc security fixes that have no CVE assigned
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> Wed, 18 Sep 2019 13:44:59 +0200
+
libmysofa (0.6~dfsg0-3) unstable; urgency=medium
[ IOhannes m zmölnig ]
diff -Nru libmysofa-0.6~dfsg0/debian/gbp.conf libmysofa-0.6~dfsg0/debian/gbp.conf
--- libmysofa-0.6~dfsg0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/gbp.conf 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,4 @@
+[DEFAULT]
+pristine-tar = True
+#upstream-branch = upstream
+debian-branch = buster
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,99 @@
+Description: Fix for CVE-2019-16091
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/78
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/fractalhead.c
++++ libmysofa/src/hdf/fractalhead.c
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <errno.h>
+ #include <assert.h>
++#include <inttypes.h>
+ #include "reader.h"
+
+ static int log2i(int a) {
+@@ -36,7 +37,7 @@
+ if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHDB", 4)) {
+ log("cannot read signature of fractal heap indirect block\n");
+ return MYSOFA_INVALID_FORMAT;
+- } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++ } log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+
+ if (fgetc(reader->fhd) != 0) {
+ log("object FHDB must have version 0\n");
+@@ -60,7 +61,7 @@
+ else
+ length_size = ceilf(log2f(fractalheap->maximum_size) / 8);
+
+- log(" %d %ld %d\n",size,block_offset,offset_size);
++ log(" %d %" PRIu64 " %d\n",size,block_offset,offset_size);
+
+ /*
+ * 00003e00 00 46 48 44 42 00 40 02 00 00 00 00 00 00 00 00 |.FHDB.@.........|
+@@ -81,10 +82,10 @@
+ typeandversion = (uint8_t)fgetc(reader->fhd);
+ offset = readValue(reader, offset_size);
+ length = readValue(reader, length_size);
+- if(offset>0x10000000 || length>0x10000000)
++ if(offset>0x10000000 || length>0x10000000 || length == 0)
+ return MYSOFA_UNSUPPORTED_FORMAT;
+
+- log(" %d %4lX %ld %8lX\n",typeandversion,offset,length,ftell(reader->fhd));
++ log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n",typeandversion,offset,length,ftell(reader->fhd));
+
+ /* TODO: for the following part, the specification is incomplete */
+ if (typeandversion == 3) {
+@@ -97,12 +98,13 @@
+ return MYSOFA_UNSUPPORTED_FORMAT;
+ }
+
+- if (!(name = malloc(length)))
++ if (!(name = malloc(length+1)))
+ return MYSOFA_NO_MEMORY;
+ if(fread(name, 1, length, reader->fhd)!=length) {
+ free(name);
+ return MYSOFA_READ_ERROR;
+ }
++ name[length]=0;
+
+ if (readValue(reader, 4) != 0x00000013) {
+ log("FHDB type 3 unsupported values");
+@@ -177,7 +179,7 @@
+ heap_header_address = readValue(reader,
+ reader->superblock.size_of_offsets);
+
+- log("\nfractal head type 1 length %4lX name %s address %lX\n", length, name, heap_header_address);
++ log("\nfractal head type 1 length %4" PRIX64 " name %s address %" PRIX64 "\n", length, name, heap_header_address);
+
+ dir = malloc(sizeof(struct DIR));
+ if(!dir) {
+@@ -241,7 +243,7 @@
+ if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHIB", 4)) {
+ log("cannot read signature of fractal heap indirect block\n");
+ return MYSOFA_INVALID_FORMAT;
+- } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++ } log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+
+ if (fgetc(reader->fhd) != 0) {
+ log("object FHIB must have version 0\n");
+@@ -282,7 +284,7 @@
+ size_filtered = readValue(reader,
+ reader->superblock.size_of_lengths);
+ filter_mask = readValue(reader, 4);
+- } log(">> %d %lX %d\n",k,child_direct_block,size);
++ } log(">> %d %" PRIX64 " %d\n",k,child_direct_block,size);
+ if (validAddress(reader, child_direct_block)) {
+ store = ftell(reader->fhd);
+ if(fseek(reader->fhd, child_direct_block, SEEK_SET)<0)
+@@ -347,7 +349,7 @@
+ if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FRHP", 4)) {
+ log("cannot read signature of fractal heap\n");
+ return MYSOFA_UNSUPPORTED_FORMAT;
+- } log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++ } log("%" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+
+ if (fgetc(reader->fhd) != 0) {
+ log("object fractal heap must have version 0\n");
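Review bot: The new format string on the `+` line at L112 pairs `%8" PRIX64` with a bare `ftell(reader->fhd)`, which returns `long`; on buster's 32-bit release architectures (i386, armhf) `long` is 32 bits, so the argument no longer matches the conversion, whereas the other three sites in this patch (L90, L145, L163) cast with `(uint64_t)ftell(...)`. Apply the same cast here: `log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n",typeandversion,offset,length,(uint64_t)ftell(reader->fhd));`. Whether this is reachable depends on how `log` is defined (it may be compiled out in non-debug builds), but `-Wformat` will flag it either way. A smaller consistency nit: L163 drops the `08` width that L90 and L145 keep. The `length == 0` rejection plus `malloc(length+1)`/`name[length]=0` is the right shape for the CVE; the enclosing function continues outside this hunk.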
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2019-16092
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/77
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -188,8 +188,9 @@
+
+ dir = reader->superblock.dataobject.directory;
+ while (dir) {
+-
+- if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
++ if(!dir->dataobject.name) {
++ log("SOFA VARIABLE IS NULL.\n");
++ } else if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
+ *err = getArray(&hrtf->ListenerPosition, &dir->dataobject);
+ } else if (!strcmp(dir->dataobject.name, "ReceiverPosition")) {
+ *err = getArray(&hrtf->ReceiverPosition, &dir->dataobject);
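Review bot: A data object with a NULL name is now logged and skipped rather than rejected, so a file that is malformed in exactly this way will parse "successfully" with whichever arrays happened to be named missing. If the code after this loop does not already verify that the mandatory arrays (e.g. ListenerPosition) were populated — I cannot see that from the hunk, the enclosing function continues outside it — consider `*err = MYSOFA_INVALID_FORMAT; break;` instead of only logging. The uppercase "SOFA VARIABLE IS NULL." message also reads differently from the surrounding lowercase log strings; `log("data object without name, skipping\n");` would match.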
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16093
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/76
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -352,6 +352,8 @@
+
+ case 2:
+ dimensionality = (uint8_t)fgetc(reader->fhd);
++ if(dimensionality < 0 || dimensionality >= sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0])
++ return MYSOFA_INVALID_FORMAT;
+ data_address = readValue(reader, reader->superblock.size_of_offsets);
+ log(" CHUNK %lX\n", data_address);
+ for (i = 0; i < dimensionality; i++) {
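Review bot: The `dimensionality < 0` half of the added check at L209 is dead code: `dimensionality` is a `uint8_t`, so it can never be negative, and an `fgetc()` returning `EOF` is silently mapped to 255 and only rejected by the upper bound. A clearer version keeps the read in an `int` and rejects a short read explicitly: `int c = fgetc(reader->fhd); if (c == EOF || c >= (int)(sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk[0]))) return MYSOFA_INVALID_FORMAT; dimensionality = (uint8_t)c;`. Note also that `sizeof(data->datalayout_chunk)[0]` only works because `sizeof` binds to the postfix expression `(…)[0]`; writing `sizeof(data->datalayout_chunk[0])` says what is meant. The loop body that indexes `datalayout_chunk` continues outside the hunk.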
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16094
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/75
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -371,6 +371,8 @@
+ if (fseek(reader->fhd, data_address, SEEK_SET)<0)
+ return errno;
+ if (!data->data) {
++ if(size < 0 || size > 0x10000000)
++ return MYSOFA_INVALID_FORMAT;
+ data->data_len = size;
+ data->data = malloc(size);
+ if (!data->data)
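Review bot: The `size < 0` test added at L231 is only meaningful if `size` is a signed type; elsewhere in this series values returned by `readValue()` are printed with `PRIu64`, so if `size` is `uint64_t` here the comparison is always false (and `-Wtype-limits` will say so), leaving `size > 0x10000000` as the only effective guard — fine, but the intent should be stated, e.g. `/* readValue() result: reject anything beyond 256 MiB before malloc() */`. A `size` of exactly 0 still reaches `malloc(size)`, whose result for 0 is implementation-defined and may be NULL, which would be misreported as `MYSOFA_NO_MEMORY`; if a zero-length data chunk is not legitimate, `size == 0 ||` belongs in the same condition. The check also sits after the `fseek()` to `data_address`; validating before seeking costs nothing. The enclosing function continues outside the hunk.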
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix for CVE-2019-16095
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/72
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -74,6 +74,7 @@
+ log(" %s=%s\n",attr->name,attr->value);
+
+ if (!strcmp(attr->name, "NAME")
++ && attr->value
+ && !strncmp(attr->value,
+ "This is a netCDF dimension but not a netCDF variable.",
+ 53)) {
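Review bot: The NULL guard for `attr->value` added at L253 comes one statement after `log(" %s=%s\n",attr->name,attr->value)` on L250, which already passes the possibly-NULL `attr->value` to a `%s` conversion; passing NULL for `%s` is undefined behaviour (glibc happens to print "(null)", other libcs may not). If `log` expands to a real printf-style call in this build — I cannot see its definition from here — the crash reported as CVE-2019-16095 just moves one line up. Guard the log too: `log(" %s=%s\n",attr->name,attr->value ? attr->value : "(null)");`. `attr->name` is still dereferenced by `strcmp` without a check; presumably the reader guarantees it is non-NULL, but that is worth a comment if so.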
diff -Nru libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch
--- libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch 2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,45 @@
+Description: misc security fixes without a CVE
+ backport of some minor fixes that were not assigned a CVE
+ - don't pass negative size to malloc()
+ - use calloc() to avoid uninitialized memory
+ - fix segfault (invalid-read) in the mysofa2json test-application (shipped in
+ libmysofa-utils)
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/79, https://github.com/hoene/libmysofa/issues/67, https://github.com/hoene/libmysofa/issues/74
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/btree.c
++++ libmysofa/src/hdf/btree.c
+@@ -246,6 +246,8 @@
+
+ log("elements %d size %d\n",elements,size);
+
++ if (elements >= 0x100000 || size > 0x10)
++ return MYSOFA_INVALID_FORMAT;
+ if (!(output = malloc(elements * size))) {
+ return MYSOFA_NO_MEMORY;
+ }
+--- libmysofa.orig/src/tests/json.c
++++ libmysofa/src/tests/json.c
+@@ -101,7 +101,7 @@
+
+ fprintf(out, " \"DimensionNames\":[");
+ s = found->value;
+- while (s[0] && dims < 4) {
++ while (s && s[0] && dims < 4) {
+ switch (s[0]) {
+ case 'I':
+ dimensions[dims++] = hrtf->I;
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -374,7 +374,7 @@
+ if(size < 0 || size > 0x10000000)
+ return MYSOFA_INVALID_FORMAT;
+ data->data_len = size;
+- data->data = malloc(size);
++ data->data = calloc(1,size);
+ if (!data->data)
+ return MYSOFA_NO_MEMORY;
+ }
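Review bot: The btree.c guard at L279, `elements >= 0x100000 || size > 0x10`, does not reject a negative `elements` or a zero `size` if these are signed ints, which the `%d` conversions on L277 and the patch description's "don't pass negative size to malloc()" suggest; a negative `elements` converts to a huge `size_t` in `elements * size`, which is exactly the case the description says it fixes. If they are signed, the condition should read `if (elements < 0 || elements >= 0x100000 || size <= 0 || size > 0x10)`; if they are unsigned, the lower-bound checks are harmless and the description is simply imprecise. The dataobject.c sub-hunk uses the `if(size < 0 || size > 0x10000000)` line as context, so this patch only applies after CVE-2019-16094.patch — the series order ensures that, but a `Depends: CVE-2019-16094.patch` style remark in the DEP-3 header would make the coupling explicit. The `s && s[0]` change in json.c is straightforward.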
diff -Nru libmysofa-0.6~dfsg0/debian/patches/series libmysofa-0.6~dfsg0/debian/patches/series
--- libmysofa-0.6~dfsg0/debian/patches/series 2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/patches/series 2019-09-18 13:44:59.000000000 +0200
@@ -1,2 +1,8 @@
fix_export_symbols.patch
CVE-2019-10672.patch
+CVE-2019-16091.patch
+CVE-2019-16092.patch
+CVE-2019-16093.patch
+CVE-2019-16094.patch
+CVE-2019-16095.patch
+misc-security-fixes.patch