
Bug#940647: marked as done (buster-pu: package libmysofa/0.6~dfsg0-3)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #940647,
regarding buster-pu: package libmysofa/0.6~dfsg0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
940647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940647
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release-team,

the binary package libmysofa0 is used by VLC (the ubiquitous media
player) and the ffmpeg framework (the ubiquitous media framework), and
consequently has a popcon of 43382.

The src:libmysofa package has been assigned a number of CVEs and a
cumulative Debian bug #939735.
The issues (NULL-pointer access, out-of-bound reads, invalid reads and
writes) have been promptly fixed by upstream, who have released a new
version (0.8).

I uploaded the new version to 'sid' yesterday (setting urgency=high; I
hope this is correct).
For buster (which ships 0.6) I need your cooperation in order to get the
package uploaded.

Since there are a number of CVEs involved, I have first contacted the security
team, to coordinate an upload via buster-security. However, their response was:
> I have looked at those now from stable update point of view, and I
> think they are somehow limited impact (clearly with possibility to lead
> to crashes of reverse dependencies), but would not warrant a DSA on its
> own.
>
> I tend to mark those as no-dsa for buster and ask you if you can
> schedule an update just for the next buster point release.

I agree with their assessment of the impact of these CVEs, so here I am :-)

Please see the attached debdiff for my proposed changes.
These changes include fixes for the various CVEs and a (small but) cumulative
patch for 3 more security issues fixed upstream, which haven't got a CVE
assigned.

Let me know what I should do.

Cheers and thanks for making Debian a better place.

fgamsdr
IOhannes
diff -Nru libmysofa-0.6~dfsg0/debian/changelog libmysofa-0.6~dfsg0/debian/changelog
--- libmysofa-0.6~dfsg0/debian/changelog	2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/changelog	2019-09-18 13:44:59.000000000 +0200
@@ -1,3 +1,15 @@
+libmysofa (0.6~dfsg0-3+deb10u1) buster; urgency=high
+
+  * Backport security fixes (Closes: #939735)
+    * CVE-2019-16091
+    * CVE-2019-16092
+    * CVE-2019-16093
+    * CVE-2019-16094
+    * CVE-2019-16095
+    * misc security fixes that have no CVE assigned
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>  Wed, 18 Sep 2019 13:44:59 +0200
+
 libmysofa (0.6~dfsg0-3) unstable; urgency=medium
 
   [ IOhannes m zmölnig ]
diff -Nru libmysofa-0.6~dfsg0/debian/gbp.conf libmysofa-0.6~dfsg0/debian/gbp.conf
--- libmysofa-0.6~dfsg0/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/gbp.conf	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,4 @@
+[DEFAULT]
+pristine-tar = True
+#upstream-branch = upstream
+debian-branch = buster
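Review bot: `#upstream-branch = upstream` is commented-out configuration, so the new gbp.conf says nothing about which upstream branch the buster branch is built from; either set `upstream-branch` explicitly or drop the line so the file only states what is in effect.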
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16091.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,99 @@
+Description: Fix for CVE-2019-16091
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/78
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/fractalhead.c
++++ libmysofa/src/hdf/fractalhead.c
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <errno.h>
+ #include <assert.h>
++#include <inttypes.h>
+ #include "reader.h"
+ 
+ static int log2i(int a) {
+@@ -36,7 +37,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHDB", 4)) {
+ 		log("cannot read signature of fractal heap indirect block\n");
+ 		return MYSOFA_INVALID_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object FHDB must have version 0\n");
+@@ -60,7 +61,7 @@
+ 	else
+ 		length_size = ceilf(log2f(fractalheap->maximum_size) / 8);
+ 
+-	log(" %d %ld %d\n",size,block_offset,offset_size);
++	log(" %d %" PRIu64 " %d\n",size,block_offset,offset_size);
+ 
+ 	/*
+ 	 * 00003e00  00 46 48 44 42 00 40 02  00 00 00 00 00 00 00 00  |.FHDB.@.........|
+@@ -81,10 +82,10 @@
+ 		typeandversion = (uint8_t)fgetc(reader->fhd);
+ 		offset = readValue(reader, offset_size);
+ 		length = readValue(reader, length_size);
+-		if(offset>0x10000000 || length>0x10000000)
++		if(offset>0x10000000 || length>0x10000000 || length == 0)
+ 			return MYSOFA_UNSUPPORTED_FORMAT;
+ 
+-		log(" %d %4lX %ld %8lX\n",typeandversion,offset,length,ftell(reader->fhd));
++		log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n",typeandversion,offset,length,ftell(reader->fhd));
+ 
+ 		/* TODO: for the following part, the specification is incomplete */
+ 		if (typeandversion == 3) {
+@@ -97,12 +98,13 @@
+ 				return MYSOFA_UNSUPPORTED_FORMAT;
+ 			}
+ 
+-			if (!(name = malloc(length)))
++			if (!(name = malloc(length+1)))
+ 				return MYSOFA_NO_MEMORY;
+ 			if(fread(name, 1, length, reader->fhd)!=length) {
+ 				free(name);
+ 				return MYSOFA_READ_ERROR;
+ 			}
++			name[length]=0;
+ 
+ 			if (readValue(reader, 4) != 0x00000013) {
+ 				log("FHDB type 3 unsupported values");
+@@ -177,7 +179,7 @@
+ 			heap_header_address = readValue(reader,
+ 							reader->superblock.size_of_offsets);
+ 
+-			log("\nfractal head type 1 length %4lX name %s address %lX\n", length, name, heap_header_address);
++			log("\nfractal head type 1 length %4" PRIX64 " name %s address %" PRIX64 "\n", length, name, heap_header_address);
+ 
+ 			dir = malloc(sizeof(struct DIR));
+ 			if(!dir) {
+@@ -241,7 +243,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FHIB", 4)) {
+ 		log("cannot read signature of fractal heap indirect block\n");
+ 		return MYSOFA_INVALID_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%08" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object FHIB must have version 0\n");
+@@ -282,7 +284,7 @@
+ 			size_filtered = readValue(reader,
+ 						  reader->superblock.size_of_lengths);
+ 			filter_mask = readValue(reader, 4);
+-		} log(">> %d %lX %d\n",k,child_direct_block,size);
++		} log(">> %d %" PRIX64 " %d\n",k,child_direct_block,size);
+ 		if (validAddress(reader, child_direct_block)) {
+ 			store = ftell(reader->fhd);
+ 			if(fseek(reader->fhd, child_direct_block, SEEK_SET)<0)
+@@ -347,7 +349,7 @@
+ 	if (fread(buf, 1, 4, reader->fhd) != 4 || strncmp(buf, "FRHP", 4)) {
+ 		log("cannot read signature of fractal heap\n");
+ 		return MYSOFA_UNSUPPORTED_FORMAT;
+-	} log("%08lX %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
++	} log("%" PRIX64 " %.4s\n", (uint64_t )ftell(reader->fhd) - 4, buf);
+ 
+ 	if (fgetc(reader->fhd) != 0) {
+ 		log("object fractal heap must have version 0\n");
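Review bot: the `typeandversion` log line (`+		log(" %d %4" PRIX64 " %" PRIu64 " %8" PRIX64 "\n", ..., ftell(reader->fhd));`) now formats the result of `ftell` with `PRIX64` but, unlike the three signature-check lines, does not cast it to `uint64_t`; `ftell` returns `long`, which is 32 bits on buster's i386, armhf and mipsel builds, so the variadic call is undefined there. Add the `(uint64_t)` cast, and confirm that `offset`, `length` and `block_offset` really are 64-bit types since they also get `PRIu64`/`PRIX64`. Minor: the final hunk (the FRHP check) drops the `08` width and prints `"%" PRIX64`, while the FHDB and FHIB lines keep `"%08" PRIX64`; keep them consistent.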
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16092.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2019-16092
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/77
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -188,8 +188,9 @@
+ 
+ 	dir = reader->superblock.dataobject.directory;
+ 	while (dir) {
+-
+-		if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
++		if(!dir->dataobject.name) {
++			log("SOFA VARIABLE IS NULL.\n");
++		} else if (!strcmp(dir->dataobject.name, "ListenerPosition")) {
+ 			*err = getArray(&hrtf->ListenerPosition, &dir->dataobject);
+ 		} else if (!strcmp(dir->dataobject.name, "ReceiverPosition")) {
+ 			*err = getArray(&hrtf->ReceiverPosition, &dir->dataobject);
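Review bot: when `dir->dataobject.name` is `NULL` the new branch only logs and falls through, so `*err` keeps whatever value it already held and the caller cannot tell that an entry was skipped; if a nameless data object is by definition a malformed file, set `*err = MYSOFA_INVALID_FORMAT` there, as the other patches in this series do for their checks. Style: the message `SOFA VARIABLE IS NULL.` is all caps unlike the surrounding log output, and `if(` differs from the file's `if (` spacing.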
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16093.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16093
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/76
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -352,6 +352,8 @@
+ 
+ 	case 2:
+ 		dimensionality = (uint8_t)fgetc(reader->fhd);
++		if(dimensionality < 0 || dimensionality >= sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0])
++			return MYSOFA_INVALID_FORMAT;
+ 		data_address = readValue(reader, reader->superblock.size_of_offsets);
+ 		log(" CHUNK %lX\n", data_address);
+ 		for (i = 0; i < dimensionality; i++) {
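Review bot: `dimensionality` is assigned from `(uint8_t)fgetc(reader->fhd)`, so `dimensionality < 0` can never be true and `-Wtype-limits` will flag it; drop that half of the condition. The upper bound `sizeof(data->datalayout_chunk) / sizeof(data->datalayout_chunk)[0]` does evaluate to the element count (the postfix `[0]` binds before `sizeof`), but `sizeof(data->datalayout_chunk[0])` expresses the same thing without sending the reader to the precedence table. An `EOF` from `fgetc` becomes 255 after the cast and is rejected by the `>=` check as long as the array has fewer than 256 entries, which is fine but worth a comment.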
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16094.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix for CVE-2019-16094
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/75
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -371,6 +371,8 @@
+ 			if (fseek(reader->fhd, data_address, SEEK_SET)<0)
+ 				return errno;
+ 			if (!data->data) {
++				if(size < 0 || size > 0x10000000)
++					return MYSOFA_INVALID_FORMAT;
+ 				data->data_len = size;
+ 				data->data = malloc(size);
+ 				if (!data->data)
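Review bot: the `size < 0 || size > 0x10000000` guard is placed correctly inside `if (!data->data)`, the only path that calls `malloc(size)`, but `size == 0` still passes and `malloc(0)` may legally return `NULL`, which the next line then reports as `MYSOFA_NO_MEMORY` instead of a malformed file; if a zero-length data object is not valid, reject it with `size <= 0`. The `0x10000000` ceiling is the same magic number used for offsets and lengths in CVE-2019-16091.patch; a shared named constant would keep the two limits from drifting apart.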
diff -Nru libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch
--- libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/CVE-2019-16095.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Fix for CVE-2019-16095
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/72
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hrtf/reader.c
++++ libmysofa/src/hrtf/reader.c
+@@ -74,6 +74,7 @@
+ 		log(" %s=%s\n",attr->name,attr->value);
+ 
+ 		if (!strcmp(attr->name, "NAME")
++		    && attr->value
+ 		    && !strncmp(attr->value,
+ 				"This is a netCDF dimension but not a netCDF variable.",
+ 				53)) {
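Review bot: the `&& attr->value` guard comes one statement too late: the unchanged `log(" %s=%s\n",attr->name,attr->value);` directly above already passes the possibly-`NULL` `attr->value` to a `%s` conversion, which is undefined behaviour (glibc prints `(null)`, other libcs crash). Guard the log line as well, e.g. `attr->value ? attr->value : "(null)"`, or move the `NULL` check before it. `attr->name` is also used unguarded by `strcmp`; if it can be `NULL` for the same reason, cover it in the same check.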
diff -Nru libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch
--- libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmysofa-0.6~dfsg0/debian/patches/misc-security-fixes.patch	2019-09-18 13:44:59.000000000 +0200
@@ -0,0 +1,45 @@
+Description: misc security fixes without a CVE
+ backport of some minor fixes that were not assigned a CVE
+ - don't pass negative size to malloc()
+ - use calloc() to avoid uninitialized memory
+ - fix segfault (invalid-read) in the mysofa2json test-application (shipped in
+   libmysofa-utils)
+Author: IOhannes m zmölnig
+Origin: upstream
+Bug: https://github.com/hoene/libmysofa/issues/79, https://github.com/hoene/libmysofa/issues/67, https://github.com/hoene/libmysofa/issues/74
+Last-Update: 2019-09-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libmysofa.orig/src/hdf/btree.c
++++ libmysofa/src/hdf/btree.c
+@@ -246,6 +246,8 @@
+ 
+ 	log("elements %d size %d\n",elements,size);
+ 
++	if (elements >= 0x100000 || size > 0x10)
++		return MYSOFA_INVALID_FORMAT;
+ 	if (!(output = malloc(elements * size))) {
+ 		return MYSOFA_NO_MEMORY;
+ 	}
+--- libmysofa.orig/src/tests/json.c
++++ libmysofa/src/tests/json.c
+@@ -101,7 +101,7 @@
+ 
+ 		fprintf(out, "   \"DimensionNames\":[");
+ 		s = found->value;
+-		while (s[0] && dims < 4) {
++		while (s && s[0] && dims < 4) {
+ 			switch (s[0]) {
+ 			case 'I':
+ 				dimensions[dims++] = hrtf->I;
+--- libmysofa.orig/src/hdf/dataobject.c
++++ libmysofa/src/hdf/dataobject.c
+@@ -374,7 +374,7 @@
+ 				if(size < 0 || size > 0x10000000)
+ 					return MYSOFA_INVALID_FORMAT;
+ 				data->data_len = size;
+-				data->data = malloc(size);
++				data->data = calloc(1,size);
+ 				if (!data->data)
+ 					return MYSOFA_NO_MEMORY;
+ 			}
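Review bot: the btree.c check `elements >= 0x100000 || size > 0x10` does not deliver what the header promises ("don't pass negative size to malloc()"): both values are logged with `%d` just above, so they appear to be signed `int`s, and a negative `elements` or `size` passes both comparisons and makes `elements * size` wrap to a huge `size_t`. Add `elements < 0 || size < 0` to the condition (or compare unsigned copies). The json.c and dataobject.c hunks look right; `calloc(1,size)` also removes the uninitialised-read the header mentions.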
diff -Nru libmysofa-0.6~dfsg0/debian/patches/series libmysofa-0.6~dfsg0/debian/patches/series
--- libmysofa-0.6~dfsg0/debian/patches/series	2019-04-01 23:25:15.000000000 +0200
+++ libmysofa-0.6~dfsg0/debian/patches/series	2019-09-18 13:44:59.000000000 +0200
@@ -1,2 +1,8 @@
 fix_export_symbols.patch
 CVE-2019-10672.patch
+CVE-2019-16091.patch
+CVE-2019-16092.patch
+CVE-2019-16093.patch
+CVE-2019-16094.patch
+CVE-2019-16095.patch
+misc-security-fixes.patch
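Review bot: the order of the new entries is load-bearing: the dataobject.c hunk of misc-security-fixes.patch has `if(size < 0 || size > 0x10000000)` as context, which only exists once CVE-2019-16094.patch is applied, so misc-security-fixes.patch must stay after it. A one-line remark in the misc patch header ("applies on top of CVE-2019-16094.patch") would save the next maintainer a failed quilt push.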

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---