GNU bug report logs - #30180
[PATCH] gnu: libsndfile: Fix CVE-2017-12562.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 20 Jan 2018 02:11:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#30180; Package guix-patches. (Sat, 20 Jan 2018 02:11:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 20 Jan 2018 02:11:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Fri, 19 Jan 2018 18:07:45 -0800
I'd like to ungraft this on core-updates, even though it's late in the
core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
architecture.

* gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): New variable.
---
 gnu/local.mk                                       |  1 +
 .../patches/libsndfile-CVE-2017-12562.patch        | 97 ++++++++++++++++++++++
 gnu/packages/pulseaudio.scm                        | 10 +++
 3 files changed, 108 insertions(+)
 create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-12562.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 240554fe4..80e7527e4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -837,6 +837,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libsndfile-armhf-type-checks.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
+  %D%/packages/patches/libsndfile-CVE-2017-12562.patch		\
   %D%/packages/patches/libssh-hostname-parser-bug.patch		\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-12562.patch b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
new file mode 100644
index 000000000..58cb242b1
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
@@ -0,0 +1,97 @@
+Fix CVE-2017-12562:
+
+https://github.com/erikd/libsndfile/issues/292
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562
+
+Patch copied from upstream source repository:
+
+https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
+
+From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx <at> problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+    big switch statement by an amount (16 bytes) which is enough for all cases
+    where only a single value gets added. Cases 's', 'S', 'p' however
+    additionally write an arbitrary length block of data and again enlarge the
+    buffer to the required amount. However, the required space calculation does
+    not take into account the size of the length field which gets output before
+    the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+    padding byte ("size += (size & 1) ;" happens after the calculation which
+    uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+    involved
+    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+    the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+    beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+    plus optionally another 1 which is padding and not guaranteed to be
+    readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					/* Write a C string (guaranteed to have a zero terminator). */
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) + 1 ;
+-					size += (size & 1) ;
+ 
+-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+-						header_put_be_int (psf, size) ;
++						header_put_be_int (psf, size + (size & 1)) ;
+ 					else
+-						header_put_le_int (psf, size) ;
++						header_put_le_int (psf, size + (size & 1)) ;
+ 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++					size += (size & 1) ;
+ 					psf->header.indx += size ;
+ 					psf->header.ptr [psf->header.indx - 1] = 0 ;
+ 					count += 4 + size ;
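Review bot: the space requirement `4 + size + (size & 1)` is spelled out twice in this hunk, once in the condition and once as the argument to psf_bump_header_allocation(); hoist it into a local (`needed = 4 + size + (size & 1) ;`) so the check and the growth cannot diverge again, which is exactly how the old code went wrong (a check on `size` paired with a flat 16-byte bump, problem 1 in the description). The logic itself is sound: memcpy now copies `size` = strlen + 1 bytes, so the source over-read of problem 6 is gone, and the pad byte is produced by `psf->header.ptr [psf->header.indx - 1] = 0 ;` after `size += (size & 1) ;`, which for an unpadded string merely rewrites the copied terminator.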
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					*/
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) ;
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						header_put_be_int (psf, size) ;
+ 					else
+ 						header_put_le_int (psf, size) ;
+-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ 					size += (size & 1) ;
+ 					psf->header.indx += size ;
+-					psf->header.ptr [psf->header.indx] = 0 ;
+ 					count += 4 + size ;
+ 					break ;
+ 
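Review bot: the memcpy length `size + (size & 1)` deserves an explanatory comment, because it relies on the source string's NUL terminator being the pad byte (for odd `size` it copies strlen + 1 bytes, the last of which is the 0); without that comment the next reader will take it for an off-by-one. Dropping `psf->header.ptr [psf->header.indx] = 0 ;` is right, since the new check only reserves `4 + size + (size & 1)` bytes and that store landed one past them. Note also that the length field written by header_put_be_int()/header_put_le_int() stays the unpadded `size`, whereas case 's' now writes the padded length; that asymmetry is pre-existing, but confirm the container formats that use 'S' expect it before relying on it.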
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					size = (size & 1) ? size : size + 1 ;
+ 					size = (size > 254) ? 254 : size ;
+ 
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ 						return count ;
+ 
+ 					header_put_byte (psf, size) ;
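Review bot: the two context lines above the check, `size = (size & 1) ? size : size + 1 ;` followed by `size = (size > 254) ? 254 : size ;`, work against each other: the first makes `size` odd, the second clamps it to an even value, so a string of 254 or more characters ends up with an even data length and an odd total once the length byte from header_put_byte() is counted. That is pre-existing and not part of this CVE fix, but since the patch is about header sizing it is worth a follow-up. The new condition `psf->header.indx + 1 + (sf_count_t) size > psf->header.len` correctly reserves the extra byte for the length prefix, which the old check ignored.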
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index ba288aa44..39f54437c 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -47,6 +47,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.28")
     (source (origin
              (method url-fetch)
@@ -80,6 +81,15 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
+(define libsndfile/fixed
+  (package
+    (inherit libsndfile)
+    (source (origin
+              (inherit (package-source libsndfile))
+              (patches (append
+                         (origin-patches (package-source libsndfile))
+                         (search-patches "libsndfile-CVE-2017-12562.patch")))))))
+
 (define-public libsamplerate
   (package
     (name "libsamplerate")                     ; aka. Secret Rabbit Code (SRC)
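Review bot: keeping `libsndfile/fixed` a plain `define` rather than `define-public` is fine, since it should only be reached through the `replacement` field, and `(inherit (package-source libsndfile))` plus appending to `origin-patches` keeps the existing libsndfile CVE patches in place. Since the commit message says the intent is to ungraft on core-updates, the follow-up there should move `libsndfile-CVE-2017-12562.patch` into the `patches` list of `libsndfile` itself and drop both this definition and the `replacement` field, so the graft does not linger once the rebuild has happened.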
-- 
2.16.0
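The six problems enumerated in the upstream commit message are easiest to see with numbers. The following C program is an added example, not libsndfile or Guix code: it re-implements the 's' and 'S' arms of psf_binheader_writef() from the hunks above, both the 1.0.28 version and the fixed one, against a fake header buffer that records the highest offset written instead of corrupting the heap. It assumes (labelled in the code) that the growth helper makes at least `needed` bytes available beyond the cursor, which is the least the real psf_bump_header_allocation() can do; the 16 bytes of headroom come from the commit message's description of the pre-switch bump. The input strings are constructed.

```c
/* Added example, not libsndfile or Guix code: a stand-alone model of the 's' and 'S' cases
 * of psf_binheader_writef() as shown in the hunks above, before and after the fix.  The fake
 * header buffer has ample real storage but records the highest offset written and any read
 * past the source string's NUL, so the overrun is measured rather than corrupting the heap.
 * Assumption: the growth helper guarantees at least `needed` bytes beyond the cursor, which
 * is the least the real psf_bump_header_allocation() can provide. */
#include <assert.h>
#include <string.h>

#define BACKING 1024

struct hdr {
    unsigned char ptr[BACKING]; /* real storage, never overrun here */
    size_t len;                 /* bytes the code believes it owns (psf->header.len) */
    size_t indx;                /* write cursor (psf->header.indx) */
    size_t max_touched;         /* one past the highest offset written */
    size_t over_read;           /* bytes read past the source string's NUL */
};

enum variant { OLD_s, NEW_s, OLD_S, NEW_S };

static void bump(struct hdr *h, size_t needed) {    /* models psf_bump_header_allocation() */
    if (h->len < h->indx + needed) h->len = h->indx + needed;
}
static void touch(struct hdr *h, size_t end) {      /* record the highest offset written */
    assert(end <= BACKING);
    if (end > h->max_touched) h->max_touched = end;
}
static void put_be_int(struct hdr *h, size_t v) {   /* header_put_be_int(): 4-byte big-endian field */
    touch(h, h->indx + 4);
    for (int i = 3; i >= 0; i--) h->ptr[h->indx++] = (unsigned char) (v >> (8 * i));
}
/* memcpy (&ptr [indx], src, n); src_avail is strlen (src) + 1, the bytes legally readable. */
static void copy_at_cursor(struct hdr *h, const char *src, size_t n, size_t src_avail) {
    touch(h, h->indx + n);
    memcpy(h->ptr + h->indx, src, n < src_avail ? n : src_avail);
    if (n > src_avail) h->over_read += n - src_avail;
}
static void store_zero(struct hdr *h, size_t off) { /* ptr [off] = 0 with bookkeeping */
    touch(h, off + 1);
    h->ptr[off] = 0;
}

/* Run one case on a fresh buffer that already has `headroom` free bytes (the pre-switch bump
 * in the commit message supplies 16).  Returns the bytes written past len; *over_read, if
 * given, receives the bytes read past the source string. */
static size_t run_case(enum variant v, const char *s, size_t headroom, size_t *over_read) {
    struct hdr h;
    size_t size, needed;
    memset(&h, 0, sizeof h); h.len = headroom;
    switch (v) {
    case OLD_s:                         /* pads first, checks on size alone, bumps a flat 16 */
        size = strlen(s) + 1;
        size += size & 1;
        if (h.indx + size >= h.len) bump(&h, 16);
        put_be_int(&h, size);
        copy_at_cursor(&h, s, size, strlen(s) + 1);     /* reads 1 past the NUL when padded */
        h.indx += size;
        store_zero(&h, h.indx - 1);
        break;
    case NEW_s:                         /* counts the 4-byte length field and the pad up front */
        size = strlen(s) + 1;
        needed = 4 + size + (size & 1);
        if (h.indx + needed > h.len) bump(&h, needed);
        put_be_int(&h, size + (size & 1));
        copy_at_cursor(&h, s, size, size);               /* exactly strlen + 1 bytes */
        size += size & 1;
        h.indx += size;
        store_zero(&h, h.indx - 1);                      /* pad byte, or the NUL again */
        break;
    case OLD_S:                         /* length excludes the NUL, yet copies size + 1, then adds a 0 */
        size = strlen(s);
        if (h.indx + size > h.len) bump(&h, size);
        put_be_int(&h, size);
        copy_at_cursor(&h, s, size + 1, size + 1);
        size += size & 1;
        h.indx += size;
        store_zero(&h, h.indx);                          /* one past the guaranteed space */
        break;
    case NEW_S:                         /* copies strlen bytes, plus the NUL only as the pad */
        size = strlen(s);
        needed = 4 + size + (size & 1);
        if (h.indx + needed > h.len) bump(&h, needed);
        put_be_int(&h, size);
        copy_at_cursor(&h, s, size + (size & 1), size + 1);
        size += size & 1;
        h.indx += size;
        break;
    }
    if (over_read) *over_read = h.over_read;
    return h.max_touched > h.len ? h.max_touched - h.len : 0;
}

static size_t source_over_read(enum variant v, const char *s, size_t headroom) {
    size_t ovr;
    run_case(v, s, headroom, &ovr);
    return ovr;
}
```

With 16 bytes of headroom, the old 's' arm writes 2 bytes past the buffer for a 12-character string (6 bytes for a 16-character one) and in both cases reads one byte past the string's terminator, while the old 'S' arm writes 5 bytes past for a 16-character string; the fixed arms grow the buffer to exactly `4 + size + pad` and stay inside it. run_case() returns the overshoot and source_over_read() the over-read, so the figures can be checked by calling them directly.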





Information forwarded to guix-patches <at> gnu.org:
bug#30180; Package guix-patches. (Tue, 23 Jan 2018 09:21:01 GMT)

Message #8 received at 30180 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 30180 <at> debbugs.gnu.org
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Tue, 23 Jan 2018 10:20:26 +0100
Leo Famulari <leo <at> famulari.name> wrote:

> I'd like to ungraft this on core-updates, even though it's late in the
> core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
> architecture.
>
> * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> (libsndfile/fixed): New variable.

The patch LGTM!

As for ungrafting, I’ll let you judge.  I would really like to merge
that branch soon, but I haven’t checked in status over the last couple
of days.

Thank you,
Ludo’.




Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 23 Jan 2018 20:27:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 23 Jan 2018 20:27:02 GMT)

Message #13 received at 30180-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 30180-done <at> debbugs.gnu.org
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Tue, 23 Jan 2018 15:25:52 -0500
On Tue, Jan 23, 2018 at 10:20:26AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> wrote:
> 
> > I'd like to ungraft this on core-updates, even though it's late in the
> > core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
> > architecture.
> >
> > * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
> > (libsndfile/fixed): New variable.
> 
> The patch LGTM!

Okay, pushed!

> As for ungrafting, I’ll let you judge.  I would really like to merge
> that branch soon, but I haven’t checked in status over the last couple
> of days.

The branch is very close to done if you just look at the numbers, but
there are still some important package failures. But there will be more
grafts soon enough, so I guess we might as well leave it grafted.

Information forwarded to guix-patches <at> gnu.org:
bug#30180; Package guix-patches. (Wed, 24 Jan 2018 14:00:02 GMT)

Message #16 received at 30180-done <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 30180-done <at> debbugs.gnu.org
Subject: Re: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Date: Wed, 24 Jan 2018 14:59:18 +0100
Leo Famulari <leo <at> famulari.name> wrote:

> On Tue, Jan 23, 2018 at 10:20:26AM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo <at> famulari.name> wrote:
>> 
>> > I'd like to ungraft this on core-updates, even though it's late in the
>> > core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
>> > architecture.
>> >
>> > * gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
>> > * gnu/local.mk (dist_patch_DATA): Add it.
>> > * gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
>> > (libsndfile/fixed): New variable.
>> 
>> The patch LGTM!
>
> Okay, pushed!
>
>> As for ungrafting, I’ll let you judge.  I would really like to merge
>> that branch soon, but I haven’t checked in status over the last couple
>> of days.
>
> The branch is very close to done if you just look at the numbers, but
> there are still some important package failures. But there will be more
> grafts soon enough, so I guess we might as well leave it grafted.

Sounds reasonable.

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 22 Feb 2018 12:24:04 GMT)
