On Wed, 19 Mar 2014 at 23:54:41 +0000, Simon McVittie wrote: > A proposed debdiff is attached.
Sorry, it wasn't. Here it is. S
diffstat for mp3gain-1.5.2-r2 mp3gain-1.5.2-r2
changelog | 12 ++
patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch | 28 ++++++
patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch | 43 ++++++++++
patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch | 29 ++++++
patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch | 26 ++++++
patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch | 32 +++++++
patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch | 23 +++++
patches/series | 6 +
8 files changed, 199 insertions(+)
diff -Nru mp3gain-1.5.2-r2/debian/changelog mp3gain-1.5.2-r2/debian/changelog
--- mp3gain-1.5.2-r2/debian/changelog 2011-11-10 15:27:35.000000000 +0000
+++ mp3gain-1.5.2-r2/debian/changelog 2014-03-19 09:22:48.000000000 +0000
@@ -1,3 +1,15 @@
+mp3gain (1.5.2-r2-2+deb7u1) wheezy-security; urgency=high
+
+ * Add various patches from Daniel Kobras' mpg123 packaging to fix
+ buffer overflows in the embedded copy/fork of mpglib
+ - CVE-2003-0577 (originally #201698 in mpg123)
+ - CVE-2004-0805 (originally #270542 in mpg123)
+ - CVE-2004-0991
+ - CVE-2006-1655 (originally #361863 in mpg123)
+ (Closes: #740268, hopefully)
+
+ -- Simon McVittie <s...@debian.org> Wed, 19 Mar 2014 09:19:58 +0000
+
 mp3gain (1.5.2-r2-2) unstable; urgency=low

 [ Simon McVittie ]
diff -Nru mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch
--- mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch 2014-03-19 09:22:48.000000000 +0000
@@ -0,0 +1,28 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 20:52:15 +0000
+Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder
+
+Origin: vendor, Debian (mpg123/0.59r-18)
+Author: Daniel Kobras <kob...@debian.org>
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542
+See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471
+---
+ mpglibDBL/layer2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 8f4e9e3..027cced 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point)
+ fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+ (fr->mode_ext<<2)+4 : fr->II_sblimit;
+
++ if (fr->jsbound > fr->II_sblimit) {
++ fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++ fr->jsbound=fr->II_sblimit;
++ }
++
+ if(stereo == 1 || single == 3)
+ single = 0;
+
diff -Nru mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch
--- mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch 2014-03-19 09:22:48.000000000 +0000
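Review bot: The added clamp keeps decoding a frame whose header is self-contradictory (a joint-stereo `mode_ext` that places `jsbound` beyond `II_sblimit`), and it writes to stderr once per such frame with no throttling, so one crafted file — or a directory of them under mp3gain's batch mode — can flood the terminal or log. For a security fix I would prefer to treat the frame as invalid, and at minimum drop or rate-limit the message: `if (fr->jsbound > fr->II_sblimit) { fr->jsbound = fr->II_sblimit; /* malformed joint-stereo header (CVE-2004-0805) */ }`. Whether do_layer2 has an error return to use here I cannot tell from this hunk, since its body starts and ends outside it.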
@@ -0,0 +1,43 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 21:00:31 +0000
+Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias()
+
+This combines two patches taken from mpg123: the original fix by Daniel
+Kobras, and "extended fix for CVE-2006-1655" from upstream 0.61.
+
+Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61)
+Author: Daniel Kobras <kob...@debian.org>
+Author: thor
+Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863
+---
+ mpglibDBL/layer3.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c
+index 4016a2a..793857c 100644
+--- a/mpglibDBL/layer3.c
++++ b/mpglibDBL/layer3.c
+@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */
+ * and mode = mixed_mode
+ */
+ int sfb = gr_infos->maxbandl;
+- int idx = bi->longIdx[sfb];
++ int idx;
++ if (sfb > 21)
++ return;
++ idx = bi->longIdx[sfb];
+
+ for ( ; sfb<8; sfb++ )
+ {
+@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */
+ else /* ((gr_infos->block_type != 2)) */
+ {
+ int sfb = gr_infos->maxbandl;
+- int is_p,idx = bi->longIdx[sfb];
++ int is_p,idx;
++ if (sfb > 21)
++ return;
++ idx = bi->longIdx[sfb];
+ for ( ; sfb<21; sfb++)
+ {
+ int sb = bi->longDiff[sfb];
diff -Nru mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch
--- mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch 2014-03-19 09:22:48.000000000 +0000
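Review bot: Both new guards, `if (sfb > 21) return;`, bound `sfb` only from above, and `sfb` is an `int` copied from `gr_infos->maxbandl`; if that field can ever be negative (it is computed outside this hunk, so I cannot rule it out) `bi->longIdx[sfb]` still indexes before the array, so `if (sfb < 0 || sfb > 21) return;` is the safer form for the same cost. The literal 21 is a magic number that presumably matches the last usable index of `longIdx[]`, declared elsewhere; a one-line comment such as `/* sfb beyond the longIdx table means a corrupt scalefactor band count */` would tell the next reader why 21 and why silently returning is acceptable. Separately, the Subject names III_antialias(), but the context here (`maxbandl`, `longIdx`, `is_p`) looks like the intensity-stereo routine rather than antialiasing — worth confirming and correcting the patch header so the CVE mapping stays traceable. Both enclosing functions start and end outside the hunk.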
@@ -0,0 +1,29 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 21:10:15 +0000
+Subject: CVE-2004-0991: fix insufficient validation of MPEG header values
+
+Taken from mpg123/0.59r-19 by a process of elimination (all the diff
+from upstream in layer2.c, except the bits that are CVE-2004-0805)
+since I can't find the original patch anywhere. This includes both the
+original patch in -18, and the follow-up patch in -19 fixing an
+off-by-one error in this boundary check.
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18, mpg123/0.59r-19)
+---
+ mpglibDBL/layer2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 027cced..ca3315d 100644
+--- a/mpglibDBL/layer2.c
++++ b/mpglibDBL/layer2.c
+@@ -253,7 +253,7 @@ static void II_select_table(struct frame *fr)
+ { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
+ static const int sblims[5] = { 27 , 30 , 8, 12 , 30 };
+
+- if(fr->lsf)
++ if(fr->sampling_frequency >= 3) /* Or equivalent: (fr->lsf == 1) */
+ table = 4;
+ else
+ table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
diff -Nru mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch
--- mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch 2014-03-19 09:22:48.000000000 +0000
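Review bot: The replacement condition carries a comment saying it is equivalent to `fr->lsf == 1`, and if that is literally true this hunk is a no-op; for it to be the CVE-2004-0991 fix, `lsf` and `sampling_frequency` must be able to disagree somewhere in this fork's decode_header (not visible here), and the patch header — which admits the change was reconstructed "by a process of elimination" — should name the header combination the old test let through. What the `else` branch actually relies on is that `fr->sampling_frequency` is now below 3 when it indexes the first dimension of `translate[]`, and that `fr->bitrate_index` fits the last dimension; I would state that invariant next to the access rather than leave it implied, e.g. `/* sampling_frequency is 0..2 here; bitrate_index 15 (and 0, after head_check) never reaches this table */`, hedged to whatever the fork's head_check really rejects. II_select_table's body starts outside the hunk.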
@@ -0,0 +1,26 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 21:46:34 +0000
+Subject: CVE-2004-0991: copy frame size checking from mpg123/0.59r-18
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-18)
+---
+ mpglibDBL/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 1e97adc..3172235 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -229,6 +229,11 @@ int decode_header(struct frame *fr,unsigned long newhead)
+ fprintf(stderr,"Sorry, layer %d not supported\n",fr->lay);
+ return (0);
+ }
++ if (fr->framesize > MAXFRAMESIZE) {
++ fprintf(stderr,"Frame size too big: %d\n", fr->framesize+4-fr->padding);
++ return (0);
++ }
++
+ /* print_header(fr); */
+
+ return 1;
diff -Nru mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch
--- mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch 2014-03-19 09:22:48.000000000 +0000
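Review bot: The new check only rejects `fr->framesize > MAXFRAMESIZE`; `framesize` is a signed `int` produced by the per-layer arithmetic above this hunk, and if that arithmetic can go to zero or negative for some bitrate/sample-rate/padding combination (I cannot see it from here), such a value passes this test and is handed to the frame reader as a length. `if (fr->framesize < 0 || fr->framesize > MAXFRAMESIZE)` closes that gap for one extra comparison. Note also that the diagnostic prints `fr->framesize+4-fr->padding` while the comparison bounds bare `fr->framesize`, so the number a user sees is not the number being checked — fine, but a comment like `/* framesize excludes the 4-byte header; report the on-disk size */` would prevent someone "fixing" it. The bound is only realistic once 0016 raises MAXFRAMESIZE, which the series order handles but the header here should mention; decode_header's body starts outside the hunk.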
@@ -0,0 +1,32 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 21:55:22 +0000
+Subject: CVE-2003-0577: common.c: 0000 is also an invalid bit rate
+
+According to Daniel Kobras on #201698, this patch is unnecessary...
+but it seems better to be careful, since our mpglib is not quite
+the same as the one in mpg123.
+
+Origin: vendor, Connectiva
+See-also: http://lwn.net/Alerts/39916/
+See-also: http://www.securityfocus.com/bid/6629
+See-also: http://www.securityfocus.com/archive/1/306903
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698
+---
+ mpglibDBL/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c
+index 3172235..97a96b4 100644
+--- a/mpglibDBL/common.c
++++ b/mpglibDBL/common.c
+@@ -125,8 +125,8 @@ int head_check(unsigned long head,int check_layer)
+ if (nLayer != check_layer) return FALSE;
+ }
+
+- if( ((head>>12)&0xf) == 0xf) {
+- /* bits 16,17,18,19 = 1111 invalid bitrate */
++ if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0) {
++ /* bits 16,17,18,19 = 1111 or 0000 invalid bitrate */
+ return FALSE;
+ }
+ if( ((head>>10)&0x3) == 0x3 ) {
diff -Nru mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch
--- mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch 1970-01-01 01:00:00.000000000 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch 2014-03-19 09:22:48.000000000 +0000
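Review bot: A bitrate index of 0000 is the MPEG audio "free format" bitrate, not a reserved value, so after this hunk every free-format stream fails head_check() instead of being decoded; that is a defensible trade for a security update, since the free-format frame-size path is exactly what this series is trying to bound, but it is a behaviour change and the patch header should say "free-format streams are now rejected" rather than only "also an invalid bit rate". As a point of style, `(head>>12)&0xf` is now evaluated twice on one line; hoisting it into a local, `unsigned bitrate_index = (head>>12)&0xf;` followed by `if (bitrate_index == 0xf || bitrate_index == 0) {`, reads better and keeps the bit-numbering comment tied to one expression. head_check()'s body begins outside the hunk.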
@@ -0,0 +1,23 @@
+From: Simon McVittie <s...@debian.org>
+Date: Sun, 16 Mar 2014 22:21:26 +0000
+Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-14)
+---
+ mpglibDBL/mpg123.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h
+index 691eb9c..08bd217 100644
+--- a/mpglibDBL/mpg123.h
++++ b/mpglibDBL/mpg123.h
+@@ -61,7 +61,7 @@ char *strchr (), *strrchr ();
+ #define MPG_MD_DUAL_CHANNEL 2
+ #define MPG_MD_MONO 3
+
+-#define MAXFRAMESIZE 1792
++#define MAXFRAMESIZE 3456
+
+ /* AF: ADDED FOR LAYER1/LAYER2 */
+ #define SCALE_BLOCK 12
diff -Nru mp3gain-1.5.2-r2/debian/patches/series mp3gain-1.5.2-r2/debian/patches/series
--- mp3gain-1.5.2-r2/debian/patches/series 2011-11-10 15:27:35.000000000 +0000
+++ mp3gain-1.5.2-r2/debian/patches/series 2014-03-19 09:22:48.000000000 +0000
@@ -7,3 +7,9 @@
 10_fix_potential_segfaults.diff
 11_txxx.diff
 12_force_update.diff
+0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch
+0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch
+0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch
+0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch
+0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.patch
+0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch
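Review bot: The new value 3456 is exactly twice the largest Layer II frame that the header arithmetic can produce (144 * 384000 / 32000 = 1728 bytes), which looks like headroom for two frames or a free-format maximum, but the patch header only says "closer to reality"; since 0014 now uses MAXFRAMESIZE as the acceptance bound for `fr->framesize`, the derivation belongs in the commit so the two stay consistent. Every buffer sized from this macro grows with it, while any buffer in the fork that was written as a literal 1792 instead of MAXFRAMESIZE would now be smaller than the frames decode_header accepts — I cannot see the buffer declarations from this hunk, so that should be grepped for before shipping. A comment on the define, e.g. `/* largest frame decode_header() accepts; reader buffers must be at least this big */`, would keep the next maintainer from shrinking it.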