On 01/04/14 21:48, Adam D. Barratt wrote:
> On Wed, 2014-03-19 at 23:54 +0000, Simon McVittie wrote:
>> mp3gain, an implementation of ReplayGain volume normalization, contains
>> a very old modified version of mpglib, an MPEG audio decoder maintained
>> as part of mpg123.
...
> Please go ahead; thanks.
Uploaded. Sorry for the delay; my test environment for it was rather awkward (I didn't want to try suspicious exploits in a network-connected environment, when there was a possibility they might still work). No changes other than the changelog.

Would you be interested in a squeeze update? The patches appear to be the same, apart from some end-of-line \r adjustments to make them apply. A possible debdiff is attached; so far its status is "compiles in sbuild, but untested". I would of course test it on a squeeze system with all the mpg123 exploits I've been able to find before uploading.

S
diffstat for mp3gain_1.5.1-4 mp3gain_1.5.1-4+deb6u1 debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch | 32 ++++++ debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch | 47 ++++++++++ debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch | 33 +++++++ debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch | 30 ++++++ debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch | 36 +++++++ debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch | 27 +++++ mp3gain-1.5.1/debian/changelog | 12 ++ mp3gain-1.5.1/debian/patches/00list | 6 + 8 files changed, 223 insertions(+) diff -u mp3gain-1.5.1/debian/changelog mp3gain-1.5.1/debian/changelog --- mp3gain-1.5.1/debian/changelog +++ mp3gain-1.5.1/debian/changelog @@ -1,3 +1,15 @@ +mp3gain (1.5.1-4+deb6u1) squeeze; urgency=high + + * Add various patches from Daniel Kobras' mpg123 packaging to fix + buffer overflows in the embedded copy/fork of mpglib + - CVE-2003-0577 (originally #201698 in mpg123) + - CVE-2004-0805 (originally #270542 in mpg123) + - CVE-2004-0991 + - CVE-2006-1655 (originally #361863 in mpg123) + (Closes: #740268) + + -- Simon McVittie <s...@debian.org> Wed, 19 Mar 2014 09:19:58 +0000 + mp3gain (1.5.1-4) unstable; urgency=low * Fix various potential segfaults found by cppcheck. diff -u mp3gain-1.5.1/debian/patches/00list mp3gain-1.5.1/debian/patches/00list --- mp3gain-1.5.1/debian/patches/00list +++ mp3gain-1.5.1/debian/patches/00list 
@@ -10,0 +11,6 @@ +0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch +0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch +0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch +0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch +0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch +0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch +++ mp3gain-1.5.1/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch @@ -0,0 +1,27 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 22:21:26 +0000 +Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality + +Author: Daniel Kobras +Origin: vendor, Debian (mpg123/0.59r-14) +--- + mpglibDBL/mpg123.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h +index 691eb9c..08bd217 100644 +--- a/mpglibDBL/mpg123.h ++++ b/mpglibDBL/mpg123.h +@@ -61,7 +61,7 @@ char *strchr (), *strrchr (); + #define MPG_MD_DUAL_CHANNEL 2 + #define MPG_MD_MONO 3 + +-#define MAXFRAMESIZE 1792 ++#define MAXFRAMESIZE 3456 + + /* AF: ADDED FOR LAYER1/LAYER2 */ + #define SCALE_BLOCK 12 only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch +++ mp3gain-1.5.1/debian/patches/0015-CVE-2003-0577-common.c-0000-is-also-an-invalid-bit-r.dpatch 
@@ -0,0 +1,36 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 21:55:22 +0000 +Subject: CVE-2003-0577: common.c: 0000 is also an invalid bit rate + +According to Daniel Kobras on #201698, this patch is unnecessary... +but it seems better to be careful, since our mpglib is not quite +the same as the one in mpg123. + +Origin: vendor, Connectiva +See-also: http://lwn.net/Alerts/39916/ +See-also: http://www.securityfocus.com/bid/6629 +See-also: http://www.securityfocus.com/archive/1/306903 +See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698 +--- + mpglibDBL/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c +index 3172235..97a96b4 100644 +--- a/mpglibDBL/common.c ++++ b/mpglibDBL/common.c +@@ -125,8 +125,8 @@ int head_check(unsigned long head,int check_layer) + if (nLayer != check_layer) return FALSE; + } + +- if( ((head>>12)&0xf) == 0xf) { +- /* bits 16,17,18,19 = 1111 invalid bitrate */ ++ if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0) { ++ /* bits 16,17,18,19 = 1111 or 0000 invalid bitrate */ + return FALSE; + } + if( ((head>>10)&0x3) == 0x3 ) { only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch +++ mp3gain-1.5.1/debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch 
@@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 21:46:34 +0000 +Subject: CVE-2004-0991: copy frame size checking from mpg123/0.59r-18 + +Author: Daniel Kobras +Origin: vendor, Debian (mpg123/0.59r-18) +--- + mpglibDBL/common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/mpglibDBL/common.c b/mpglibDBL/common.c +index 1e97adc..3172235 100644 +--- a/mpglibDBL/common.c ++++ b/mpglibDBL/common.c +@@ -229,6 +229,11 @@ int decode_header(struct frame *fr,unsigned long newhead) + fprintf(stderr,"Sorry, layer %d not supported\n",fr->lay); + return (0); + } ++ if (fr->framesize > MAXFRAMESIZE) { ++ fprintf(stderr,"Frame size too big: %d\n", fr->framesize+4-fr->padding); ++ return (0); ++ } ++ + /* print_header(fr); */ + + return 1; only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch +++ mp3gain-1.5.1/debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch 
@@ -0,0 +1,33 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 21:10:15 +0000 +Subject: CVE-2004-0991: fix insufficient validation of MPEG header values + +Taken from mpg123/0.59r-19 by a process of elimination (all the diff +from upstream in layer2.c, except the bits that are CVE-2004-0805) +since I can't find the original patch anywhere. This includes both the +original patch in -18, and the follow-up patch in -19 fixing an +off-by-one error in this boundary check. + +Author: Daniel Kobras +Origin: vendor, Debian (mpg123/0.59r-18, mpg123/0.59r-19) +--- + mpglibDBL/layer2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c +index 027cced..ca3315d 100644 +--- a/mpglibDBL/layer2.c ++++ b/mpglibDBL/layer2.c +@@ -253,7 +253,7 @@ static void II_select_table(struct frame *fr) + { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 }; + static const int sblims[5] = { 27 , 30 , 8, 12 , 30 }; + +- if(fr->lsf) ++ if(fr->sampling_frequency >= 3) /* Or equivalent: (fr->lsf == 1) */ + table = 4; + else + table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index]; only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch +++ mp3gain-1.5.1/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch 
@@ -0,0 +1,47 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 21:00:31 +0000 +Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias() + +This combines two patches taken from mpg123: the original fix by Daniel +Kobras, and "extended fix for CVE-2006-1655" from upstream 0.61. + +Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61) +Author: Daniel Kobras <kob...@debian.org> +Author: thor +Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863 +--- + mpglibDBL/layer3.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c +index 4016a2a..793857c 100644 +--- a/mpglibDBL/layer3.c ++++ b/mpglibDBL/layer3.c +@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */ + * and mode = mixed_mode + */ + int sfb = gr_infos->maxbandl; +- int idx = bi->longIdx[sfb]; ++ int idx; ++ if (sfb > 21) ++ return; ++ idx = bi->longIdx[sfb]; + + for ( ; sfb<8; sfb++ ) + { +@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */ + else /* ((gr_infos->block_type != 2)) */ + { + int sfb = gr_infos->maxbandl; +- int is_p,idx = bi->longIdx[sfb]; ++ int is_p,idx; ++ if (sfb > 21) ++ return; ++ idx = bi->longIdx[sfb]; + for ( ; sfb<21; sfb++) + { + int sb = bi->longDiff[sfb]; only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch +++ mp3gain-1.5.1/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch 
@@ -0,0 +1,32 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie <s...@debian.org> +Date: Sun, 16 Mar 2014 20:52:15 +0000 +Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder + +Origin: vendor, Debian (mpg123/0.59r-18) +Author: Daniel Kobras <kob...@debian.org> +See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542 +See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471 +--- + mpglibDBL/layer2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c +index 8f4e9e3..027cced 100644 +--- a/mpglibDBL/layer2.c ++++ b/mpglibDBL/layer2.c +@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point) + fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ? + (fr->mode_ext<<2)+4 : fr->II_sblimit; + ++ if (fr->jsbound > fr->II_sblimit) { ++ fprintf(stderr, "Truncating stereo boundary to sideband limit.\n"); ++ fr->jsbound=fr->II_sblimit; ++ } ++ + if(stereo == 1 || single == 3) + single = 0; +
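Review bot: in the changelog hunk, CVE-2004-0991 is the only entry with no originating mpg123 bug number; patch 0013 says the original patch could not be located, so either cite the mpg123 changelog entries it was reconstructed from (0.59r-18/-19) or write "no separate bug" so the omission reads as deliberate rather than as a missing reference.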
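Review bot: patch 0016 raises MAXFRAMESIZE from 1792 to 3456 but says nothing about which buffers in mpglibDBL are sized from it, and the bound only has a security effect together with the `fr->framesize > MAXFRAMESIZE` check in 0014. The description should name the buffer(s) whose length derives from MAXFRAMESIZE and state whether `fr->framesize` includes the 4-byte header (0014's message prints `fr->framesize+4-fr->padding`, which suggests it does not), so a reader can confirm that a frame of exactly 3456 bytes plus header still fits. Since 0014 is listed before 0016 in 00list, the check is briefly built against the old 1792 value; harmless for a #define, but worth a sentence.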
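Review bot: in patch 0015, bitrate index 0000 is "free format" in the MPEG audio header layout, so this hunk turns a free-format stream from a decode attempt into a rejected header; say so in the description, because the quoted remark that the patch is "unnecessary" otherwise leaves the reader unsure what it changes. Style: the index is extracted twice; `int br = (head>>12)&0xf;` followed by `if (br == 0xf || br == 0)` is easier to match against the comment "bits 16,17,18,19 = 1111 or 0000".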
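Review bot: in patch 0014, `if (fr->framesize > MAXFRAMESIZE)` does not catch a zero or negative `fr->framesize`; it is a signed int, so if the size computation earlier in decode_header can produce that for an odd bitrate/samplerate combination, extend the test to `fr->framesize <= 0 || fr->framesize > MAXFRAMESIZE`. Also, the message prints `fr->framesize+4-fr->padding` while the comparison is on `fr->framesize`, so the logged number is not the value that was tested; print the compared value, or note in the description that framesize excludes the header and why padding is subtracted.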
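Review bot: in patch 0013, the comment `/* Or equivalent: (fr->lsf == 1) */` undercuts the fix: if the two conditions were equivalent the hunk would be a no-op, yet the description calls the old `if(fr->lsf)` test insufficient. State in the description which header values leave `fr->lsf` clear while `fr->sampling_frequency >= 3`, i.e. the case where `translate[fr->sampling_frequency]` would be indexed past its bound, and drop or reword the comment. The same line also indexes with `2-fr->stereo` and `fr->bitrate_index` unchecked; if 0015's rejection of bitrate index 0 and the existing rejection of 0xf are what keep that lookup in range, mention the dependency.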
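Review bot: in patch 0012, both guards read `if (sfb > 21) return;` on an int taken from `gr_infos->maxbandl`, so a negative value passes and still indexes `bi->longIdx[sfb]`; use `if (sfb < 0 || sfb > 21)` unless the description can state that maxbandl is never negative. The Subject names III_antialias(), but the visible context (maxbandl, longIdx, is_p, the "mode = mixed_mode" comment) is the intensity-stereo path, so check the function name. Finally, the bare `return` silently skips the rest of the stereo processing for that granule; the other patches report to stderr when they reject input, and a consistent message would make a truncated decode easier to diagnose.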
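Review bot: in patch 0011, the clamp `fr->jsbound=fr->II_sblimit` closes the overflow, but the `fprintf(stderr, ...)` runs for every affected frame inside what is a library decoder embedded in mp3gain, so a malformed file floods stderr. Either drop the message, print it once per stream, or follow 0014 and treat the condition as a rejected frame, and record the choice in the description. Minor: "sideband limit" should read "subband limit" (II_sblimit).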
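The header checks spread across patches 0014, 0015 and 0016 above are easier to reason about when written out in one place. The following is an added example, not code from mp3gain, mpg123 or the patches: a strict MPEG-1/2/2.5 audio frame-header validator that rejects bitrate index 0000 and 1111, the reserved sampling-rate, version and layer codes, and any frame whose computed size exceeds MAXFRAMESIZE, then walks a constructed buffer using only sizes that passed those checks. The bitrate and sample-rate tables are the standard ISO 11172-3 / 13818-3 values; MAXFRAMESIZE is the 3456 from patch 0016; the function names (`parse_header`, `framesize_of`, `count_frames`, `demo_count`) and the sample buffer are this example's own.

```c
/* Added example (not code from the patches above): strict MPEG audio
 * frame-header validation plus frame-size bounding, i.e. the rules the
 * patches add to mpglib's head_check()/decode_header() in one place.
 * Tables are the standard ISO 11172-3 / 13818-3 values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXFRAMESIZE 3456   /* the value patch 0016 introduces */

/* kbit/s by [mpeg2or2.5][layer-1][bitrate_index-1]; index 0 (free format)
 * and 15 (reserved) are rejected before lookup, so they have no column. */
static const int bitrate_tab[2][3][14] = {
  { {32,64,96,128,160,192,224,256,288,320,352,384,416,448},   /* MPEG-1 I   */
    {32,48,56,64,80,96,112,128,160,192,224,256,320,384},      /* MPEG-1 II  */
    {32,40,48,56,64,80,96,112,128,160,192,224,256,320} },     /* MPEG-1 III */
  { {32,48,56,64,80,96,112,128,144,160,176,192,224,256},      /* MPEG-2 I   */
    {8,16,24,32,40,48,56,64,80,96,112,128,144,160},           /* MPEG-2 II  */
    {8,16,24,32,40,48,56,64,80,96,112,128,144,160} }          /* MPEG-2 III */
};
/* Hz by [version][sampling_index]; index 3 is reserved and rejected. */
static const int samplerate_tab[3][3] = {
  {44100, 48000, 32000}, {22050, 24000, 16000}, {11025, 12000, 8000}
};

struct mpeg_frame {
  int version, layer, bitrate, samplerate, padding;  /* version: 0=MPEG-1 1=MPEG-2 2=MPEG-2.5 */
  int framesize;  /* whole frame in bytes, 4-byte header included */
};

/* Validate a 32-bit big-endian header. Returns 1 and fills *fr, or 0 if
 * any field is invalid or the frame would not fit in MAXFRAMESIZE. */
int parse_header(uint32_t head, struct mpeg_frame *fr)
{
  if ((head & 0xffe00000u) != 0xffe00000u) return 0;  /* 11-bit sync word */
  int ver_bits   = (head >> 19) & 3;   /* 00=2.5 01=reserved 10=2 11=1 */
  int layer_bits = (head >> 17) & 3;   /* 00=reserved 01=III 10=II 11=I */
  int br_idx     = (head >> 12) & 0xf;
  int sr_idx     = (head >> 10) & 3;
  int pad        = (head >> 9) & 1;

  if (ver_bits == 1 || layer_bits == 0) return 0;  /* reserved codes */
  if (br_idx == 0 || br_idx == 0xf) return 0;      /* 0000 and 1111: patch 0015's rule */
  if (sr_idx == 3) return 0;                        /* reserved sample rate */

  fr->version    = (ver_bits == 3) ? 0 : (ver_bits == 2) ? 1 : 2;
  fr->layer      = 4 - layer_bits;
  fr->bitrate    = bitrate_tab[fr->version ? 1 : 0][fr->layer - 1][br_idx - 1];
  fr->samplerate = samplerate_tab[fr->version][sr_idx];
  fr->padding    = pad;

  long bps = fr->bitrate * 1000L, size;
  if (fr->layer == 1)
    size = (12 * bps / fr->samplerate + pad) * 4;   /* 384 samples, 4-byte slots */
  else  /* 1152 samples, except MPEG-2/2.5 Layer III frames which carry 576 */
    size = ((fr->layer == 3 && fr->version) ? 72 : 144) * bps / fr->samplerate + pad;

  if (size <= 0 || size > MAXFRAMESIZE) return 0;   /* patch 0014's bound, plus <= 0 */
  fr->framesize = (int)size;
  return 1;
}

/* Frame size for a header, or -1 if the header is rejected. */
int framesize_of(uint32_t head)
{
  struct mpeg_frame fr;
  return parse_header(head, &fr) ? fr.framesize : -1;
}

/* Walk a buffer frame by frame, advancing only by sizes that passed the
 * checks above; stop at the first bad header or truncated frame and
 * return the number of complete valid frames seen. */
int count_frames(const uint8_t *buf, size_t len)
{
  struct mpeg_frame fr;
  size_t pos = 0;
  int n = 0;
  while (len - pos >= 4) {
    uint32_t head = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16)
                  | ((uint32_t)buf[pos + 2] << 8) | (uint32_t)buf[pos + 3];
    if (!parse_header(head, &fr) || (size_t)fr.framesize > len - pos) break;
    pos += (size_t)fr.framesize;
    n++;
  }
  return n;
}

/* Constructed sample input: two valid 128 kbit/s 44.1 kHz Layer III frames
 * (417 bytes each, payload zeroed) then a header with bitrate index 0000,
 * which must stop the scan. Returns the number of frames accepted. */
int demo_count(void)
{
  static uint8_t buf[417 * 2 + 4];
  static const uint8_t good[4] = {0xFF, 0xFB, 0x90, 0x04};
  static const uint8_t bad[4]  = {0xFF, 0xFB, 0x00, 0x04};
  memset(buf, 0, sizeof buf);
  memcpy(buf, good, 4);
  memcpy(buf + 417, good, 4);
  memcpy(buf + 834, bad, 4);
  return count_frames(buf, sizeof buf);
}

int main(void)
{
  printf("0xFFFB9004 -> %d bytes\n", framesize_of(0xFFFB9004u));
  printf("0xFFFB0004 -> %d (bitrate index 0 rejected)\n", framesize_of(0xFFFB0004u));
  printf("frames accepted in sample: %d\n", demo_count());
  return 0;
}
```

With the standard tables, the largest legal frame (MPEG-2.5 Layer II at 160 kbit/s and 8 kHz) is 2880 bytes, so the MAXFRAMESIZE bound only trips on a size that did not come from a valid table entry; that is why the index checks have to come first, and why rejecting a non-positive size costs nothing extra.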