NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/taglib: fix CVE-2018-11439

Browse Source 
The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2020-03-01 21:37:59 +01:00 committed by Peter Korsgaard
parent 85ed0d1c09
commit 70b2411cee
2 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
package/taglib/0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch Normal file
View File

@ -0,0 +1,45 @@
From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Tue, 9 Oct 2018 18:46:55 -0500
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
(#869)
CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
[Retrieved from:
https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
if(!metadataHeader.startsWith("fLaC")) {
// FLAC 1.1.2+
+ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+ if(metadataHeader.size() < 13)
+ return;
+
+ if(metadataHeader[0] != 0x7f)
+ return;
+
if(metadataHeader.mid(1, 4) != "FLAC")
return;
- if(metadataHeader[5] != 1)
- return; // not version 1
+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+ return; // not version 1.0
+
+ if(metadataHeader.mid(9, 4) != "fLaC")
+ return;
metadataHeader = metadataHeader.mid(13);
}

3
package/taglib/taglib.mk
View File

@ -13,6 +13,9 @@ TAGLIB_LICENSE_FILES = COPYING.LGPL COPYING.MPL
# 0002-Don-t-assume-TDRC-is-an-instance-of-TextIdentificationFrame.patch
TAGLIB_IGNORE_CVES += CVE-2017-12678
# 0003-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.patch
TAGLIB_IGNORE_CVES += CVE-2018-11439
ifeq ($(BR2_PACKAGE_ZLIB),y)
TAGLIB_DEPENDENCIES += zlib
endif