From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33243)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ecidW-0001Y2-64
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:13:08 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ecicZ-00073O-4A
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:12:02 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:55759)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ecicY-00072B-O2
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:11:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ecicX-0007PQ-Rq
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:11:01 -0500
Subject: [bug#30180] [PATCH] gnu: libsndfile: Fix CVE-2017-12562.
Resent-Message-ID: <handler.30180.B.151641423028440@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53408)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1eciaM-0000ZS-Dh
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:09:52 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1eciZW-0000lD-HQ
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:08:46 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33095)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1eciZW-0000jI-4U
	for guix-patches@gnu.org; Fri, 19 Jan 2018 21:07:54 -0500
Received: from jasmine.lan (unknown [68.119.236.136])
	by mail.messagingengine.com (Postfix) with ESMTPA id 6B78B7E2E5
	for <guix-patches@gnu.org>; Fri, 19 Jan 2018 21:07:52 -0500 (EST)
From: Leo Famulari <leo@famulari.name>
Date: Fri, 19 Jan 2018 18:07:45 -0800
Message-Id: <4ce9653c4e8ec4b70e53d2608a2551bb0831c1d0.1516414012.git.leo@famulari.name>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 30180@debbugs.gnu.org

I'd like to ungraft this on core-updates, even though it's late in the
core-updates cycle. Changing libsndfile requires only ~600 rebuilds per
architecture.

* gnu/packages/patches/libsndfile-CVE-2017-12562.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): New variable.
---
 gnu/local.mk                                       |  1 +
 .../patches/libsndfile-CVE-2017-12562.patch        | 97 ++++++++++++++++++++++
 gnu/packages/pulseaudio.scm                        | 10 +++
 3 files changed, 108 insertions(+)
 create mode 100644 gnu/packages/patches/libsndfile-CVE-2017-12562.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 240554fe4..80e7527e4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -837,6 +837,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libsndfile-armhf-type-checks.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
+  %D%/packages/patches/libsndfile-CVE-2017-12562.patch		\
   %D%/packages/patches/libssh-hostname-parser-bug.patch		\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
diff --git a/gnu/packages/patches/libsndfile-CVE-2017-12562.patch b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
new file mode 100644
index 000000000..58cb242b1
--- /dev/null
+++ b/gnu/packages/patches/libsndfile-CVE-2017-12562.patch
@@ -0,0 +1,97 @@
+Fix CVE-2017-12562:
+
+https://github.com/erikd/libsndfile/issues/292
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12562
+
+Patch copied from upstream source repository:
+
+https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
+
+From cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+    big switch statement by an amount (16 bytes) which is enough for all cases
+    where only a single value gets added. Cases 's', 'S', 'p' however
+    additionally write an arbitrary length block of data and again enlarge the
+    buffer to the required amount. However, the required space calculation does
+    not take into account the size of the length field which gets output before
+    the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+    padding byte ("size += (size & 1) ;" happens after the calculation which
+    uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+    involved
+    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+    the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+    beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+    plus optionally another 1 which is padding and not guaranteed to be
+    readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					/* Write a C string (guaranteed to have a zero terminator). */
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) + 1 ;
+-					size += (size & 1) ;
+ 
+-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+-						header_put_be_int (psf, size) ;
++						header_put_be_int (psf, size + (size & 1)) ;
+ 					else
+-						header_put_le_int (psf, size) ;
++						header_put_le_int (psf, size + (size & 1)) ;
+ 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++					size += (size & 1) ;
+ 					psf->header.indx += size ;
+ 					psf->header.ptr [psf->header.indx - 1] = 0 ;
+ 					count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					*/
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) ;
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						header_put_be_int (psf, size) ;
+ 					else
+ 						header_put_le_int (psf, size) ;
+-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ 					size += (size & 1) ;
+ 					psf->header.indx += size ;
+-					psf->header.ptr [psf->header.indx] = 0 ;
+ 					count += 4 + size ;
+ 					break ;
+ 
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					size = (size & 1) ? size : size + 1 ;
+ 					size = (size > 254) ? 254 : size ;
+ 
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ 						return count ;
+ 
+ 					header_put_byte (psf, size) ;
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index ba288aa44..39f54437c 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -47,6 +47,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.28")
     (source (origin
              (method url-fetch)
@@ -80,6 +81,15 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
+(define libsndfile/fixed
+  (package
+    (inherit libsndfile)
+    (source (origin
+              (inherit (package-source libsndfile))
+              (patches (append
+                         (origin-patches (package-source libsndfile))
+                         (search-patches "libsndfile-CVE-2017-12562.patch")))))))
+
 (define-public libsamplerate
   (package
     (name "libsamplerate")                     ; aka. Secret Rabbit Code (SRC)
-- 
2.16.0