[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 500 bytes --]

Hello Guix!

As I was looking into updating clementine, I noticed it would refuse to
build with the system's taglib saying it may have a bug that corrupts
OGG files. I haven't personally encountered this bug, but I think we
should patch it anyway to be safe. It should be included in the next
release but it's unclear when this is going happen :-/

See https://github.com/taglib/taglib/issues/864 for more details. It
seems other distributions such as Archlinux also apply this fix.

Thanks!
Pierre


[-- Attachment #2: 0001-gnu-taglib-Include-patch-to-prevent-OGG-corruption.patch --]
[-- Type: text/x-patch, Size: 4042 bytes --]

From fb029863097e216111b40c410167ea7e36c3bf3d Mon Sep 17 00:00:00 2001
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Sun, 16 Aug 2020 16:28:54 +0100
Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

* gnu/packages/mp3.scm (taglib)[source]: Add patch.
* gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/mp3.scm                          |  8 +++++--
 .../taglib-fix-possible-ogg-packet-loss.patch | 24 +++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index db0f73d881..dc6df1af66 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1574,6 +1574,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+.patch		\
   %D%/packages/patches/t4k-common-libpng16.patch		\
+  %D%/packages/patches/taglib-fix-possible-ogg-packet-loss.patch	\
   %D%/packages/patches/tao-add-missing-headers.patch		\
   %D%/packages/patches/tao-fix-parser-types.patch		\
   %D%/packages/patches/tar-remove-wholesparse-check.patch	\
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..b6d174f7d4 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017, 2019 Pierre Langlois <pierre.langlois@gmx.com>
+;;; Copyright © 2017, 2019, 2020 Pierre Langlois <pierre.langlois@gmx.com>
 ;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
@@ -167,7 +167,11 @@ a highly stable and efficient implementation.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))))
+                "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))
+              ;; Fix https://github.com/taglib/taglib/issues/864, which will
+              ;; be included in the next 1.12 release.
+              (patches
+               (search-patches "taglib-fix-possible-ogg-packet-loss.patch"))))
     (build-system cmake-build-system)
     (arguments
       '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.
diff --git a/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch
new file mode 100644
index 0000000000..665732888f
--- /dev/null
+++ b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch
@@ -0,0 +1,24 @@
+From 9336c82da3a04552168f208cd7a5fa4646701ea4 Mon Sep 17 00:00:00 2001
+From: Tsuda Kageyu <tsuda.kageyu@gmail.com>
+Date: Thu, 1 Dec 2016 11:32:01 +0900
+Subject: [PATCH] Fix possible Ogg packet losses.
+
+See https://github.com/taglib/taglib/issues/864 for details.
+
+---
+ taglib/ogg/oggfile.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/taglib/ogg/oggfile.cpp b/taglib/ogg/oggfile.cpp
+index 86b0b0764..c36e4d46c 100644
+--- a/taglib/ogg/oggfile.cpp
++++ b/taglib/ogg/oggfile.cpp
+@@ -253,7 +253,7 @@ void Ogg::File::writePacket(unsigned int i, const ByteVector &packet)
+   ByteVectorList packets = firstPage->packets();
+   packets[i - firstPage->firstPacketIndex()] = packet;
+ 
+-  if(firstPage != lastPage && lastPage->packetCount() > 2) {
++  if(firstPage != lastPage && lastPage->packetCount() > 1) {
+     ByteVectorList lastPagePackets = lastPage->packets();
+     lastPagePackets.erase(lastPagePackets.begin());
+     packets.append(lastPagePackets);
-- 
2.28.0

[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Brendan Tildesley]

[-- Attachment #1: Type: text/plain, Size: 496 bytes --]

I should apologise. I also prepared this same patch to submit over a 
year or two ago but ended up neglecting it. I also discovered these two 
CVE patches (attached)  from another distribution that i was going to 
add. Perhaps the best solution is to switch to git-reference and choose 
a more recent commit that includes all these fixes. Your patch is in 
master at 
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 
and the two I attached are also in master.



[-- Attachment #2: taglib-CVE-2017-12678.patch --]
[-- Type: text/x-patch, Size: 1340 bytes --]

From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <me@sbooth.org>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame

If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
 taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7be..9347ab869 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
      tag->frameList("TDAT").size() == 1)
   {
     TextIdentificationFrame *tdrc =
-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
 
-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
        tdrc->fieldList().front().size() == 4 &&
        tdat->data().size() >= 5)
     {

[-- Attachment #3: taglib-CVE-2018-11439.patch --]
[-- Type: text/x-patch, Size: 1369 bytes --]

From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)

CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
---
 taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
 
   if(!metadataHeader.startsWith("fLaC"))  {
     // FLAC 1.1.2+
+    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+    if(metadataHeader.size() < 13)
+      return;
+
+    if(metadataHeader[0] != 0x7f)
+      return;
+
     if(metadataHeader.mid(1, 4) != "FLAC")
       return;
 
-    if(metadataHeader[5] != 1)
-      return; // not version 1
+    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+      return; // not version 1.0
+
+    if(metadataHeader.mid(9, 4) != "fLaC")
+      return;
 
     metadataHeader = metadataHeader.mid(13);
   }

[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Pierre Langlois]

Hi Brendan,

Brendan Tildesley writes:

> I should apologise. I also prepared this same patch to submit over a
> year or two ago but ended up neglecting it. I also discovered these two
> CVE patches (attached)  from another distribution that i was going to
> add. Perhaps the best solution is to switch to git-reference and choose
> a more recent commit that includes all these fixes. Your patch is in
> master at
> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
> and the two I attached are also in master.

No worries! Yeah I think it's a good to just use a git-reference in this
case, I'll try that and submit another patch, thanks for the suggestion!

Pierre

[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 1060 bytes --]


Pierre Langlois writes:

> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached)  from another distribution that i was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah I think it's a good to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!

I wasn't so sure which recent commit to use, but then I saw there was a
1.12-beta-1 pre-release from September 2019 so I thought we'd use that.
Looking at some discussions upstream [0], it might still be a while
until we get a proper release though :-/

0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581


[-- Attachment #2: 0001-gnu-taglib-Update-to-1.12-beta-1.patch --]
[-- Type: text/x-patch, Size: 2642 bytes --]

From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Tue, 18 Aug 2020 18:38:01 +0100
Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.

This switches to a yet unreleased version of taglib, to make sure long
standings issues and CVEs are covered until a proper release is made upstream.

Among these, we have:

- CVE-2017-12678
- CVE-2018-11439
- https://github.com/taglib/taglib/issues/864

* gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
[source]: Switch to using git-fetch.
---
 gnu/packages/mp3.scm | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..7ee009df74 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017, 2019 Pierre Langlois <pierre.langlois@gmx.com>
+;;; Copyright © 2017, 2019, 2020 Pierre Langlois <pierre.langlois@gmx.com>
 ;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
@@ -50,6 +50,7 @@
   #:use-module (gnu packages video)               ;ffmpeg
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix git-download)
   #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system python)
@@ -160,14 +161,16 @@ a highly stable and efficient implementation.")
 (define-public taglib
   (package
     (name "taglib")
-    (version "1.11.1")
+    (version "1.12-beta-1")
     (source (origin
-              (method url-fetch)
-              (uri (string-append "http://taglib.github.io/releases/taglib-"
-                                  version ".tar.gz"))
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/taglib/taglib")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
               (sha256
                (base32
-                "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))))
+                "1mp6w2ikniw8w6d5wr0h20j0ijg8jw7s9dli5a8k9znpznvxpym4"))))
     (build-system cmake-build-system)
     (arguments
       '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.
-- 
2.28.0

[bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Ludovic Courtès]

Hi!

Pierre Langlois <pierre.langlois@gmx.com> skribis:

>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
> From: Pierre Langlois <pierre.langlois@gmx.com>
> Date: Tue, 18 Aug 2020 18:38:01 +0100
> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>
> This switches to a yet unreleased version of taglib, to make sure long
> standings issues and CVEs are covered until a proper release is made upstream.
>
> Among these, we have:
>
> - CVE-2017-12678
> - CVE-2018-11439
> - https://github.com/taglib/taglib/issues/864
>
> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
> [source]: Switch to using git-fetch.

It’s a good idea to add “[security fixes]” or to list CVEs in the
subject line of the commit log.

Otherwise LGTM!

You can now use your new super commit powers to push it.  :-)

Thanks,
Ludo’.

bug#42890: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

[Pierre Langlois]

[-- Attachment #1: Type: text/plain, Size: 939 bytes --]


Ludovic Courtès writes:

> Hi!
>
> Pierre Langlois <pierre.langlois@gmx.com> skribis:
>
>>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
>> From: Pierre Langlois <pierre.langlois@gmx.com>
>> Date: Tue, 18 Aug 2020 18:38:01 +0100
>> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>>
>> This switches to a yet unreleased version of taglib, to make sure long
>> standings issues and CVEs are covered until a proper release is made upstream.
>>
>> Among these, we have:
>>
>> - CVE-2017-12678
>> - CVE-2018-11439
>> - https://github.com/taglib/taglib/issues/864
>>
>> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
>> [source]: Switch to using git-fetch.
>
> It’s a good idea to add “[security fixes]” or to list CVEs in the
> subject line of the commit log.
>
> Otherwise LGTM!
>
> You can now use your new super commit powers to push it.  :-)

Whoohoo! done :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]