From: Brendan Tildesley <mail@brendan.scot>
To: 42890@debbugs.gnu.org
Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
Date: Tue, 18 Aug 2020 13:04:17 +1000 [thread overview]
Message-ID: <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot> (raw)
In-Reply-To: <87r1s6oam4.fsf@gmx.com>
[-- Attachment #1: Type: text/plain, Size: 496 bytes --]
I should apologise. I also prepared this same patch to submit over a
year or two ago but ended up neglecting it. I also discovered these two
CVE patches (attached) from another distribution that i was going to
add. Perhaps the best solution is to switch to git-reference and choose
a more recent commit that includes all these fixes. Your patch is in
master at
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
and the two I attached are also in master.
[-- Attachment #2: taglib-CVE-2017-12678.patch --]
[-- Type: text/x-patch, Size: 1340 bytes --]
From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <me@sbooth.org>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7be..9347ab869 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
tag->frameList("TDAT").size() == 1)
{
TextIdentificationFrame *tdrc =
- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
- if(tdrc->fieldList().size() == 1 &&
+ if(tdrc &&
+ tdrc->fieldList().size() == 1 &&
tdrc->fieldList().front().size() == 4 &&
tdat->data().size() >= 5)
{
[-- Attachment #3: taglib-CVE-2018-11439.patch --]
[-- Type: text/x-patch, Size: 1369 bytes --]
From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
---
taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
if(!metadataHeader.startsWith("fLaC")) {
// FLAC 1.1.2+
+ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+ if(metadataHeader.size() < 13)
+ return;
+
+ if(metadataHeader[0] != 0x7f)
+ return;
+
if(metadataHeader.mid(1, 4) != "FLAC")
return;
- if(metadataHeader[5] != 1)
- return; // not version 1
+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+ return; // not version 1.0
+
+ if(metadataHeader.mid(9, 4) != "fLaC")
+ return;
metadataHeader = metadataHeader.mid(13);
}
next prev parent reply other threads:[~2020-08-18 3:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-16 15:48 [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption Pierre Langlois
2020-08-18 3:04 ` Brendan Tildesley [this message]
2020-08-18 9:21 ` Pierre Langlois
2020-08-18 17:59 ` Pierre Langlois
2020-09-04 9:32 ` Ludovic Courtès
2020-09-04 11:14 ` bug#42890: " Pierre Langlois
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot \
--to=mail@brendan.scot \
--cc=42890@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).