From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id aOLXMmhFO1+bOQAA0tVLHw (envelope-from ) for ; Tue, 18 Aug 2020 03:05:12 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id cMKFLmhFO1+BHQAAbx9fmQ (envelope-from ) for ; Tue, 18 Aug 2020 03:05:12 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4C131940215 for ; Tue, 18 Aug 2020 03:05:11 +0000 (UTC) Received: from localhost ([::1]:36238 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k7rvx-00080O-CS for larch@yhetil.org; Mon, 17 Aug 2020 23:05:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36328) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k7rvq-00080E-KM for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:50353) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1k7rvq-0001EX-9O for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1k7rvq-000741-3g for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption. References: <87r1s6oam4.fsf@gmx.com> In-Reply-To: <87r1s6oam4.fsf@gmx.com> Resent-From: Brendan Tildesley Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 18 Aug 2020 03:05:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 42890 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 42890@debbugs.gnu.org Received: via spool by 42890-submit@debbugs.gnu.org id=B42890.159771987827121 (code B ref 42890); Tue, 18 Aug 2020 03:05:02 +0000 Received: (at 42890) by debbugs.gnu.org; 18 Aug 2020 03:04:38 +0000 Received: from localhost ([127.0.0.1]:33666 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1k7rvS-00073N-4K for submit@debbugs.gnu.org; Mon, 17 Aug 2020 23:04:38 -0400 Received: from mout-p-103.mailbox.org ([80.241.56.161]:44860) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1k7rvN-000735-35 for 42890@debbugs.gnu.org; Mon, 17 Aug 2020 23:04:36 -0400 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4BVwk265rlzKmCt for <42890@debbugs.gnu.org>; Tue, 18 Aug 2020 05:04:26 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brendan.scot; s=MBO0001; t=1597719864; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=pa9F3e4rstA/3QCceRKuLv5/+Skzq4C1a3cMkBaElZI=; b=Ntgn4B2XIgB9cVWbXWFASeG3a+cCSam8T9kkDfIxaAQZMz9Q5h/CyjLLmhXe2qaBpjWlru g+8OD2/vOXQBS2mR4L+5OIVlRYrUjXTAX7PnTgT6oF2IyAdGRxv5Nm8W2Bdl9uG07pGSDB bW1MiJAAVPyCBC+uxJOTPMPsvyvU42mknRncSbNaBU7wVLqU3tG5oqw1+YUKqrrUlY5mgc ek63pfiSRFfULfUw/WTJQ6oYh0YbBC7o6qaGWQlbpQHkSSJ0gMtogXUC1vxDGZt0Lp7wPA +K+0H5mC3gBQr2ezcvMKl8JREINF2yw3UG85fUc2AwU9wSh6Dr/KxHvwxNACMg== Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de [80.241.56.117]) (amavisd-new, port 10030) with ESMTP id tEtzMozvkBNu for <42890@debbugs.gnu.org>; Tue, 18 Aug 2020 05:04:22 +0200 (CEST) From: Brendan Tildesley Message-ID: <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot> Date: Tue, 18 Aug 2020 13:04:17 +1000 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------310F91BD6F2C7385FAA8FABF" Content-Language: en-US X-MBO-SPAM-Probability: X-Rspamd-Score: -6.54 / 15.00 / 15.00 X-Rspamd-Queue-Id: 56D85175A X-Rspamd-UID: e4ac92 X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -1.0 (-) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=fail (rsa verify failed) header.d=brendan.scot header.s=MBO0001 header.b=Ntgn4B2X; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: -0.01 X-TUID: oYf2TuoW2ekz This is a multi-part message in MIME format. --------------310F91BD6F2C7385FAA8FABF Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit I should apologise. I also prepared this same patch to submit over a year or two ago but ended up neglecting it. I also discovered these two CVE patches (attached)  from another distribution that i was going to add. Perhaps the best solution is to switch to git-reference and choose a more recent commit that includes all these fixes. Your patch is in master at https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 and the two I attached are also in master. --------------310F91BD6F2C7385FAA8FABF Content-Type: text/x-patch; charset=UTF-8; name="taglib-CVE-2017-12678.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="taglib-CVE-2017-12678.patch" >From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001 From: "Stephen F. Booth" Date: Sun, 23 Jul 2017 10:11:09 -0400 Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame which causes problems in rebuildAggregateFrames() when it is assumed that TDRC is a TextIdentificationFrame --- taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp index 759a9b7be..9347ab869 100644 --- a/taglib/mpeg/id3v2/id3v2framefactory.cpp +++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp @@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const tag->frameList("TDAT").size() == 1) { TextIdentificationFrame *tdrc = - static_cast(tag->frameList("TDRC").front()); + dynamic_cast(tag->frameList("TDRC").front()); UnknownFrame *tdat = static_cast(tag->frameList("TDAT").front()); - if(tdrc->fieldList().size() == 1 && + if(tdrc && + tdrc->fieldList().size() == 1 && tdrc->fieldList().front().size() == 4 && tdat->data().size() >= 5) { --------------310F91BD6F2C7385FAA8FABF Content-Type: text/x-patch; charset=UTF-8; name="taglib-CVE-2018-11439.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="taglib-CVE-2018-11439.patch" >From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 From: Scott Gayou Date: Mon, 4 Jun 2018 11:34:36 -0400 Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) CVE-2018-11439 is caused by a failure to check the minimum length of a ogg flac header. This header is detailed in full at: https://xiph.org/flac/ogg_mapping.html. Added more strict checking for entire header. --- taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp index 53d04508a..07ea9dccc 100644 --- a/taglib/ogg/flac/oggflacfile.cpp +++ b/taglib/ogg/flac/oggflacfile.cpp @@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() if(!metadataHeader.startsWith("fLaC")) { // FLAC 1.1.2+ + // See https://xiph.org/flac/ogg_mapping.html for the header specification. + if(metadataHeader.size() < 13) + return; + + if(metadataHeader[0] != 0x7f) + return; + if(metadataHeader.mid(1, 4) != "FLAC") return; - if(metadataHeader[5] != 1) - return; // not version 1 + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) + return; // not version 1.0 + + if(metadataHeader.mid(9, 4) != "fLaC") + return; metadataHeader = metadataHeader.mid(13); } --------------310F91BD6F2C7385FAA8FABF--