From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id aOLXMmhFO1+bOQAA0tVLHw
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 18 Aug 2020 03:05:12 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id cMKFLmhFO1+BHQAAbx9fmQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 18 Aug 2020 03:05:12 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4C131940215
	for <larch@yhetil.org>; Tue, 18 Aug 2020 03:05:11 +0000 (UTC)
Received: from localhost ([::1]:36238 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1k7rvx-00080O-CS
	for larch@yhetil.org; Mon, 17 Aug 2020 23:05:09 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:36328)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1k7rvq-00080E-KM
 for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:50353)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1k7rvq-0001EX-9O
 for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1k7rvq-000741-3g
 for guix-patches@gnu.org; Mon, 17 Aug 2020 23:05:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG
 corruption.
References: <87r1s6oam4.fsf@gmx.com>
In-Reply-To: <87r1s6oam4.fsf@gmx.com>
Resent-From: Brendan Tildesley <mail@brendan.scot>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 18 Aug 2020 03:05:02 +0000
Resent-Message-ID: <handler.42890.B42890.159771987827121@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 42890
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 42890@debbugs.gnu.org
Received: via spool by 42890-submit@debbugs.gnu.org id=B42890.159771987827121
 (code B ref 42890); Tue, 18 Aug 2020 03:05:02 +0000
Received: (at 42890) by debbugs.gnu.org; 18 Aug 2020 03:04:38 +0000
Received: from localhost ([127.0.0.1]:33666 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1k7rvS-00073N-4K
 for submit@debbugs.gnu.org; Mon, 17 Aug 2020 23:04:38 -0400
Received: from mout-p-103.mailbox.org ([80.241.56.161]:44860)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@brendan.scot>) id 1k7rvN-000735-35
 for 42890@debbugs.gnu.org; Mon, 17 Aug 2020 23:04:36 -0400
Received: from smtp2.mailbox.org (smtp2.mailbox.org
 [IPv6:2001:67c:2050:105:465:1:2:0])
 (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))
 (No client certificate requested)
 by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4BVwk265rlzKmCt
 for <42890@debbugs.gnu.org>; Tue, 18 Aug 2020 05:04:26 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brendan.scot;
 s=MBO0001; t=1597719864;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type;
 bh=pa9F3e4rstA/3QCceRKuLv5/+Skzq4C1a3cMkBaElZI=;
 b=Ntgn4B2XIgB9cVWbXWFASeG3a+cCSam8T9kkDfIxaAQZMz9Q5h/CyjLLmhXe2qaBpjWlru
 g+8OD2/vOXQBS2mR4L+5OIVlRYrUjXTAX7PnTgT6oF2IyAdGRxv5Nm8W2Bdl9uG07pGSDB
 bW1MiJAAVPyCBC+uxJOTPMPsvyvU42mknRncSbNaBU7wVLqU3tG5oqw1+YUKqrrUlY5mgc
 ek63pfiSRFfULfUw/WTJQ6oYh0YbBC7o6qaGWQlbpQHkSSJ0gMtogXUC1vxDGZt0Lp7wPA
 +K+0H5mC3gBQr2ezcvMKl8JREINF2yw3UG85fUc2AwU9wSh6Dr/KxHvwxNACMg==
Received: from smtp2.mailbox.org ([80.241.60.241])
 by spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de
 [80.241.56.117]) (amavisd-new, port 10030)
 with ESMTP id tEtzMozvkBNu for <42890@debbugs.gnu.org>;
 Tue, 18 Aug 2020 05:04:22 +0200 (CEST)
From: Brendan Tildesley <mail@brendan.scot>
Message-ID: <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot>
Date: Tue, 18 Aug 2020 13:04:17 +1000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------310F91BD6F2C7385FAA8FABF"
Content-Language: en-US
X-MBO-SPAM-Probability: 
X-Rspamd-Score: -6.54 / 15.00 / 15.00
X-Rspamd-Queue-Id: 56D85175A
X-Rspamd-UID: e4ac92
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-Spam-Score: -1.0 (-)
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=fail (rsa verify failed) header.d=brendan.scot header.s=MBO0001 header.b=Ntgn4B2X;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Spam-Score: -0.01
X-TUID: oYf2TuoW2ekz

This is a multi-part message in MIME format.
--------------310F91BD6F2C7385FAA8FABF
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

I should apologise. I also prepared this same patch to submit over a 
year or two ago but ended up neglecting it. I also discovered these two 
CVE patches (attached)  from another distribution that i was going to 
add. Perhaps the best solution is to switch to git-reference and choose 
a more recent commit that includes all these fixes. Your patch is in 
master at 
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 
and the two I attached are also in master.



--------------310F91BD6F2C7385FAA8FABF
Content-Type: text/x-patch; charset=UTF-8;
 name="taglib-CVE-2017-12678.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="taglib-CVE-2017-12678.patch"

>From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <me@sbooth.org>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame

If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
 taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7be..9347ab869 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
      tag->frameList("TDAT").size() == 1)
   {
     TextIdentificationFrame *tdrc =
-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
 
-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
        tdrc->fieldList().front().size() == 4 &&
        tdat->data().size() >= 5)
     {

--------------310F91BD6F2C7385FAA8FABF
Content-Type: text/x-patch; charset=UTF-8;
 name="taglib-CVE-2018-11439.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="taglib-CVE-2018-11439.patch"

>From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)

CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
---
 taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
 
   if(!metadataHeader.startsWith("fLaC"))  {
     // FLAC 1.1.2+
+    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+    if(metadataHeader.size() < 13)
+      return;
+
+    if(metadataHeader[0] != 0x7f)
+      return;
+
     if(metadataHeader.mid(1, 4) != "FLAC")
       return;
 
-    if(metadataHeader[5] != 1)
-      return; // not version 1
+    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+      return; // not version 1.0
+
+    if(metadataHeader.mid(9, 4) != "fLaC")
+      return;
 
     metadataHeader = metadataHeader.mid(13);
   }

--------------310F91BD6F2C7385FAA8FABF--