* [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247.
@ 2021-03-16 16:03 Kei Kebreau
2021-03-16 17:58 ` Leo Famulari
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Kei Kebreau @ 2021-03-16 16:03 UTC (permalink / raw)
To: 47194; +Cc: Kei Kebreau
* gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/mp3.scm (mpg321)[source]: Apply it.
---
gnu/local.mk | 1 +
gnu/packages/mp3.scm | 4 +++-
.../patches/mpg321-CVE-2019-14247.patch | 23 +++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mpg321-CVE-2019-14247.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index cf8849cf59..abb1e2140d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1404,6 +1404,7 @@ dist_patch_DATA = \
%D%/packages/patches/mit-krb5-hurd.patch \
%D%/packages/patches/mit-krb5-qualify-short-hostnames.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
+ %D%/packages/patches/mpg321-CVE-2019-14247.patch \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/monero-use-system-miniupnpc.patch \
%D%/packages/patches/mono-mdoc-timestamping.patch \
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 34390d3696..dba3e17558 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -408,7 +408,9 @@ command-line tool as well as a C library, libmpg123.")
version "/mpg321-" version ".tar.gz"))
(sha256
(base32
- "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))))
+ "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))
+ (patches
+ (search-patches "mpg321-CVE-2019-14247.patch"))))
(build-system gnu-build-system)
(arguments '(#:configure-flags '("--disable-alsa")))
(inputs
diff --git a/gnu/packages/patches/mpg321-CVE-2019-14247.patch b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
new file mode 100644
index 0000000000..03afaccc67
--- /dev/null
+++ b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
@@ -0,0 +1,23 @@
+This patch was downloaded from https://sourceforge.net/p/mpg321/bugs/51/ and
+fixes CVE-2019-14247.
+
+Description: Handle illegal bitrate value
+Author: Chrysostomos Nanakos <cnanakos@debian.org>
+Bug-Debian: https://bugs.debian.org/870406
+Bug-Debian: https://bugs.debian.org/887057
+
+--- mpg321-0.3.2.orig/mad.c
++++ mpg321-0.3.2/mad.c
+@@ -574,6 +574,12 @@ void scan(void const *ptr, ssize_t len,
+
+ if (!is_vbr)
+ {
++ if (header.bitrate <= 0)
++ {
++ fprintf(stderr, "Illegal bit allocation value\n");
++ return;
++ }
++
+ double time = (len * 8.0) / (header.bitrate); /* time in seconds */
+ double timefrac = (double)time - ((long)(time));
+ long nsamples = 32 * MAD_NSBSAMPLES(&header); /* samples per frame */
--
2.30.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247.
2021-03-16 16:03 [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247 Kei Kebreau
@ 2021-03-16 17:58 ` Leo Famulari
2021-03-16 18:10 ` Léo Le Bouter via Guix-patches via
2021-03-16 18:16 ` bug#47194: " Léo Le Bouter via Guix-patches via
2 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2021-03-16 17:58 UTC (permalink / raw)
To: Kei Kebreau; +Cc: 47194
On Tue, Mar 16, 2021 at 12:03:12PM -0400, Kei Kebreau wrote:
> * gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/mp3.scm (mpg321)[source]: Apply it.
Thanks! Please push.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247.
2021-03-16 16:03 [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247 Kei Kebreau
2021-03-16 17:58 ` Leo Famulari
@ 2021-03-16 18:10 ` Léo Le Bouter via Guix-patches via
2021-03-16 18:16 ` bug#47194: " Léo Le Bouter via Guix-patches via
2 siblings, 0 replies; 4+ messages in thread
From: Léo Le Bouter via Guix-patches via @ 2021-03-16 18:10 UTC (permalink / raw)
To: 47194
[-- Attachment #1: Type: text/plain, Size: 7 bytes --]
LGTM!
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#47194: [PATCH] gnu: mpg321: Fix CVE-2019-14247.
2021-03-16 16:03 [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247 Kei Kebreau
2021-03-16 17:58 ` Leo Famulari
2021-03-16 18:10 ` Léo Le Bouter via Guix-patches via
@ 2021-03-16 18:16 ` Léo Le Bouter via Guix-patches via
2 siblings, 0 replies; 4+ messages in thread
From: Léo Le Bouter via Guix-patches via @ 2021-03-16 18:16 UTC (permalink / raw)
To: Kei Kebreau, 47194-done
[-- Attachment #1: Type: text/plain, Size: 62 bytes --]
Pushed as 109f58444beecd1b9b7c502f2a687a6b91c62dc0
Thanks
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-16 18:41 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-16 16:03 [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247 Kei Kebreau
2021-03-16 17:58 ` Leo Famulari
2021-03-16 18:10 ` Léo Le Bouter via Guix-patches via
2021-03-16 18:16 ` bug#47194: " Léo Le Bouter via Guix-patches via
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.