This is upstream commit 8ddc442d539ca775d80cdbc7af17a718634a743f
---
main/libsndfile/APKBUILD | 9 +-
...-17457_CVE-2018-19661_CVE-2018-19662.patch | 88 +++++++++++++++++++
2 files changed, 96 insertions(+), 1 deletion(-)
create mode 100644 main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index c2e5e77b95..9611731276 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libsndfile
pkgver=1.0.28
-pkgrel=5
+pkgrel=6
pkgdesc="A C library for reading and writing files containing sampled sound"
url="http://www.mega-nerd.com/libsndfile"
arch="all"
@@ -16,12 +16,18 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz
CVE-2017-8362.patch
CVE-2017-12562.patch
CVE-2018-13139.patch
+ CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
fix-rf64-varargs-bug.patch
"
# sporadic testsuite failures on armhf
case $CARCH in arm*) options="!check";; esac
# secfixes:
+# 1.0.28-r6:
+# - CVE-2017-17456
+# - CVE-2017-17457
+# - CVE-2018-19661
+# - CVE-2018-19662
# 1.0.28-r4:
# - CVE-2018-13139
# 1.0.28-r2:
@@ -62,4 +68,5 @@ f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb7
dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch
814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch
33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805 CVE-2018-13139.patch
+ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
0b7ce6bd6c1ec825521974c36b8c6eb5edd17d3c57d5ae3de287fb34a6be7108bc9511abb497538eef36e5883b84f4137fad6fe9a1d150345111de9f068838f9 fix-rf64-varargs-bug.patch"
diff --git a/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
new file mode 100644
index 0000000000..5b58114dbe
--- /dev/null
+++ b/main/libsndfile/CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
@@ -0,0 +1,88 @@
+commit 8ddc442d539ca775d80cdbc7af17a718634a743f
+Author: Hugo Lefeuvre <hle@owl.eu.com>
+Date: Mon Dec 24 06:43:48 2018 +0100
+
+ a/ulaw: fix multiple buffer overflows (#432)
+
+ i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN
+ properly, leading to buffer underflow. INT_MIN is a special value
+ since - INT_MIN cannot be represented as int.
+
+ In this case round - INT_MIN to INT_MAX and proceed as usual.
+
+ f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN
+ properly, leading to null pointer dereference.
+
+ In this case, arbitrarily set the buffer value to 0.
+
+ This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and
+ fixes #344 (CVE-2017-17456 and CVE-2017-17457).
+
+diff --git a/src/alaw.c b/src/alaw.c
+index 063fd1a2..4220224c 100644
+--- a/src/alaw.c
++++ b/src/alaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include <math.h>
++#include <limits.h>
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2alaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ;
+@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ;
+diff --git a/src/ulaw.c b/src/ulaw.c
+index e50b4cb5..b6070ade 100644
+--- a/src/ulaw.c
++++ b/src/ulaw.c
+@@ -19,6 +19,7 @@
+ #include "sfconfig.h"
+
+ #include <math.h>
++#include <limits.h>
+
+ #include "sndfile.h"
+ #include "common.h"
+@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer)
+ static inline void
+ i2ulaw_array (const int *ptr, int count, unsigned char *buffer)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (ptr [count] == INT_MIN)
++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ;
+@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact
+ static inline void
+ d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact)
+ { while (--count >= 0)
+- { if (ptr [count] >= 0)
++ { if (!isfinite (ptr [count]))
++ buffer [count] = 0 ;
++ else if (ptr [count] >= 0)
+ buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ;
+ else
+ buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ;
--
2.20.1
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---