From owner-svn-ports-all@freebsd.org Tue Mar 12 06:10:26 2019 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CEDB61546709; Tue, 12 Mar 2019 06:10:26 +0000 (UTC) (envelope-from riggs@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6F0BA76A9C; Tue, 12 Mar 2019 06:10:26 +0000 (UTC) (envelope-from riggs@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 272CD1E891; Tue, 12 Mar 2019 06:10:26 +0000 (UTC) (envelope-from riggs@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2C6APa6012549; Tue, 12 Mar 2019 06:10:25 GMT (envelope-from riggs@FreeBSD.org) Received: (from riggs@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2C6AOWL012543; Tue, 12 Mar 2019 06:10:24 GMT (envelope-from riggs@FreeBSD.org) Message-Id: <201903120610.x2C6AOWL012543@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: riggs set sender to riggs@FreeBSD.org using -f From: Thomas Zander Date: Tue, 12 Mar 2019 06:10:24 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r495440 - in head/audio/libsndfile: . files X-SVN-Group: ports-head X-SVN-Commit-Author: riggs X-SVN-Commit-Paths: in head/audio/libsndfile: . files X-SVN-Commit-Revision: 495440 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 6F0BA76A9C X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.996,0]; NEURAL_HAM_SHORT(-0.96)[-0.963,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2019 06:10:27 -0000 Author: riggs Date: Tue Mar 12 06:10:24 2019 New Revision: 495440 URL: https://svnweb.freebsd.org/changeset/ports/495440 Log: Backport patches from upstream against all currently known CVEs PR: 227669 Submitted by: p5B2E9A8F@t-online.de MFH: 2019Q1 Security: CVE-2018-19661 CVE-2018-19662 CVE-2017-17456 CVE-2017-17457 CVE-2018-19758 Added: head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 (contents, props changed) head/audio/libsndfile/files/patch-CVE-2018-19758 (contents, props changed) head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave (contents, props changed) head/audio/libsndfile/files/patch-rf64_arm (contents, props changed) head/audio/libsndfile/files/patch-typos (contents, props changed) Modified: head/audio/libsndfile/Makefile Modified: head/audio/libsndfile/Makefile ============================================================================== --- head/audio/libsndfile/Makefile Tue Mar 12 05:35:08 2019 (r495439) +++ head/audio/libsndfile/Makefile Tue Mar 12 06:10:24 2019 (r495440) @@ -3,7 +3,7 @@ PORTNAME= libsndfile PORTVERSION= 1.0.28 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= http://www.mega-nerd.com/libsndfile/files/ Added: head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libsndfile/files/patch-CVE-2017-17456_2017-17457_2018-19661_2018-19662 Tue Mar 12 06:10:24 2019 (r495440) @@ -0,0 +1,90 @@ +From: Hugo Lefeuvre +Date: Mon, 24 Dec 2018 06:43:48 +0100 +Subject: a/ulaw: fix multiple buffer overflows (#432) + +i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN +properly, leading to buffer underflow. INT_MIN is a special value +since - INT_MIN cannot be represented as int. + +In this case round - INT_MIN to INT_MAX and proceed as usual. + +f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN +properly, leading to null pointer dereference. + +In this case, arbitrarily set the buffer value to 0. + +This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and +fixes #344 (CVE-2017-17456 and CVE-2017-17457). +--- + src/alaw.c | 9 +++++++-- + src/ulaw.c | 9 +++++++-- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/alaw.c b/src/alaw.c +index 063fd1a..4220224 100644 +--- src/alaw.c ++++ src/alaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include ++#include + + #include "sndfile.h" + #include "common.h" +@@ -326,7 +327,9 @@ s2alaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2alaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = alaw_encode [INT_MAX >> (16 + 4)] ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [ptr [count] >> (16 + 4)] ; + else + buffer [count] = 0x7F & alaw_encode [- ptr [count] >> (16 + 4)] ; +@@ -346,7 +349,9 @@ f2alaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2alaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = alaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & alaw_encode [- lrint (normfact * ptr [count])] ; +diff --git a/src/ulaw.c b/src/ulaw.c +index e50b4cb..b6070ad 100644 +--- src/ulaw.c ++++ src/ulaw.c +@@ -19,6 +19,7 @@ + #include "sfconfig.h" + + #include ++#include + + #include "sndfile.h" + #include "common.h" +@@ -827,7 +828,9 @@ s2ulaw_array (const short *ptr, int count, unsigned char *buffer) + static inline void + i2ulaw_array (const int *ptr, int count, unsigned char *buffer) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (ptr [count] == INT_MIN) ++ buffer [count] = ulaw_encode [INT_MAX >> (16 + 2)] ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [ptr [count] >> (16 + 2)] ; + else + buffer [count] = 0x7F & ulaw_encode [-ptr [count] >> (16 + 2)] ; +@@ -847,7 +850,9 @@ f2ulaw_array (const float *ptr, int count, unsigned char *buffer, float normfact + static inline void + d2ulaw_array (const double *ptr, int count, unsigned char *buffer, double normfact) + { while (--count >= 0) +- { if (ptr [count] >= 0) ++ { if (!isfinite (ptr [count])) ++ buffer [count] = 0 ; ++ else if (ptr [count] >= 0) + buffer [count] = ulaw_encode [lrint (normfact * ptr [count])] ; + else + buffer [count] = 0x7F & ulaw_encode [- lrint (normfact * ptr [count])] ; Added: head/audio/libsndfile/files/patch-CVE-2018-19758 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libsndfile/files/patch-CVE-2018-19758 Tue Mar 12 06:10:24 2019 (r495440) @@ -0,0 +1,31 @@ +From: Erik de Castro Lopo +Date: Tue, 1 Jan 2019 20:11:46 +1100 +Subject: src/wav.c: Fix heap read overflow + +This is CVE-2018-19758. + +Closes: https://github.com/erikd/libsndfile/issues/435 +--- + src/wav.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/wav.c b/src/wav.c +index 4b943dc..59015a1 100644 +--- src/wav.c ++++ src/wav.c +@@ -1,5 +1,5 @@ + /* +-** Copyright (C) 1999-2016 Erik de Castro Lopo ++** Copyright (C) 1999-2019 Erik de Castro Lopo + ** Copyright (C) 2004-2005 David Viens + ** + ** This program is free software; you can redistribute it and/or modify +@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + ++ /* Loop count is signed 16 bit number so we limit it range to something sensible. */ ++ psf->instrument->loop_count &= 0x7fff ; + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + Added: head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libsndfile/files/patch-Check-MAX_CHANNELS-in-sndfile-deinterleave Tue Mar 12 06:10:24 2019 (r495440) @@ -0,0 +1,30 @@ +From: "Brett T. Warden" +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: Check MAX_CHANNELS in sndfile-deinterleave + +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. + +Fixes #397 +--- + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c +index e27593e..cb497e1 100644 +--- programs/sndfile-deinterleave.c ++++ programs/sndfile-deinterleave.c +@@ -89,6 +89,13 @@ main (int argc, char **argv) + exit (1) ; + } ; + ++ if (sfinfo.channels > MAX_CHANNELS) ++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", ++ argv [1], sfinfo.channels, MAX_CHANNELS) ; ++ exit (1) ; ++ } ; ++ ++ + state.channels = sfinfo.channels ; + sfinfo.channels = 1 ; + Added: head/audio/libsndfile/files/patch-rf64_arm ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libsndfile/files/patch-rf64_arm Tue Mar 12 06:10:24 2019 (r495440) @@ -0,0 +1,49 @@ +From: Erik de Castro Lopez +Date: Tue, 20 Jun 2017 00:00:00 +0200 +Subject: fix RF64 on armel/armhf archs + +Origin: upstream +Applied-Upstream: 9d470ee5577d3ccedb1c28c7e0a7295ba17feaf5 +Last-Update: 2017-06-20 +--- + src/rf64.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/rf64.c b/src/rf64.c +index c373bb0..60a3309 100644 +--- src/rf64.c ++++ src/rf64.c +@@ -339,6 +339,12 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock) + } ; + break ; + ++ case JUNK_MARKER : ++ case PAD_MARKER : ++ psf_log_printf (psf, "%M : %d\n", marker, chunk_size) ; ++ psf_binheader_readf (psf, "j", chunk_size) ; ++ break ; ++ + default : + if (chunk_size >= 0xffff0000) + { psf_log_printf (psf, "*** Unknown chunk marker (%X) at position %D with length %u. Exiting parser.\n", marker, psf_ftell (psf) - 8, chunk_size) ; +@@ -659,7 +665,7 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length) + + if (wpriv->rf64_downgrade && psf->filelength < RIFF_DOWNGRADE_BYTES) + { psf_binheader_writef (psf, "etm8m", RIFF_MARKER, (psf->filelength < 8) ? 8 : psf->filelength - 8, WAVE_MARKER) ; +- psf_binheader_writef (psf, "m4884", JUNK_MARKER, 20, 0, 0, 0, 0) ; ++ psf_binheader_writef (psf, "m4z", JUNK_MARKER, 24, 24) ; + add_fact_chunk = 1 ; + } + else +@@ -735,9 +741,10 @@ rf64_write_header (SF_PRIVATE *psf, int calc_length) + + #endif + ++ /* Padding may be needed if string data sizes change. */ + pad_size = psf->dataoffset - 16 - psf->header.indx ; + if (pad_size >= 0) +- psf_binheader_writef (psf, "m4z", PAD_MARKER, pad_size, make_size_t (pad_size)) ; ++ psf_binheader_writef (psf, "m4z", PAD_MARKER, (unsigned int) pad_size, make_size_t (pad_size)) ; + + if (wpriv->rf64_downgrade && (psf->filelength < RIFF_DOWNGRADE_BYTES)) + psf_binheader_writef (psf, "tm8", data_MARKER, psf->datalength) ; Added: head/audio/libsndfile/files/patch-typos ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/audio/libsndfile/files/patch-typos Tue Mar 12 06:10:24 2019 (r495440) @@ -0,0 +1,67 @@ +From: IOhannes m zmoelnig +Date: Wed, 5 Oct 2016 00:00:00 +0200 +Subject: fixed spelling errors + +Forwarded: yes +Last-Update: 2016-10-05 + +discovered by lintian +--- + doc/bugs.html | 2 +- + programs/sndfile-convert.c | 2 +- + src/ogg.c | 2 +- + src/wavlike.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/bugs.html b/doc/bugs.html +index 3a441fe..addedb8 100644 +--- doc/bugs.html ++++ doc/bugs.html +@@ -31,7 +31,7 @@ +
    +
  • Compilation problems on new platforms. +
  • Errors being detected during the `make check' process. +-
  • Segmentation faults occuring inside libsndfile. ++
  • Segmentation faults occurring inside libsndfile. +
  • libsndfile hanging when opening a file. +
  • Supported sound file types being incorrectly read or written. +
  • Omissions, errors or spelling mistakes in the documentation. +diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c +index dff7f79..896838f 100644 +--- programs/sndfile-convert.c ++++ programs/sndfile-convert.c +@@ -317,7 +317,7 @@ main (int argc, char * argv []) + if ((sfinfo.format & SF_FORMAT_SUBMASK) == SF_FORMAT_GSM610 && sfinfo.samplerate != 8000) + { printf ( + "WARNING: GSM 6.10 data format only supports 8kHz sample rate. The converted\n" +- "ouput file will contain the input data converted to the GSM 6.10 data format\n" ++ "output file will contain the input data converted to the GSM 6.10 data format\n" + "but not re-sampled.\n" + ) ; + } ; +diff --git a/src/ogg.c b/src/ogg.c +index 0856f77..e01ebe1 100644 +--- src/ogg.c ++++ src/ogg.c +@@ -193,7 +193,7 @@ ogg_stream_classify (SF_PRIVATE *psf, OGG_PRIVATE* odata) + break ; + } ; + +- psf_log_printf (psf, "This Ogg bitstream contains some uknown data type.\n") ; ++ psf_log_printf (psf, "This Ogg bitstream contains some unknown data type.\n") ; + return SFE_UNIMPLEMENTED ; + } /* ogg_stream_classify */ + +diff --git a/src/wavlike.c b/src/wavlike.c +index 86ebf01..c053da3 100644 +--- src/wavlike.c ++++ src/wavlike.c +@@ -161,7 +161,7 @@ wavlike_read_fmt_chunk (SF_PRIVATE *psf, int fmtsize) + { psf_log_printf (psf, " Bit Width : 24\n") ; + + psf_log_printf (psf, "\n" +- " Ambiguous information in 'fmt ' chunk. Possibile file types:\n" ++ " Ambiguous information in 'fmt ' chunk. Possible file types:\n" + " 0) Invalid IEEE float file generated by Syntrillium's Cooledit!\n" + " 1) File generated by ALSA's arecord containing 24 bit samples in 32 bit containers.\n" + " 2) 24 bit file with incorrect Block Align value.\n"