~ruther/guix-local

4373278ea5a5fa2db6889c044267f5a1dc5a9514 — Mark H Weaver 10 years ago ea79dbb 
gnu: libsndfile: Update to 1.0.26 [with follow-up fix CVE-2015-7805].

Note: The previous fix for CVE-2015-7805 was incomplete.

* gnu/packages/patches/libsndfile-CVE-2014-9496.patch,
  gnu/packages/patches/libsndfile-CVE-2015-7805.patch: Delete files.
* gnu-system.am (dist_patch_DATA): Remove them.
* gnu/packages/pulseaudio.scm (libsndfile): Update to 1.0.26.
  [source]: Remove patches.
patch browse .tar.gz 
4 files changed, 3 insertions(+), 158 deletions(-)

M gnu-system.am
D gnu/packages/patches/libsndfile-CVE-2014-9496.patch
D gnu/packages/patches/libsndfile-CVE-2015-7805.patch
M gnu/packages/pulseaudio.scm

M gnu-system.am => gnu-system.am +0 -2
@@ 568,8 568,6 @@ dist_patch_DATA =						\
  gnu/packages/patches/libtiff-oob-accesses-in-decode.patch	\
  gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
  gnu/packages/patches/libtool-skip-tests2.patch		\
  gnu/packages/patches/libsndfile-CVE-2014-9496.patch		\
  gnu/packages/patches/libsndfile-CVE-2015-7805.patch		\
  gnu/packages/patches/libssh-CVE-2014-0017.patch		\
  gnu/packages/patches/libunwind-CVE-2015-3239.patch		\
  gnu/packages/patches/libwmf-CAN-2004-0941.patch		\


D gnu/packages/patches/libsndfile-CVE-2014-9496.patch => gnu/packages/patches/libsndfile-CVE-2014-9496.patch +0 -55
@@ 1,55 0,0 @@
Copied from Fedora.

http://pkgs.fedoraproject.org/cgit/libsndfile.git/plain/libsndfile-1.0.25-cve2014_9496.patch

diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c
--- libsndfile-1.0.25/src/sd2.c.cve2014_9496	2011-01-19 11:10:36.000000000 +0100
+++ libsndfile-1.0.25/src/sd2.c	2015-01-13 17:00:35.920285526 +0100
@@ -395,6 +395,21 @@ read_marker (const unsigned char * data,
 		return 0x666 ;
 } /* read_marker */
 
+static inline int
+read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
+{	const unsigned char * data = prsrc->rsrc_data ;
+
+	if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
+		return 0 ;
+
+	if (CPU_IS_BIG_ENDIAN)
+		return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+	if (CPU_IS_LITTLE_ENDIAN)
+		return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ;
+
+	return 0 ;
+} /* read_rsrc_marker */
+
 static void
 read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
 {	int k ;
@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
 
 	rsrc.type_offset = rsrc.map_offset + 30 ;
 
+	if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+	{       psf_log_printf (psf, "Bad map offset.\n") ;
+		goto parse_rsrc_fork_cleanup ;
+		} ;
+
 	rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
 	if (rsrc.type_count < 1)
 	{	psf_log_printf (psf, "Bad type count.\n") ;
@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
 
 	rsrc.str_index = -1 ;
 	for (k = 0 ; k < rsrc.type_count ; k ++)
-	{	marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
+	{	if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+		{	psf_log_printf (psf, "Bad rsrc marker.\n") ;
+			goto parse_rsrc_fork_cleanup ;
+			} ;
+
+		marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
 
 		if (marker == STR_MARKER)
 		{	rsrc.str_index = k ;


D gnu/packages/patches/libsndfile-CVE-2015-7805.patch => gnu/packages/patches/libsndfile-CVE-2015-7805.patch +0 -95
@@ 1,95 0,0 @@
Slightly modified to apply cleanly to libsndfile-1.0.25.

From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Sat, 7 Feb 2015 15:45:10 +1100
Subject: [PATCH] src/common.c : Fix a header parsing bug.

When the file header is bigger that SF_HEADER_LEN, the code would seek
instead of reading causing file parse errors.

The current header parsing and writing code *badly* needs a re-write.
---
 src/common.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/src/common.c b/src/common.c
index dd4edb7..c6b88cc 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 1999-2011 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 1999-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU Lesser General Public License as published by
@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
 {	int count = 0 ;
 
 	if (psf->headindex >= SIGNED_SIZEOF (psf->header))
-	{	memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
-
-		/* This is the best that we can do. */
-		psf_fseek (psf, bytes, SEEK_CUR) ;
-		return bytes ;
-		} ;
+		return psf_fread (ptr, 1, bytes, psf) ;
 
 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
 	{	int most ;
 
 		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
-		memset ((char *) ptr + most, 0, bytes - most) ;
-
-		psf_fseek (psf, bytes - most, SEEK_CUR) ;
+		memcpy (ptr, psf->header + psf->headend, most) ;
+		psf->headend = psf->headindex += most ;
+		psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
 		return bytes ;
 		} ;
 
@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
 	{	count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
 		if (count != bytes - (int) (psf->headend - psf->headindex))
 		{	psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
-			return 0 ;
+			return count ;
 			} ;
 		psf->headend += count ;
 		} ;
@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
 static void
 header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
 {
-
 	switch (whence)
 	{	case SEEK_SET :
 			if (position > SIGNED_SIZEOF (psf->header))
@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
 
 static int
 header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
-{
-	int		k ;
+{	int		k ;
 
 	for (k = 0 ; k < bufsize - 1 ; k++)
 	{	if (psf->headindex < psf->headend)
@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
 			case 'j' :
 					/* Get the seek position first. */
 					count = va_arg (argptr, size_t) ;
-					header_seek (psf, count, SEEK_CUR) ;
-					byte_count += count ;
+					if (count)
+					{	header_seek (psf, count, SEEK_CUR) ;
+						byte_count += count ;
+						} ;
 					break ;
 
 			default :
-- 
2.6.3



M gnu/packages/pulseaudio.scm => gnu/packages/pulseaudio.scm +3 -6
@@ 1,6 1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;


@@ 43,17 43,14 @@
(define libsndfile
  (package
    (name "libsndfile")
    (version "1.0.25")
    (version "1.0.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.mega-nerd.com/libsndfile/files/libsndfile-"
                                 version ".tar.gz"))
             (sha256
              (base32
               "10j8mbb65xkyl0kfy0hpzpmrp0jkr12c7mfycqipxgka6ayns0ar"))
             (patches
              (map search-patch '("libsndfile-CVE-2014-9496.patch"
                                  "libsndfile-CVE-2015-7805.patch")))))
               "14jhla289cj45946h0hq2an0a9g4wkwb3v4571bla6ixfvn20rfd"))))
    (build-system gnu-build-system)
    (inputs
     `(("libvorbis" ,libvorbis)