From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1047694-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id E7390138335
	for <garchives@archives.gentoo.org>; Tue, 18 Sep 2018 16:24:28 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 008F0E0A10;
	Tue, 18 Sep 2018 16:24:28 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B347CE0A10
	for <gentoo-commits@lists.gentoo.org>; Tue, 18 Sep 2018 16:24:27 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 0ECC2335D05
	for <gentoo-commits@lists.gentoo.org>; Tue, 18 Sep 2018 16:24:26 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id E0CA73D9
	for <gentoo-commits@lists.gentoo.org>; Tue, 18 Sep 2018 16:24:23 +0000 (UTC)
From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner" <asturm@gentoo.org>
Message-ID: <1537287709.fcefddf42de6342aeff7dce16760923b10a05909.asturm@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libsndfile/, media-libs/libsndfile/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2017-12562.patch media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild
X-VCS-Directories: media-libs/libsndfile/files/ media-libs/libsndfile/
X-VCS-Committer: asturm
X-VCS-Committer-Name: Andreas Sturmlechner
X-VCS-Revision: fcefddf42de6342aeff7dce16760923b10a05909
X-VCS-Branch: master
Date: Tue, 18 Sep 2018 16:24:23 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: fa655858-1937-4fb3-9431-08ad2bf1a27e
X-Archives-Hash: f4501e5902ca36314cd95a9d697a8456

commit:     fcefddf42de6342aeff7dce16760923b10a05909
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 18 16:21:49 2018 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue Sep 18 16:21:49 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcefddf4

media-libs/libsndfile: Fix CVE-2017-12562

Bug: https://bugs.gentoo.org/627152
Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../files/libsndfile-1.0.28-CVE-2017-12562.patch   | 88 ++++++++++++++++++++++
 media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild  | 65 ++++++++++++++++
 2 files changed, 153 insertions(+)

diff --git a/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2017-12562.patch b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2017-12562.patch
new file mode 100644
index 00000000000..0ff2b7ef459
--- /dev/null
+++ b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2017-12562.patch
@@ -0,0 +1,88 @@
+From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= <osmanx@problemloesungsmaschine.de>
+Date: Wed, 14 Jun 2017 12:25:40 +0200
+Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings
+ in binheader
+
+Fixes the following problems:
+ 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes.
+ 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the
+    big switch statement by an amount (16 bytes) which is enough for all cases
+    where only a single value gets added. Cases 's', 'S', 'p' however
+    additionally write an arbitrary length block of data and again enlarge the
+    buffer to the required amount. However, the required space calculation does
+    not take into account the size of the length field which gets output before
+    the data.
+ 3. Buffer size requirement calculation in case 'S' does not account for the
+    padding byte ("size += (size & 1) ;" happens after the calculation which
+    uses "size").
+ 4. Case 'S' can overrun the header buffer by 1 byte when no padding is
+    involved
+    ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while
+    the buffer is only guaranteed to have "size" space available).
+ 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte
+    beyond the space which is guaranteed to be allocated in the header buffer.
+ 6. Case 's' can overrun the provided source string by 1 byte if padding is
+    involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;"
+    where "size" is "strlen (strptr) + 1" (which includes the 0 terminator,
+    plus optionally another 1 which is padding and not guaranteed to be
+    readable via the source string pointer).
+
+Closes: https://github.com/erikd/libsndfile/issues/292
+---
+ src/common.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index 1a6204ca..6b2a2ee9 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					/* Write a C string (guaranteed to have a zero terminator). */
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) + 1 ;
+-					size += (size & 1) ;
+ 
+-					if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+-						header_put_be_int (psf, size) ;
++						header_put_be_int (psf, size + (size & 1)) ;
+ 					else
+-						header_put_le_int (psf, size) ;
++						header_put_le_int (psf, size + (size & 1)) ;
+ 					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;
++					size += (size & 1) ;
+ 					psf->header.indx += size ;
+ 					psf->header.ptr [psf->header.indx - 1] = 0 ;
+ 					count += 4 + size ;
+@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					*/
+ 					strptr = va_arg (argptr, char *) ;
+ 					size = strlen (strptr) ;
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1)))
+ 						return count ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						header_put_be_int (psf, size) ;
+ 					else
+ 						header_put_le_int (psf, size) ;
+-					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;
++					memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ;
+ 					size += (size & 1) ;
+ 					psf->header.indx += size ;
+-					psf->header.ptr [psf->header.indx] = 0 ;
+ 					count += 4 + size ;
+ 					break ;
+ 
+@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...)
+ 					size = (size & 1) ? size : size + 1 ;
+ 					size = (size > 254) ? 254 : size ;
+ 
+-					if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size))
++					if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size))
+ 						return count ;
+ 
+ 					header_put_byte (psf, size) ;

diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild b/media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild
new file mode 100644
index 00000000000..dda9e8b990d
--- /dev/null
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r2.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} pypy{,3} )
+
+inherit python-any-r1 multilib-minimal
+
+MY_P=${P/_pre/pre}
+
+DESCRIPTION="C library for reading and writing files containing sampled sound"
+HOMEPAGE="http://www.mega-nerd.com/libsndfile"
+if [[ ${MY_P} == ${P} ]]; then
+	SRC_URI="http://www.mega-nerd.com/libsndfile/files/${P}.tar.gz"
+else
+	SRC_URI="http://www.mega-nerd.com/tmp/${MY_P}b.tar.gz"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="alsa minimal sqlite static-libs test"
+
+RDEPEND="
+	!minimal? (
+		>=media-libs/flac-1.2.1-r5[${MULTILIB_USEDEP}]
+		>=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}]
+		>=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}]
+	)
+	alsa? ( media-libs/alsa-lib )
+	sqlite? ( >=dev-db/sqlite-3.2 )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	test? ( ${PYTHON_DEPS} )"
+
+S=${WORKDIR}/${MY_P}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-arm-varargs-failure.patch
+	"${FILESDIR}"/${P}-CVE-2017-12562.patch
+)
+
+pkg_setup() {
+	use test && python-any-r1_pkg_setup
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		--disable-octave \
+		--enable-gcc-pipe \
+		--enable-gcc-opt \
+		$(use_enable static-libs static) \
+		$(use_enable !minimal external-libs) \
+		$(multilib_native_enable full-suite) \
+		$(multilib_native_use_enable alsa) \
+		$(multilib_native_use_enable sqlite)
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	# package provides .pc files
+	find "${D}" -name '*.la' -delete || die
+}