commit libmodplug for openSUSE:13.1

23 Oct 2013

Hello community,

here is the log from the commit of package libmodplug for openSUSE:13.1 checked in at 2013-10-23 10:09:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1/libmodplug (Old)
 and      /work/SRC/openSUSE:13.1/.libmodplug.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libmodplug"

Changes:
--------
--- /work/SRC/openSUSE:13.1/libmodplug/libmodplug.changes	2013-09-23 10:57:44.000000000 +0200
+++ /work/SRC/openSUSE:13.1/.libmodplug.new/libmodplug.changes	2013-10-23 10:10:20.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Oct 22 16:42:30 CEST 2013 - sbrabec@suse.cz
+
+- Two security fixes (bnc#834483):
+  * Fix integer overflow (CVE-2013-4233, CVE-2013-4233.patch).
+  * Fix heap overflows (CVE-2013-4234, CVE-2013-4234.patch).
+
+-------------------------------------------------------------------

New:
----
  CVE-2013-4233.patch
  CVE-2013-4234.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libmodplug.spec ++++++
--- /var/tmp/diff_new_pack.7IdD36/_old	2013-10-23 10:10:20.000000000 +0200
+++ /var/tmp/diff_new_pack.7IdD36/_new	2013-10-23 10:10:20.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libmodplug
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,10 +20,10 @@
 
 Name:           libmodplug
 Summary:        A MOD playing library
-Version:        0.8.8.4
-Release:        2
-Group:          System/Libraries
 License:        SUSE-Public-Domain
+Group:          System/Libraries
+Version:        0.8.8.4
+Release:        0
 Url:            http://modplug-xmms.sourceforge.net
 Source:         %{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
@@ -31,7 +31,13 @@
 Patch1:         libmodplug-timidity.patch
 # PATCH-FIX-OPENSUSE Fix buffer overflow
 Patch2:         libmodplug-overflow.patch
-BuildRequires:  dos2unix gcc-c++ pkg-config
+# PATCH-FIX-UPSTREAM CVE-2013-4233.patch bnc834483 CVE-2013-4233 sbrabec@suse.cz -- Fix integer overflow.
+Patch3:         CVE-2013-4233.patch
+# PATCH-FIX-UPSTREAM CVE-2013-4234.patch bnc834483 CVE-2013-4234 sbrabec@suse.cz -- Fix heap overflows.
+Patch4:         CVE-2013-4234.patch
+BuildRequires:  dos2unix
+BuildRequires:  gcc-c++
+BuildRequires:  pkg-config
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -42,7 +48,6 @@
 
 %package -n libmodplug%{soname}
 
-License:        SUSE-Public-Domain
 Summary:        Development files for libmodplug
 Group:          Development/Libraries/C and C++
 
@@ -55,7 +60,6 @@
 - plays textfiles written in the ABC music notation (*.abc).
 
 %package devel
-License:        SUSE-Public-Domain
 Summary:        Development files for libmodplug
 Group:          Development/Libraries/C and C++
 Requires:       libmodplug%{soname} = %{version}
@@ -67,6 +71,8 @@
 %setup -q
 %patch1
 %patch2 -p1
+%patch3 -p2
+%patch4 -p2
 # Fix eol encoding.
 dos2unix -o ChangeLog
 

++++++ CVE-2013-4233.patch ++++++
...
From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski 
Date: Wed, 14 Aug 2013 14:15:27 +1000
Subject: [PATCH] CVE-2013-4233 Fix
Integer overflow in j variable

-- reported by Florian "Agix" Gaultier
---
 libmodplug/src/load_abc.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index 9f4b328..ecb7b62 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
 
 static void	abc_set_parts(char **d, char *p)
 {
-	int i,j,k,m,n;
+	int i,j,k,m,n,size;
 	char *q;
 #ifdef NEWMIKMOD
 	static MM_ALLOC *h;
@@ -1852,10 +1852,11 @@ static void	abc_set_parts(char **d, char *p)
 			i += n-1;
 		}
 	}
-	q = (char *)_mm_calloc(h, j+1, sizeof(char));	// enough storage for the worst case
+	size = (j + 1) > 0 ? j+1 : j;
+	q = (char *)_mm_calloc(h, size, sizeof(char));	// enough storage for the worst case
 	// now copy bytes from p to *d, taking parens and digits in account
 	j = 0;
-	for( i=0; p[i] && p[i] != '%'; i++ ) {
+	for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
 		if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
 			if( p[i] == ')' ) {
 				for( n=j; n > 0 && q[n-1] != '('; n-- )	;	// find open paren in q
-- 
1.8.4

++++++ CVE-2013-4234.patch ++++++
...
From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski 
Date: Wed, 14 Aug 2013 15:15:09 +1000
Subject: [PATCH] CVE-2013-4234 Fix
Heap overflow in abc_MIDI_drum + abc_MIDI_gchord

-- reported by Florian "Agix" Gaultier
---
 libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index ecb7b62..dd9cc6b 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p)
 static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 {
 	char *q;
-	int i,n,m;
+	int i, n, m, len;
 	while( isspace(*p) ) p++;
 	if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2;
 	if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1;
-	n = 0;
+	n = 0; len = 0;
 	for( q = h->drum; *p && !isspace(*p); p++ ) {
 		if( !strchr("dz0123456789",*p) ) break;
-		*q++ = *p;
-		if( !isdigit(*p) ) {
-			if( !isdigit(p[1]) ) *q++ = '1';
+		*q++ = *p; len++;
+		if( !isdigit(*p) && len < sizeof(h->drum)-1 ) {
+			if( !isdigit(p[1]) ) { *q++ = '1'; len ++; }
 			n++; // count the silences too....
 		}
+		if (len >= sizeof(h->drum)-1) {
+			// consume the rest of the input
+			// definitely enough "drum last state" stored.
+			while ( *p && !isspace(*p) ) p++;
+			break;
+		}
 	}
 	*q = '\0';
 	q = h->drumins;
 	for( i = 0; idrum[i*2] == 'd' ) {
-			while( isspace(*p) ) p++;
+			while( *p && isspace(*p) ) p++;
 			if( !isdigit(*p) ) {
 				m = 0;
-				while( !isspace(*p) ) p++;
+				while( *p && !isspace(*p) ) p++;
 			}
 			else
 				p += abc_getnumber(p,&m);
@@ -3236,10 +3242,10 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 	q = h->drumvol;
 	for( i = 0; idrum[i*2] == 'd' ) {
-			while( isspace(*p) ) p++;
+			while( *p && isspace(*p) ) p++;
 			if( !isdigit(*p) ) {
 				m = 0;
-				while( !isspace(*p) ) p++;
+				while( *p && !isspace(*p) ) p++;
 			}
 			else
 				p += abc_getnumber(p,&m);
@@ -3254,13 +3260,19 @@ static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
 static int abc_MIDI_gchord(const char *p, ABCHANDLE *h)
 {
 	char *q;
+	int len = 0;
 	while( isspace(*p) ) p++;
 	if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2;
 	if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1;
 	for( q = h->gchord; *p && !isspace(*p); p++ ) {
 		if( !strchr("fbcz0123456789ghijGHIJ",*p) ) break;
-		*q++ = *p;
-		if( !isdigit(*p) && !isdigit(p[1]) ) *q++ = '1';
+		*q++ = *p; len++;
+		if( !isdigit(*p) && len < sizeof(h->gchord)-1 && !isdigit(p[1]) ) { *q++ = '1'; len ++; }
+		if (len >= sizeof(h->gchord)-1) {
+			// consume the rest of the input
+			// definitely enough "drum last state" stored.
+			while ( *p && !isspace(*p) ) p++;
+		}
 	}
 	*q = '\0';
 	return 0;
-- 
1.8.4

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

commit libmodplug for openSUSE:13.1

root＠hilbert.suse.de