Hello community, here is the log from the commit of package libmodplug for openSUSE:13.1 checked in at 2013-10-23 10:09:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1/libmodplug (Old) and /work/SRC/openSUSE:13.1/.libmodplug.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libmodplug" Changes: -------- --- /work/SRC/openSUSE:13.1/libmodplug/libmodplug.changes 2013-09-23 10:57:44.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.libmodplug.new/libmodplug.changes 2013-10-23 10:10:20.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Oct 22 16:42:30 CEST 2013 - sbrabec@suse.cz + +- Two security fixes (bnc#834483): + * Fix integer overflow (CVE-2013-4233, CVE-2013-4233.patch). + * Fix heap overflows (CVE-2013-4234, CVE-2013-4234.patch). + +------------------------------------------------------------------- New: ---- CVE-2013-4233.patch CVE-2013-4234.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmodplug.spec ++++++ --- /var/tmp/diff_new_pack.7IdD36/_old 2013-10-23 10:10:20.000000000 +0200 +++ /var/tmp/diff_new_pack.7IdD36/_new 2013-10-23 10:10:20.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package libmodplug # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,10 +20,10 @@ Name: libmodplug Summary: A MOD playing library -Version: 0.8.8.4 -Release: 2 -Group: System/Libraries License: SUSE-Public-Domain +Group: System/Libraries +Version: 0.8.8.4 +Release: 0 Url: http://modplug-xmms.sourceforge.net Source: %{name}-%{version}.tar.bz2 Source1: baselibs.conf 
@@ -31,7 +31,13 @@ Patch1: libmodplug-timidity.patch # PATCH-FIX-OPENSUSE Fix buffer overflow Patch2: libmodplug-overflow.patch -BuildRequires: dos2unix gcc-c++ pkg-config +# PATCH-FIX-UPSTREAM CVE-2013-4233.patch bnc834483 CVE-2013-4233 sbrabec@suse.cz -- Fix integer overflow. +Patch3: CVE-2013-4233.patch +# PATCH-FIX-UPSTREAM CVE-2013-4234.patch bnc834483 CVE-2013-4234 sbrabec@suse.cz -- Fix heap overflows. +Patch4: CVE-2013-4234.patch +BuildRequires: dos2unix +BuildRequires: gcc-c++ +BuildRequires: pkg-config BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -42,7 +48,6 @@ %package -n libmodplug%{soname} -License: SUSE-Public-Domain Summary: Development files for libmodplug Group: Development/Libraries/C and C++ @@ -55,7 +60,6 @@ - plays textfiles written in the ABC music notation (*.abc). %package devel -License: SUSE-Public-Domain Summary: Development files for libmodplug Group: Development/Libraries/C and C++ Requires: libmodplug%{soname} = %{version} @@ -67,6 +71,8 @@ %setup -q %patch1 %patch2 -p1 +%patch3 -p2 +%patch4 -p2 # Fix eol encoding. dos2unix -o ChangeLog ++++++ CVE-2013-4233.patch ++++++
From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001 From: Konstanty Bialkowski
Date: Wed, 14 Aug 2013 14:15:27 +1000 Subject: [PATCH] CVE-2013-4233 Fix
Integer overflow in j variable -- reported by Florian "Agix" Gaultier --- libmodplug/src/load_abc.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp index 9f4b328..ecb7b62 100644 --- a/libmodplug/src/load_abc.cpp +++ b/libmodplug/src/load_abc.cpp @@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice) static void abc_set_parts(char **d, char *p) { - int i,j,k,m,n; + int i,j,k,m,n,size; char *q; #ifdef NEWMIKMOD static MM_ALLOC *h; @@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p) i += n-1; } } - q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case + size = (j + 1) > 0 ? j+1 : j; + q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case // now copy bytes from p to *d, taking parens and digits in account j = 0; - for( i=0; p[i] && p[i] != '%'; i++ ) { + for( i=0; p[i] && p[i] != '%' && j < size; i++ ) { if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) { if( p[i] == ')' ) { for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q -- 1.8.4 ++++++ CVE-2013-4234.patch ++++++
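Review bot: The overflow test in `size = (j + 1) > 0 ? j+1 : j;` runs after the arithmetic it is meant to guard. `j + 1` on a signed `int` equal to `INT_MAX` is undefined behaviour, so the compiler may fold the comparison away; the worst-case count in `j` is also accumulated above the hunk, where it may already have wrapped to a negative value that is then passed to `_mm_calloc` as the element count. I would reject the out-of-range count before allocating, e.g. `if( j < 0 || j == INT_MAX ) return;` (or whichever failure path suits the caller), and check the `_mm_calloc` result for NULL before the copy loop touches `q`, unless that already happens outside the visible lines. The added `j < size` condition is evaluated only once per outer iteration, so any branch that writes more than one byte per pass, presumably the repeat expansion that begins at the `)` case, needs its own bound. The rest of the loop and of abc_set_parts lies outside the hunk, so this should be confirmed there.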
From 5de53a46283e7c463115444a9339978011dab961 Mon Sep 17 00:00:00 2001 From: Konstanty Bialkowski
Date: Wed, 14 Aug 2013 15:15:09 +1000 Subject: [PATCH] CVE-2013-4234 Fix
Heap overflow in abc_MIDI_drum + abc_MIDI_gchord
-- reported by Florian "Agix" Gaultier
---
libmodplug/src/load_abc.cpp | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index ecb7b62..dd9cc6b 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -3205,27 +3205,33 @@ static void abc_MIDI_chordname(const char *p)
static int abc_MIDI_drum(const char *p, ABCHANDLE *h)
{
char *q;
- int i,n,m;
+ int i, n, m, len;
while( isspace(*p) ) p++;
if( !strncmp(p,"on",2) && (isspace(p[2]) || p[2] == '\0') ) return 2;
if( !strncmp(p,"off",3) && (isspace(p[3]) || p[3] == '\0') ) return 1;
- n = 0;
+ n = 0; len = 0;
for( q = h->drum; *p && !isspace(*p); p++ ) {
if( !strchr("dz0123456789",*p) ) break;
- *q++ = *p;
- if( !isdigit(*p) ) {
- if( !isdigit(p[1]) ) *q++ = '1';
+ *q++ = *p; len++;
+ if( !isdigit(*p) && len < sizeof(h->drum)-1 ) {
+ if( !isdigit(p[1]) ) { *q++ = '1'; len ++; }
n++; // count the silences too....
}
+ if (len >= sizeof(h->drum)-1) {
+ // consume the rest of the input
+ // definitely enough "drum last state" stored.
+ while ( *p && !isspace(*p) ) p++;
+ break;
+ }
}
*q = '\0';
q = h->drumins;
for( i = 0; i