vorbis-tools: patch CVE-2023-43361

This is inactive project, so no official CVE fix will be available
anymore. That however does not mean that there is no fix available.
Following tries to prove that patch provided here is valid.

NVD CVE report [1] links issue [2] where this is reported.
Based on the report, fix was proposed in [3].
There was some review however the patch autor was not active.
[4] was later created trying to adddress the comments, but the project
was not active anymore. In this PR the patch was shrunk to a one-liner
in discussion.

I have tested the poc and it is real.
The patch fixes it, while not breaking the execution if good file path
is provided as argument.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361
[2] https://github.com/xiph/vorbis-tools/issues/41
[3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7
[4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

2 files changed, 39 insertions, 0 deletions

diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch
new file mode 100644
index 0000000000..7f5b634115
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch
@@ -0,0 +1,38 @@
+From 6ca16244ba70cd1c0c8d062d1416bdc79bf20898 Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Fri, 17 Jan 2025 18:49:12 +0100
+Subject: [PATCH] oggenc: Don't assume the output path ends in a file name.
+
+oggenc attempts to create any specified directories in the output
+file path if they don't exist. The parser was assuming there was
+a final filename after the last directory separator, and so would
+try to read off the end of the argument if it was a bare directory
+such as `./` or `outdir/`. This adds a check to make sure the
+scan isn't starting off the end of the path string.
+
+Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science
+and Technology (cse.hust.edu.cn) for the report.
+
+CVE: CVE-2023-43361
+Upstream-Status: Submitted [https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ oggenc/platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/oggenc/platform.c b/oggenc/platform.c
+index 6d9f4ef..1ff02ca 100644
+--- a/oggenc/platform.c
++++ b/oggenc/platform.c
+@@ -147,7 +147,7 @@ int create_directories(char *fn, int isutf8)
+         start = start+2;
+ #endif
+ 
+-    while((end = strpbrk(start+1, PATH_SEPS)) != NULL)
++    while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL)
+     {
+         int rv;
+         memcpy(segment, fn, end-fn);
+-- 
+2.30.2
+
diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
index 61a4aedb85..2cbd840138 100644
--- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
+++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
@@ -13,6 +13,7 @@ DEPENDS = "libogg libvorbis"
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
            file://gettext.patch \
            file://0001-ogginfo-Include-utf8.h-for-missing-utf8_decode.patch \
+           file://CVE-2023-43361.patch \
           "
 
 SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e"