From c7d64c705976024bdb537a2cec33c9223777c0d8 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Fri, 17 Jan 2025 19:26:43 +0100 Subject: vorbis-tools: patch CVE-2023-43361 This is inactive project, so no official CVE fix will be available anymore. That however does not mean that there is no fix available. Following tries to prove that patch provided here is valid. NVD CVE report [1] links issue [2] where this is reported. Based on the report, fix was proposed in [3]. There was some review however the patch autor was not active. [4] was later created trying to adddress the comments, but the project was not active anymore. In this PR the patch was shrunk to a one-liner in discussion. I have tested the poc and it is real. The patch fixes it, while not breaking the execution if good file path is provided as argument. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361 [2] https://github.com/xiph/vorbis-tools/issues/41 [3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7 [4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8 Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 67d94fecb0dbd4f979b09a439c614ee4f01fc0c2) Signed-off-by: Armin Kuster --- .../vorbis-tools/vorbis-tools/CVE-2023-43361.patch | 38 ++++++++++++++++++++++ .../vorbis-tools/vorbis-tools_1.4.2.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch new file mode 100644 index 0000000000..7f5b634115 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/CVE-2023-43361.patch @@ -0,0 +1,38 @@ +From 6ca16244ba70cd1c0c8d062d1416bdc79bf20898 Mon Sep 17 00:00:00 2001 +From: Peter Marko +Date: Fri, 17 Jan 2025 18:49:12 +0100 +Subject: [PATCH] oggenc: Don't assume the output path ends in a file name. + +oggenc attempts to create any specified directories in the output +file path if they don't exist. The parser was assuming there was +a final filename after the last directory separator, and so would +try to read off the end of the argument if it was a bare directory +such as `./` or `outdir/`. This adds a check to make sure the +scan isn't starting off the end of the path string. + +Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science +and Technology (cse.hust.edu.cn) for the report. + +CVE: CVE-2023-43361 +Upstream-Status: Submitted [https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7] +Signed-off-by: Peter Marko +--- + oggenc/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/oggenc/platform.c b/oggenc/platform.c +index 6d9f4ef..1ff02ca 100644 +--- a/oggenc/platform.c ++++ b/oggenc/platform.c +@@ -147,7 +147,7 @@ int create_directories(char *fn, int isutf8) + start = start+2; + #endif + +- while((end = strpbrk(start+1, PATH_SEPS)) != NULL) ++ while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL) + { + int rv; + memcpy(segment, fn, end-fn); +-- +2.30.2 + diff --git a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb index 61a4aedb85..2cbd840138 100644 --- a/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb +++ b/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb @@ -13,6 +13,7 @@ DEPENDS = "libogg libvorbis" SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \ file://gettext.patch \ file://0001-ogginfo-Include-utf8.h-for-missing-utf8_decode.patch \ + file://CVE-2023-43361.patch \ " SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e" -- cgit v1.2.3-54-g00ecf