author | Leo <thinkabit.ukim@gmail.com> | 2019-07-29 08:01:06 -0300 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-07-29 15:12:47 +0200 |
commit | 86cb13bd338f8f4a3c69e861d77fbe8140ce5335 (patch) | |
tree | a5a660de401eccec2eba8dd409cbb26fc464da42 | |
parent | f684a98ab9869cab9dcbc59ffef6134e4db1a03e (diff) |
main/libebml: fix CVE-2019-13615
ref #10697
-rw-r--r-- | main/libebml/APKBUILD | 13 | ||||
-rw-r--r-- | main/libebml/CVE-2019-13615.patch | 85 |
2 files changed, 95 insertions, 3 deletions
diff --git a/main/libebml/APKBUILD b/main/libebml/APKBUILD
index 686fdb0aa06..d5f64bc41f5 100644
--- a/main/libebml/APKBUILD
+++ b/main/libebml/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=libebml
 pkgver=1.3.5
-pkgrel=0
+pkgrel=1
 pkgdesc="a C++ library to parse Extensible Binary Meta-Language files"
 url="https://www.matroska.org/"
 arch="all"
@@ -12,9 +12,15 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-dev"
-source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz"
+source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz
+ CVE-2019-13615.patch
+ "
 options="!check"
 
+# secfixes:
+# 1.3.5-r1:
+# - CVE-2019-13615
+
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 local i
@@ -42,4 +48,5 @@ package() {
 make install DESTDIR="$pkgdir"
 }
 
-sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz"
+sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz
+9cdda162a58c77541065121edafe09643f6c37ffb7b94851903f80a2fb5bf2e4729c6d97b5a23d05257b65abada0f5bf10d9d245cc3b4fd07653bb5ad3c29f0a CVE-2019-13615.patch"
diff --git a/main/libebml/CVE-2019-13615.patch b/main/libebml/CVE-2019-13615.patch
new file mode 100644
index 00000000000..0c8e24c820d
--- /dev/null
+++ b/main/libebml/CVE-2019-13615.patch
@@ -0,0 +1,85 @@
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 143f439..871247c 100644
+--- a/src/EbmlElement.cpp
++++ b/src/EbmlElement.cpp
+@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ int PossibleSizeLength;
+ uint64 SizeUnknown;
+ int ReadIndex = 0; // trick for the algo, start index at 0
+- uint32 ReadSize = 0;
++ uint32 ReadSize = 0, IdStart = 0;
+ uint64 SizeFound;
+ int SizeIdx;
+ bool bFound;
+ int UpperLevel_original = UpperLevel;
++ uint64 ParseStart = DataStream.getFilePointer();
+
+ do {
+ // read a potential ID
+@@ -402,14 +403,17 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // ID not found
+ // shift left the read octets
+ memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
++ IdStart++;
+ }
+
++ if (MaxDataSize <= ReadSize)
++ break;
+ if (DataStream.read(&PossibleIdNSize[ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+ }
+ ReadSize++;
+
+- } while (!bFound && MaxDataSize > ReadSize);
++ } while (!bFound);
+
+ if (!bFound)
+ // we reached the maximum we could read without a proper ID
+@@ -432,6 +436,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ bFound = false;
+ break;
+ }
++ if (MaxDataSize <= ReadSize) {
++ bFound = false;
++ break;
++ }
+ if( DataStream.read( &PossibleIdNSize[SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+ }
+@@ -454,16 +462,15 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // 0 : child
+ // 1 : same level
+ // + : further parent
+- if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
+- if (SizeFound == SizeUnknown) {
+- Result->SetSizeInfinite();
++ if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
++ MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
++ if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++ Result->ElementPosition = ParseStart + IdStart;
++ Result->SizePosition = Result->ElementPosition + PossibleID_Length;
++ // place the file at the beggining of the data
++ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++ return Result;
+ }
+-
+- Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
+- Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
+- // place the file at the beggining of the data
+- DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+- return Result;
+ }
+ }
+ delete Result;
+@@ -473,8 +480,9 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // recover all the data in the buffer minus one byte
+ ReadIndex = SizeIdx - 1;
+ memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
++ IdStart++;
+ UpperLevel = UpperLevel_original;
+- } while ( MaxDataSize > DataStream.getFilePointer() - SizeIdx + PossibleID_Length );
++ } while ( MaxDataSize >= ReadSize );
+
+ return NULL;
+ }
+
|
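Review bot: The byte counters declared in the first inner hunk are only 32 bits wide (`uint32 ReadSize = 0, IdStart = 0;`), yet the new guards compare `ReadSize` with `MaxDataSize` and `IdStart` is added to the `uint64 ParseStart` to form `Result->ElementPosition`. If `MaxDataSize` is a 64-bit value (its declaration lies outside the hunk, as does most of `FindNextElement`), a resynchronisation scan across more than 4 GiB of unrecognised data would wrap both counters, after which the `MaxDataSize <= ReadSize` checks no longer bound the read and the computed element position is off. Declaring them as `uint64 ReadSize = 0, IdStart = 0;` keeps the bound and the position arithmetic in a single width. A short comment on the new variables, such as `// IdStart: bytes skipped before the candidate ID; ParseStart: stream offset on entry`, would also let the next reader check the invariant behind `ParseStart + IdStart`.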