projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3321eef)
package/libvorbis: annote CVE-2018-10393
authorFabrice Fontaine <fontaine.fabrice@gmail.com>
Sun, 1 Mar 2020 18:02:26 +0000 (19:02 +0100)
committerYann E. MORIN <yann.morin.1998@free.fr>
Sun, 1 Mar 2020 18:13:45 +0000 (19:13 +0100)
bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.

Same patch as for CVE-2017-14160

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - update 0001-*.patch to also reference CVE-2018-10393
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch patch | blob | history
package/libvorbis/libvorbis.mk patch | blob | history

diff --git a/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch b/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch
index e84f3d4799e6d83e1f6d87351b8e002313ebeaec..94dc4c614bbfe4ac188343f89a0a51a5f87a7ec4 100644 (file)
--- a/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch
+++ b/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch
@@ -4,11 +4,14 @@ Subject: CVE-2017-14160: fix bounds check on very low sample rates.
 X-Git-Url: https://git.xiph.org/?p=vorbis.git;a=commitdiff_plain;h=018ca26dece618457dd13585cad52941193c4a25
 
 CVE-2017-14160: fix bounds check on very low sample rates.
+CVE-2018-10393: Out-of-bounds Read
 
 Downloaded from upstream commit
 https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=018ca26dece618457dd13585cad52941193c4a25
 
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+[yann.morin.1998@free.fr: also fixes CVE-2018-10393]
+Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
 ---
 
 diff --git a/lib/psy.c b/lib/psy.c
diff --git a/package/libvorbis/libvorbis.mk b/package/libvorbis/libvorbis.mk
index bf479a3900abaebe4b088491a8709c6f22d20bad..708f3364ec7e1bd815fadc9e759a75169ece591c 100644 (file)
--- a/package/libvorbis/libvorbis.mk
+++ b/package/libvorbis/libvorbis.mk
@@ -13,6 +13,9 @@ LIBVORBIS_DEPENDENCIES = host-pkgconf libogg
 LIBVORBIS_LICENSE = BSD-3-Clause
 LIBVORBIS_LICENSE_FILES = COPYING
 
+# 0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch
+LIBVORBIS_IGNORE_CVES += CVE-2018-10393
+
 # 0002-Sanity-check-number-of-channels-in-setup.patch
 LIBVORBIS_IGNORE_CVES += CVE-2018-10392