From: Fabrice Fontaine Date: Sun, 1 Mar 2020 18:02:26 +0000 (+0100) Subject: package/libvorbis: annote CVE-2018-10393 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=e21730db5c2d4ac305f3d944cad359623a31d638;p=buildroot.git package/libvorbis: annote CVE-2018-10393 bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. Same patch as for CVE-2017-14160 Signed-off-by: Fabrice Fontaine [yann.morin.1998@free.fr: - update 0001-*.patch to also reference CVE-2018-10393 ] Signed-off-by: Yann E. MORIN --- diff --git a/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch b/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch index e84f3d4799..94dc4c614b 100644 --- a/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch +++ b/package/libvorbis/0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch @@ -4,11 +4,14 @@ Subject: CVE-2017-14160: fix bounds check on very low sample rates. X-Git-Url: https://git.xiph.org/?p=vorbis.git;a=commitdiff_plain;h=018ca26dece618457dd13585cad52941193c4a25 CVE-2017-14160: fix bounds check on very low sample rates. +CVE-2018-10393: Out-of-bounds Read Downloaded from upstream commit https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=018ca26dece618457dd13585cad52941193c4a25 Signed-off-by: Bernd Kuhls +[yann.morin.1998@free.fr: also fixes CVE-2018-10393] +Signed-off-by: Yann E. MORIN --- diff --git a/lib/psy.c b/lib/psy.c diff --git a/package/libvorbis/libvorbis.mk b/package/libvorbis/libvorbis.mk index bf479a3900..708f3364ec 100644 --- a/package/libvorbis/libvorbis.mk +++ b/package/libvorbis/libvorbis.mk 
@@ -13,6 +13,9 @@ LIBVORBIS_DEPENDENCIES = host-pkgconf libogg LIBVORBIS_LICENSE = BSD-3-Clause LIBVORBIS_LICENSE_FILES = COPYING +# 0001-CVE-2017-14160-fix-bounds-check-on-very-low-sample-rates.patch +LIBVORBIS_IGNORE_CVES += CVE-2018-10393 + # 0002-Sanity-check-number-of-channels-in-setup.patch LIBVORBIS_IGNORE_CVES += CVE-2018-10392
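Review bot: In the first hunk (the 0001-*.patch header, `@@ -4,11 +4,14 @@`), the added line `+CVE-2018-10393: Out-of-bounds Read` carries only the generic vulnerability title, while the commit message above already states the specific defect (bark_noise_hybridmp in psy.c, stack-based buffer over-read) and that it is the same fix as CVE-2017-14160. Suggest putting that wording into the patch header too, e.g. `+CVE-2018-10393: stack-based buffer over-read in bark_noise_hybridmp (psy.c), fixed by the same upstream commit`, so that someone reading the patch file on its own can see why one upstream commit 018ca26 is credited with both CVEs.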
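Review bot: In the libvorbis.mk hunk (`@@ -13,6 +13,9 @@`), only `LIBVORBIS_IGNORE_CVES += CVE-2018-10393` is added under the `# 0001-CVE-2017-14160-...patch` comment, and the visible context shows no `LIBVORBIS_IGNORE_CVES` entry for CVE-2017-14160 itself. Since the commit message says this is the same patch as for CVE-2017-14160, please confirm whether that CVE is also reported against the packaged version and, if so, list it under the same comment (`LIBVORBIS_IGNORE_CVES += CVE-2017-14160`), otherwise the CVE check will keep flagging it even though the patch is applied. The comment-then-variable layout matches the existing `# 0002-...` / `CVE-2018-10392` block, which is good; keep both blocks in sync when the patch is dropped on a version bump.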