From 3cf7c3ef441822c889356fd1812ebf2944a59851 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 25 Aug 2020 10:45:55 +0100
Subject: gentoo resync : 25.08.2020
---
media-libs/libmp4v2/Manifest | 6 ++
.../files/libmp4v2-2.0.0-CVE-2018-14054.patch | 35 ++++++++
.../files/libmp4v2-2.0.0-CVE-2018-14325.patch | 60 ++++++++++++++
.../files/libmp4v2-2.0.0-CVE-2018-14379.patch | 33 ++++++++
.../files/libmp4v2-2.0.0-CVE-2018-14403.patch | 28 +++++++
.../files/libmp4v2-2.0.0-unsigned-int-cast.patch | 96 ++++++++++++++++++++++
media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild | 53 ++++++++++++
7 files changed, 311 insertions(+)
create mode 100644 media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
create mode 100644 media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
create mode 100644 media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
create mode 100644 media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
create mode 100644 media-libs/libmp4v2/files/libmp4v2-2.0.0-unsigned-int-cast.patch
create mode 100644 media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
(limited to 'media-libs/libmp4v2')
diff --git a/media-libs/libmp4v2/Manifest b/media-libs/libmp4v2/Manifest
index d8610cc475e7..7d4debad90fd 100644
--- a/media-libs/libmp4v2/Manifest
+++ b/media-libs/libmp4v2/Manifest
@@ -1,6 +1,12 @@ +AUX libmp4v2-2.0.0-CVE-2018-14054.patch 1772 BLAKE2B 8e6dfca134866d14689dc2470dadba0c1bfd90559682fd9bed22663b75ad3193f56c556e5c6d8d624ea93a2fd217dbf30113668f8f591257b57d2c2a04321e82 SHA512 3a18c5266efcd20c808d7d0d26c45bcbe4aaf3005eff5b7fe6c4fd918de476c2fea4433eeca928016611b472192a9bd0c03a41e086c47afc1b30e60c0de769a4 +AUX libmp4v2-2.0.0-CVE-2018-14325.patch 2849 BLAKE2B 8ea91b19d07037e6b5d9a7ce01d299f990e955f2163e990b3f64406248f471332d9df3a7320f3e3dae6ba2cffbc0a5359a5ae9e78973c8ec4fee42cd6727994c SHA512 f8a95ba51e4845074b606d2f10baf4e776927735480e4b3b776453be1a5adc28c43a41f1d26f7767881b8e4b9d37be22f858c496c83c90d4dc97eba15a43ff49 +AUX libmp4v2-2.0.0-CVE-2018-14379.patch 1373 BLAKE2B 436923f9ef86d2a05d244a3630d8fab5e1db98016a1c3d90f5bbbbd12f50c04c287823292f80edaac3ddeb98dd9560827fbca5ed2092ba8912724990d47b2eb7 SHA512 fe1b4c6735de7849e2b5dbfaf605c816d7d39247fa2bb470bd454d73a558b4a6e75b361458bdcb810cdf0ec4dc4362b766009a1272d003986e2d03271c627998 +AUX libmp4v2-2.0.0-CVE-2018-14403.patch 949 BLAKE2B 434fe9accaf6dafe9461f97b10c6278cef3af7d5cff7ee975424cff92557485880b4db83de32e3f80dcdaf362b7213ca89abd1e3427b85743ebf93c500e6ab69 SHA512 7ad5278ed37ee10ba04c88bcf9a10445c037bbf3cfea30720e7e8ddf1efd2e681796f223b8f749bee9bdde4d0c0448dee4f057f672305020e412568ef20775f3 AUX libmp4v2-2.0.0-clang.patch 1157 BLAKE2B cf4763c29017840322d0d31fd859057b2c5151ecb226bcab1d7fab972b4594659dfd9aaed0f7b828d687bf9e05f569cd4d42daf5ce21e6bdb44c0204f1af2028 SHA512 5015dfbd2126d180c7f1b57aecbde592b33fc56d45dc7a4178b0ec88b0ed2dcec23a3a09707bc52dbb6fbeebec1fd272d7625b77e986c7f880994cf6441125fb AUX libmp4v2-2.0.0-gcc7.patch 747 BLAKE2B 5bed55f8c9e9593261d9738871de162fdfaec6239078e3ffc0fc85352e60687ba93e37f63edd8fbaf576ffa5966aef07fd58171366ec60ac5969a80eb92f6016 SHA512 18433209711b88cf4a09dcf6ad26d7d717d6593d9b006258e80aac85fee01da17bbf7e67e60c75c82e18652eaddcdb2d945dec52f2f75aa0f236bd5328aab760 AUX libmp4v2-2.0.0-mp4tags-corruption.patch 642 BLAKE2B 
86a1b614dfc2e4dbcee97ebe9b029feac2078eb3d6c25793f291f625ad1e0dc1df85d028813fe96e980e2d8fef4a5eb821da8622f3ce3f8b28835dd020812d7f SHA512 565959560941ec0503b17a1e6a9cae85a03d6f97e4f4ea66cf457c941de96148606f23471525bf786bd95f78097b3376020a40d53fc7a4675c1db9819e7e8593 +AUX libmp4v2-2.0.0-unsigned-int-cast.patch 2922 BLAKE2B 660ee262d6a21540b9646aa87f911373042c1f1f879b18a913d07fd267fa2275556f8a0e18e86c28ce4a737f136d53c2dbd21602635b12b490535f3e8d8e0ef7 SHA512 89cb78624096e4182056c4e9099cc13cb6251330d741ccaabe557eeb21c2df77d71367da21c16d2c33b1a7dde49429f57c7673d49be0e9a459af491a00305f37 DIST mp4v2-2.0.0.tar.bz2 495672 BLAKE2B 966c90b443bd6f7a81c96fd12f95b00c3ec89cd476aa0fff3e0450b315d54543578ef953c5e3f28d52ca800a0768c601dddc8e99a32ff512767cd65c12832bd5 SHA512 15eb882f33d72d4209053b54c883b67715f539c33096705a0e7bc79015b93f6f3ac80ae29c65a0ffe9eab1bf0dedf07198bdee23fa6eafcd6ccb34f984484be0 EBUILD libmp4v2-2.0.0-r1.ebuild 1100 BLAKE2B cf62899ba1af8904780a9c8189425fb01262772d399f6ad0392e9eb7cd93debd2e6e08efda58cda604b8f741789cf135a56e41a5b4e3bf6e65b40ccb254ce0f8 SHA512 d6f894b90ef4638bf66ebb9e19b0c65bc8fbbd40b08973cb5e524f7828b6b02b4d02f787c390a9555b14f44725a12311410ee5be027c3c61aaea89ee3a24f9c9 +EBUILD libmp4v2-2.0.0-r2.ebuild 1321 BLAKE2B 55189e2e94ab83ac8de0057031569bd2246e753189f039a900c6b4abb74c157c5254b18e1c8d37b56f7317b12500c1bb29c77ecfb5f851a2ec262b0009e13ef3 SHA512 c48ec1fc00589aa99caa976a0497177bbeb3d094d43274f64e3b306324ad0ee9bd76aa687fba0175dfa10b7b3239efcf8896c17fca38de4f46fc5db9b9aa51c1 MISC metadata.xml 402 BLAKE2B ed37dabc480f00cf0f23df37f1e1f9203d81415f9c030f307f1265f9550f5e6a2466de8387b0f16eb7c40dd6e3705bff031df7b264594a7319751ba83c1c7d6b SHA512 63643195e04ecdb3a79a862991760894a4fc52aa073ee1aba1efba4babdd926002fe271d04f82e4e40dbf4cad2fa77fd7853620fe11badb14cc83d27c342ad70 
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
new file mode 100644
index 000000000000..3ff3e731b93c
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14054.patch
@@ -0,0 +1,35 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/3410bc66fb91f46325ab1d008b6a421dd8240949
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From 3410bc66fb91f46325ab1d008b6a421dd8240949 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?=
+Date: Sat, 2 Nov 2019 04:21:17 +0000
+Subject: [PATCH] Null out pointer after free to prevent double free
+
+If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur. By setting the pointer to NULL after the first free, we prevent the double free in this case.
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054
+
+copied form https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743
+From: Dave O'Rourke
+Date: Wed, 20 Mar 2019 08:57:29 -0400
+---
+ src/mp4property.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mp4property.cpp b/src/mp4property.cpp
+index 9a5b1e3..1b8e1d2 100644
+--- a/src/mp4property.cpp
++++ b/src/mp4property.cpp
+@@ -391,8 +391,10 @@ void MP4StringProperty::Read( MP4File& file, uint32_t index )
+ char*& value = m_values[i];
+
+ // Generally a default atom setting, e.g. see atom_avc1.cpp, "JVT/AVC Coding"; we'll leak this string if
+- // we don't free. Note that MP4Free checks for null.
+- MP4Free(value);
++ // we don't free. Note that this code checks for null before calling free and sets the pointer to null
++ // after freeing it, to prevent a double free in case an exception occurs before the value is reassigned.
++ MP4Free( value );
++ value = NULL;
+
+ if( m_useCountedFormat ) {
+ value = file.ReadCountedString( (m_useUnicode ? 2 : 1), m_useExpandedCount, m_fixedLength );
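Review bot: The rewritten comment above `MP4Free( value );` says "this code checks for null before calling free", but no null check is visible in the hunk; the removed comment attributed that check to MP4Free itself. Wording such as `// MP4Free() tolerates NULL; clear the slot so a throw from the read below cannot leave a freed pointer in m_values` would say who does what. `value` is a reference into `m_values`, so `value = NULL;` does clear the stored slot as intended. MP4StringProperty::Read starts and ends outside the hunk, so whether any other path frees `m_values[i]` without clearing it cannot be confirmed from here.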
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
new file mode 100644
index 000000000000..eb23926bb49d
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch
@@ -0,0 +1,60 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/9084868fd9f86bee118001c23171e832f15009f4
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+
+From 9084868fd9f86bee118001c23171e832f15009f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?=
+Date: Fri, 8 Nov 2019 02:01:32 +0000
+Subject: [PATCH] Fix v3 Integer underflow/overflow in MP4v2 2.0.0
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/16/1
+
+For the overflow, we could check the result of the integer multiplication:
+
+fix vulnerability where an atom list size is enormous
+and calculating the number of bytes needed to hold the list overflows
+https://github.com/TechSmith/mp4v2/pull/27/commits/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14326 and https://nvd.nist.gov/vuln/detail/CVE-2018-14446
+
+For the underflow, we could check if `dataSize >= hdrSize` satisfies:
+Throw exception when invalid atom size would cause integer underflow
+The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results. We throw an exception to stop the code from going any further.
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325
+Based on https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451
+---
+ src/mp4array.h | 2 ++
+ src/mp4atom.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mp4array.h b/src/mp4array.h
+index c49d59b..69d470a 100644
+--- a/src/mp4array.h
++++ b/src/mp4array.h
+@@ -102,6 +102,8 @@ class MP4Array {
+ void Resize(MP4ArrayIndex newSize) { \
+ m_numElements = newSize; \
+ m_maxNumElements = newSize; \
++ if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \
++ throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \
+ m_elements = (type*)MP4Realloc(m_elements, \
+ m_maxNumElements * sizeof(type)); \
+ } \
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 7a0a53f..f5d5dc0 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -143,6 +143,12 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom)
+ dataSize = file.GetSize() - pos;
+ }
+
++ if(dataSize < hdrSize) {
++ ostringstream oss;
++ oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast( hdrSize );
++ log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() );
++ throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ );
++ }
+ dataSize -= hdrSize;
+
+ log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u",
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
new file mode 100644
index 000000000000..487dc709af39
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14379.patch
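Review bot: In `Resize` the new size check runs after `m_numElements = newSize;` and `m_maxNumElements = newSize;`, so when it throws, the array already reports the rejected size while `m_elements` still points at the old allocation. Code that catches the exception and keeps using the array, or cleanup that trusts `m_numElements`, could then index past the buffer; what happens after the throw is not visible here, so treat that as a risk to confirm. Moving the check ahead of both assignments and testing the argument, `if ( (uint64_t) newSize * sizeof(type) > 0xFFFFFFFF ) \` followed by the same `throw`, keeps the object consistent on the error path. The `dataSize < hdrSize` guard in `MP4Atom::ReadAtom` sits correctly before the subtraction; both functions extend beyond their hunks.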
@@ -0,0 +1,33 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/bb920de948c85e3db4a52292ac7250a50e3bfc86
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From bb920de948c85e3db4a52292ac7250a50e3bfc86 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?=
+Date: Sat, 2 Nov 2019 04:19:27 +0000
+Subject: [PATCH] Fix v2 Type confusion in MP4v2 2.0.0
+
+The bug is caused by the wrong assumption that the child of an `ilst`
+can never be an `ilst`. So we could fix it by simply adding an ASSERT.
+
+Reference: https://www.openwall.com/lists/oss-security/2018/07/17/1
+Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14379
+---
+ src/mp4atom.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp
+index 520cbc8..7a0a53f 100644
+--- a/src/mp4atom.cpp
++++ b/src/mp4atom.cpp
+@@ -778,8 +778,10 @@ MP4Atom::factory( MP4File &file, MP4Atom* parent, const char* type )
+ const char* const ptype = parent->GetType();
+
+ if( descendsFrom( parent, "ilst" )) {
+- if( ATOMID( ptype ) == ATOMID( "ilst" ))
++ if( ATOMID( ptype ) == ATOMID( "ilst" )) {
++ ASSERT(ATOMID( type ) != ATOMID( "ilst" ));
+ return new MP4ItemAtom( file, type );
++ }
+
+ if( ATOMID( type ) == ATOMID( "data" ))
+ return new MP4DataAtom(file);
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
new file mode 100644
index 000000000000..e7bea4e1dee1
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14403.patch
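Review bot: The rejection of a nested `ilst` is written as `ASSERT(ATOMID( type ) != ATOMID( "ilst" ));`, which makes validation of file-controlled data depend on how the `ASSERT` macro is defined in this tree. That definition is not part of the hunk; if it can be compiled out (for example under `NDEBUG`), the type-confusion path is open again in release builds, so it should be checked. An explicit `if( ATOMID( type ) == ATOMID( "ilst" )) throw new Exception( "ilst atom nested in ilst", __FILE__, __LINE__, __FUNCTION__ );` would state the intent as input rejection rather than an internal invariant. `MP4Atom::factory` continues outside the hunk.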
@@ -0,0 +1,28 @@
+Upstream: https://github.com/sergiomb2/libmp4v2/commit/a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b
+Gentoo Bug: https://bugs.gentoo.org/661582
+
+From a94a3372c6ef66a2276cc6cd92f7ec07a9c8bb6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?=
+Date: Wed, 17 Oct 2018 16:13:06 +0100
+Subject: [PATCH] Fix Out-of-bounds memory access in MP4v2 2.0.0
+
+The bug can be fixed by more checks when doing type comparison.
+Reference: https://www.openwall.com/lists/oss-security/2018/07/18/3
+
+Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403
+---
+ src/mp4util.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/mp4util.cpp b/src/mp4util.cpp
+index 47bd74e..696dab4 100644
+--- a/src/mp4util.cpp
++++ b/src/mp4util.cpp
+@@ -46,6 +46,7 @@ bool MP4NameFirstMatches(const char* s1, const char* s2)
+ s1++;
+ s2++;
+ }
++ if(*s2 != '[' && *s2 != '.' && *s2 != '\0') return false;
+ return true;
+ }
+
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-unsigned-int-cast.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-unsigned-int-cast.patch
new file mode 100644
index 000000000000..25830bc596be
--- /dev/null
+++ b/media-libs/libmp4v2/files/libmp4v2-2.0.0-unsigned-int-cast.patch
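Review bot: The added line `if(*s2 != '[' && *s2 != '.' && *s2 != '\0') return false;` in `MP4NameFirstMatches` carries no comment, and the reason for exactly these three terminators is not evident from the visible code. A line above it such as `// s2 must end its first name component here ('.', '[' or end of string); a longer name sharing a prefix is not a match` would record the intent; the wording should be confirmed against the loop condition, which lies outside the hunk. Without that note a later cleanup could easily drop the check as redundant with the loop.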
@@ -0,0 +1,96 @@
+From a5ca35b044bbf13c0b16f0066bf24646604bb218 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Thu, 6 Aug 2020 15:22:04 +0200
+Subject: [PATCH] Static cast to unsigned int for cases
+
+Signed-off-by: Jason A. Donenfeld
+---
+ libutil/Utility.cpp | 2 +-
+ util/mp4art.cpp | 2 +-
+ util/mp4chaps.cpp | 2 +-
+ util/mp4file.cpp | 2 +-
+ util/mp4subtitle.cpp | 2 +-
+ util/mp4track.cpp | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libutil/Utility.cpp b/libutil/Utility.cpp
+index 76cdd12..d6739d4 100644
+--- a/libutil/Utility.cpp
++++ b/libutil/Utility.cpp
+@@ -493,7 +493,7 @@ Utility::process_impl()
+ if( codes.find( code ) == codes.end() )
+ continue;
+
+- switch( code ) {
++ switch( static_cast( code ) ) {
+ case 'z':
+ _optimize = true;
+ break;
+diff --git a/util/mp4art.cpp b/util/mp4art.cpp
+index add935e..6e7f531 100644
+--- a/util/mp4art.cpp
++++ b/util/mp4art.cpp
+@@ -376,7 +376,7 @@ ArtUtility::utility_option( int code, bool& handled )
+ {
+ handled = true;
+
+- switch( code ) {
++ switch( static_cast ( code ) ) {
+ case LC_ART_ANY:
+ _artFilter = numeric_limits::max();
+ break;
+diff --git a/util/mp4chaps.cpp b/util/mp4chaps.cpp
+index 98400f8..ccc8b70 100644
+--- a/util/mp4chaps.cpp
++++ b/util/mp4chaps.cpp
+@@ -632,7 +632,7 @@ ChapterUtility::utility_option( int code, bool& handled )
+ {
+ handled = true;
+
+- switch( code ) {
++ switch( static_cast ( code ) ) {
+ case 'A':
+ case LC_CHPT_ANY:
+ _ChapterType = MP4ChapterTypeAny;
+diff --git a/util/mp4file.cpp b/util/mp4file.cpp
+index c27844b..b127cd1 100644
+--- a/util/mp4file.cpp
++++ b/util/mp4file.cpp
+@@ -189,7 +189,7 @@ FileUtility::utility_option( int code, bool& handled )
+ {
+ handled = true;
+
+- switch( code ) {
++ switch( static_cast( code ) ) {
+ case LC_LIST:
+ _action = &FileUtility::actionList;
+ break;
+diff --git a/util/mp4subtitle.cpp b/util/mp4subtitle.cpp
+index 7462153..19d977d 100644
+--- a/util/mp4subtitle.cpp
++++ b/util/mp4subtitle.cpp
+@@ -164,7 +164,7 @@ SubtitleUtility::utility_option( int code, bool& handled )
+ {
+ handled = true;
+
+- switch( code ) {
++ switch( static_cast( code ) ) {
+ case LC_LIST:
+ _action = &SubtitleUtility::actionList;
+ break;
+diff --git a/util/mp4track.cpp b/util/mp4track.cpp
+index d550506..cd63d7e 100644
+--- a/util/mp4track.cpp
++++ b/util/mp4track.cpp
+@@ -788,7 +788,7 @@ TrackUtility::utility_option( int code, bool& handled )
+ {
+ handled = true;
+
+- switch( code ) {
++ switch( static_cast( code ) ) {
+ case LC_TRACK_WILDCARD:
+ _trackMode = TM_WILDCARD;
+ break;
+--
+2.28.0
+
diff --git a/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
new file mode 100644
index 000000000000..aff5b31e231a
--- /dev/null
+++ b/media-libs/libmp4v2/libmp4v2-2.0.0-r2.ebuild
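Review bot: Unlike the four CVE patches added alongside it, this patch file starts directly at `From a5ca35b044bbf13c0b16f0066bf24646604bb218` and has no `Upstream:` or `Gentoo Bug:` header, so its origin and the reason for carrying it cannot be traced from the tree. Adding header lines in the same form, `Upstream: <upstream commit or PR URL>` and `Gentoo Bug: <bug URL>` (placeholders; the real references are not on this page), would keep provenance consistent across the patch set. The patch description also gives no rationale for switching on a cast value in the six `switch( … code … )` statements; one sentence on the build or behaviour problem it addresses would let a reviewer judge whether negative `code` values matter here.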
@@ -0,0 +1,53 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+MY_P=${P/lib}
+
+inherit libtool
+
+DESCRIPTION="Functions for accessing ISO-IEC:14496-1:2001 MPEG-4 standard"
+HOMEPAGE="https://code.google.com/p/mp4v2/"
+SRC_URI="https://mp4v2.googlecode.com/files/${MY_P}.tar.bz2"
+
+LICENSE="MPL-1.1"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x86-solaris"
+IUSE="static-libs utils"
+# Tests need DejaGnu but are non-existent (just an empty framework)
+RESTRICT="test"
+
+BDEPEND="utils? ( sys-apps/help2man )"
+
+DOCS=( doc/{Authors,BuildSource,Documentation,ReleaseNotes,ToolGuide}.txt README )
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-gcc7.patch"
+ "${FILESDIR}/${P}-mp4tags-corruption.patch"
+ "${FILESDIR}/${P}-clang.patch"
+ "${FILESDIR}/${P}-CVE-2018-14054.patch"
+ "${FILESDIR}/${P}-CVE-2018-14325.patch"
+ "${FILESDIR}/${P}-CVE-2018-14379.patch"
+ "${FILESDIR}/${P}-CVE-2018-14403.patch"
+ "${FILESDIR}/${P}-unsigned-int-cast.patch"
+)
+
+src_prepare() {
+ default
+ elibtoolize
+}
+
+src_configure() {
+ econf \
+ --disable-gch \
+ $(use_enable utils util) \
+ $(use_enable static-libs static)
+}
+
+src_install() {
+ default
+ find "${D}" -name '*.la' -delete || die
+}
-- cgit v1.2.3
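Review bot: The `PATCHES` entry `"${FILESDIR}/${P}-CVE-2018-14325.patch"` also carries the fixes that its own description attributes to CVE-2018-14326 and CVE-2018-14446, and nothing in the ebuild records that. A comment above that entry, for example `# also covers CVE-2018-14326 and CVE-2018-14446 (see patch header)`, would let someone auditing the package for those identifiers find the fix without opening the patch. With `RESTRICT="test"` and, per the comment above it, no usable upstream test suite, none of the five new patches is exercised at build time, so their correctness rests on review of the patch files alone.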