From 8e2040da767da56b4681b27a997ecc5ccc430c6c Mon Sep 17 00:00:00 2001
From: liningjie
Date: Tue, 10 Oct 2023 15:52:04 +0800
Subject: [PATCH] Fix CVE-2023-43641

(cherry picked from commit 189bfb1c9e4ba146b389e96b7de5bc7a17585890)
---
 backport-CVE-2023-43641.patch | 27 +++++++++++++++++++++++++++
 libcue.spec | 8 +++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-43641.patch

diff --git a/backport-CVE-2023-43641.patch b/backport-CVE-2023-43641.patch
new file mode 100644
index 0000000..2104238
--- /dev/null
+++ b/backport-CVE-2023-43641.patch
@@ -0,0 +1,27 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
+--
+2.41.0.windows.3
+
diff --git a/libcue.spec b/libcue.spec
index 0ff99ef..03cc067 100644
--- a/libcue.spec
+++ b/libcue.spec
@@ -1,11 +1,14 @@
 Name: libcue
 Version: 2.2.1
-Release: 1
+Release: 2
 Summary: Cue sheet parser library
 License: GPLv2 and BSD
 URL: https://github.com/lipnitsk/%{name}
 Source0: https://github.com/lipnitsk/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+
+Patch0: backport-CVE-2023-43641.patch
+
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: flex
@@ -60,5 +63,8 @@ make test
 %{_libdir}/pkgconfig/%{name}.pc
 %changelog
+* Tue Oct 10 2023 liningjie - 2.2.1-2
+- Fix CVE-2023-43641
+
 * Thu May 13 2021 He Rengui - 2.2.1-1
 - packge init
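Review bot: The new `i < 0` case in track_set_index shares the "too many indexes" diagnostic with the upper-bound case, so a negative index from a malformed cue sheet is reported as if there were too many entries. A separate branch such as `if (i < 0) { fprintf(stderr, "negative index\n"); return; }` would let anyone triaging logs tell the two rejections apart. The function returns void, so callers cannot see that the write was refused. The embedded hunk shows neither the array declaration nor where `i` is parsed, so it is worth confirming that `i == MAXINDEX` is a valid slot and that the numeric conversion feeding this call cannot wrap. track_set_index's body continues outside the hunk.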
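Review bot: `Patch0: backport-CVE-2023-43641.patch` is declared in the first libcue.spec hunk, but neither spec hunk shows the `%prep` section, so nothing visible confirms the patch is applied at build time. If `%prep` uses plain `%setup` without a matching `%patch` line (rather than `%autosetup -p1`), the package would ship as 2.2.1-2 with a changelog claiming the CVE fix while cd.c stays unpatched. Confirm that `%prep` applies it, and consider a comment above the Patch0 line naming the upstream commit the backport comes from, e.g. `# upstream fdf72c8bded8: check that the array index isn't negative`.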