Fix CVE-2023-43641

(cherry picked from commit 189bfb1c9e4ba146b389e96b7de5bc7a17585890)
2023-10-10 15:52:04 +08:00 · 2023-10-10 15:52:04 +08:00 · 8e2040da76
commit 8e2040da76
parent 44a1acb35e
2 changed files with 34 additions and 1 deletions
--- a/backport-CVE-2023-43641.patch
+++ b/backport-CVE-2023-43641.patch
@ -0,0 +1,27 @@
+From fdf72c8bded8d24cfa0608b8e97f2eed210a920e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 27 Sep 2023 20:22:43 +0100
+Subject: [PATCH] Check that the array index isn't negative. This fixes
+ CVE-2023-43641.
+
+Signed-off-by: Kevin Backhouse <kevinbackhouse@github.com>
+---
+ cd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
+++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+ 
+ void track_set_index(Track *track, int i, long ind)
+ {
+-	if (i > MAXINDEX) {
+	if (i < 0 || i > MAXINDEX) {
+ 		fprintf(stderr, "too many indexes\n");
+                 return;
+         }
+-- 
+2.41.0.windows.3
+
--- a/libcue.spec
+++ b/libcue.spec
@ -1,11 +1,14 @@
 Name:		libcue
 Version:	2.2.1
-Release:	1
+Release:	2
 Summary:	Cue sheet parser library

 License:	GPLv2 and BSD
 URL:		https://github.com/lipnitsk/%{name}
 Source0:	https://github.com/lipnitsk/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+
+Patch0:    backport-CVE-2023-43641.patch
+
 BuildRequires:	bison
 BuildRequires:	cmake
 BuildRequires:	flex
@ -60,5 +63,8 @@ make test
 %{_libdir}/pkgconfig/%{name}.pc

 %changelog
+* Tue Oct 10 2023 liningjie <liningjie@xfusion.com> - 2.2.1-2
+- Fix CVE-2023-43641
+
 * Thu May 13 2021 He Rengui <herengui@uniontech.com> - 2.2.1-1
 - packge init