fix CVE-2017-11550
parent
3e2056a2a4
commit
1816783f61
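--- a/CVE-2017-11550.patch
+++ b/CVE-2017-11550.patch
@@ -0,0 +1,42 @@
+References: https://sources.debian.org/src/libid3tag/0.15.1b-13/debian/patches/11_unknown_encoding.dpatch/
+From: Karol Babioch <kbabioch@suse.com>
+Date: Wed Feb 21 13:23:47 CET 2018
+Upstream: dead
+Subject: Fix unknown encoding when parsing ID3 tags
+
+Fixes the handling of unknown encodings when parsing ID3 tags. (CVE-2017-11550 bsc#1081962 CVE-2008-2109 bsc#387731)
+
+---
+compat.gperf | 3 +++
+parse.c | 4 ++++
+2 files changed, 7 insertions(+)
+
+Index: libid3tag-0.15.1b/compat.gperf
+===================================================================
+--- libid3tag-0.15.1b.orig/compat.gperf
++++ libid3tag-0.15.1b/compat.gperf
+@@ -241,6 +241,9 @@ int id3_compat_fixup(struct id3_tag *tag
+encoding = id3_parse_uint(&data, 1);
+string = id3_parse_string(&data, end - data, encoding, 0);
+
++ if (!string)
++ continue;
++
+if (id3_ucs4_length(string) < 4) {
+free(string);
+continue;
+Index: libid3tag-0.15.1b/parse.c
+===================================================================
+--- libid3tag-0.15.1b.orig/parse.c
++++ libid3tag-0.15.1b/parse.c
+@@ -165,6 +165,10 @@ id3_ucs4_t *id3_parse_string(id3_byte_t
+case ID3_FIELD_TEXTENCODING_UTF_8:
+ucs4 = id3_utf8_deserialize(ptr, length);
+break;
++
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+}
+
+if (ucs4 && !full) {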
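Review bot: In the parse.c hunk of the embedded patch, the new `default:` arm of id3_parse_string returns NULL silently and keeps a FIXME, so the "NULL on unknown encoding" contract is undocumented and only the id3_compat_fixup call site in the compat.gperf hunk is shown gaining a check. The encoding byte is read from the tag data (`id3_parse_uint(&data, 1)`), i.e. from file input, so any other caller of id3_parse_string that passes the result to id3_ucs4_length or dereferences it would presumably still be exposed; those callers are not visible here and should be audited. I would replace the FIXME with `/* unknown text encoding: return NULL, callers must check before use */`. Both functions start and end outside the hunks shown.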
@ -1,12 +1,13 @@
|
||||
Name: libid3tag
|
||||
Version: 0.15.1b
|
||||
Release: 19
|
||||
Release: 20
|
||||
Summary: ID3 tag manipulation library
|
||||
License: GPLv2+
|
||||
URL: http://www.underbit.com/products/mad/
|
||||
Source0: http://downloads.sourceforge.net/mad/%{name}-%{version}.tar.gz
|
||||
Patch0: libid3tag-0.15.1b-fix_overflow.patch
|
||||
Patch6000: CVE-2004-2779.patch
|
||||
Patch6001: CVE-2017-11550.patch
|
||||
BuildRequires: zlib-devel >= 1.1.4 libtool
|
||||
|
||||
%description
|
||||
@ -24,6 +25,7 @@ ID3 tag library development files.
|
||||
%setup -q
|
||||
%patch0 -p0 -b .CVE-2008-2109
|
||||
%patch6000 -p1
|
||||
%patch6001 -p1
|
||||
touch NEWS AUTHORS ChangeLog
|
||||
autoreconf -i -f
|
||||
|
||||
@ -69,6 +71,12 @@ install -Dpm 644 %{name}.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/id3tag.pc
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Mar 20 2020 lingsheng<lingsheng@huawei.com> - 0.15.1b-20
|
||||
- Type:cves
|
||||
- ID:CVE-2017-11550
|
||||
- SUG:restart
|
||||
- DESC: fix CVE-2017-11550
|
||||
|
||||
* Tue Dec 24 2019 daiqianwen<daiqianwen@huawei.com> - 0.15.1b-19
|
||||
- Type:cves
|
||||
- ID:CVE-2004-2779
|
||||
|
||||