sox-devel@lists.sourceforge.net unofficial mirror
 help / color / mirror / Atom feed
* New CVE bug
@ 2017-11-20  9:17 Jaromír Mikeš
  2017-11-20 11:05 ` [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642) Mans Rullgard
  0 siblings, 1 reply; 3+ messages in thread
From: Jaromír Mikeš @ 2017-11-20  9:17 UTC (permalink / raw)
  To: sox-devel, Måns Rullgård, Eric Wong


[-- Attachment #1.1: Type: text/plain, Size: 320 bytes --]

Hi there,

there is some new CVE security bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882144
https://sourceforge.net/p/sox/bugs/298/

can you also check some other bugs in debian can be closed by 14.4.2
release please?

https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=sox

best regards

mira

[-- Attachment #1.2: Type: text/html, Size: 1080 bytes --]

[-- Attachment #2: Type: text/plain, Size: 202 bytes --]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

[-- Attachment #3: Type: text/plain, Size: 158 bytes --]

_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642)
  2017-11-20  9:17 New CVE bug Jaromír Mikeš
@ 2017-11-20 11:05 ` Mans Rullgard
  2017-11-20 12:22   ` Jaromír Mikeš
  0 siblings, 1 reply; 3+ messages in thread
From: Mans Rullgard @ 2017-11-20 11:05 UTC (permalink / raw)
  To: sox-devel

This fixes a use after free and double free if an empty comment
chunk follows a non-empty one.
---
 src/aiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/aiff.c b/src/aiff.c
index e34286be0a97..197ccd4e5d20 100644
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -63,7 +63,6 @@ int lsx_aiffstartread(sox_format_t * ft)
   size_t ssndsize = 0;
   char *annotation;
   char *author;
-  char *comment = NULL;
   char *copyright;
   char *nametext;
 
@@ -271,6 +270,7 @@ int lsx_aiffstartread(sox_format_t * ft)
       free(annotation);
     }
     else if (strncmp(buf, "COMT", (size_t)4) == 0) {
+      char *comment = NULL;
       rc = commentChunk(&comment, "Comment:", ft);
       if (rc) {
         /* Fail already called in function */
-- 
2.15.0


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642)
  2017-11-20 11:05 ` [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642) Mans Rullgard
@ 2017-11-20 12:22   ` Jaromír Mikeš
  0 siblings, 0 replies; 3+ messages in thread
From: Jaromír Mikeš @ 2017-11-20 12:22 UTC (permalink / raw)
  To: sox-devel


[-- Attachment #1.1: Type: text/plain, Size: 1403 bytes --]

2017-11-20 12:05 GMT+01:00 Mans Rullgard <mans@mansr.com>:

> This fixes a use after free and double free if an empty comment
> chunk follows a non-empty one.
> ---
>  src/aiff.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/aiff.c b/src/aiff.c
> index e34286be0a97..197ccd4e5d20 100644
> --- a/src/aiff.c
> +++ b/src/aiff.c
> @@ -63,7 +63,6 @@ int lsx_aiffstartread(sox_format_t * ft)
>    size_t ssndsize = 0;
>    char *annotation;
>    char *author;
> -  char *comment = NULL;
>    char *copyright;
>    char *nametext;
>
> @@ -271,6 +270,7 @@ int lsx_aiffstartread(sox_format_t * ft)
>        free(annotation);
>      }
>      else if (strncmp(buf, "COMT", (size_t)4) == 0) {
> +      char *comment = NULL;
>        rc = commentChunk(&comment, "Comment:", ft);
>        if (rc) {
>>
>> 2.15.0
>
>
>>
>>
>> ------------------------------------------------------------------------------
>
> Check out the vibrant tech community on one of the world's most
>
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> _______________________________________________
>
> SoX-devel mailing list
>
> SoX-devel@lists.sourceforge.net
>
> https://lists.sourceforge.net/lists/listinfo/sox-devel
>
>          /* Fail already called in function */
> --
>

​Thank you! Applied in debian repo.

best regards

mira​

[-- Attachment #1.2: Type: text/html, Size: 3681 bytes --]

[-- Attachment #2: Type: text/plain, Size: 202 bytes --]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

[-- Attachment #3: Type: text/plain, Size: 158 bytes --]

_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-11-20 12:23 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-20  9:17 New CVE bug Jaromír Mikeš
2017-11-20 11:05 ` [PATCH] aiff: fix crash on empty comment chunk (CVE-2017-15642) Mans Rullgard
2017-11-20 12:22   ` Jaromír Mikeš

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).