libvorbis: add patch for CVE-2017-14632 and CVE-2017-14633
authorTed Hess <thess@kitschensync.net>
Sat, 10 Feb 2018 14:34:54 +0000 (09:34 -0500)
committerTed Hess <thess@kitschensync.net>
Sat, 10 Feb 2018 14:38:59 +0000 (09:38 -0500)
Signed-off-by: Ted Hess <thess@kitschensync.net>
libs/libvorbis/Makefile
libs/libvorbis/patches/100-CVE-2017-14632-CVE-2017-14633.patch [new file with mode: 0644]

index 653f0910018c6dc7ac074fb73ac2558944cf9d9e..550954e0292db4e3b14b2f5680960c19cf6af0bc 100644 (file)
@@ -1,6 +1,4 @@
 #
-# Copyright (C) 2008-2015 OpenWrt.org
-#
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
@@ -9,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libvorbis
 PKG_VERSION:=1.3.5
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://downloads.xiph.org/releases/vorbis/
diff --git a/libs/libvorbis/patches/100-CVE-2017-14632-CVE-2017-14633.patch b/libs/libvorbis/patches/100-CVE-2017-14632-CVE-2017-14633.patch
new file mode 100644 (file)
index 0000000..84601ff
--- /dev/null
@@ -0,0 +1,12 @@
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -583,7 +583,8 @@ int vorbis_analysis_headerout(vorbis_dsp
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+-  if(!b||vi->channels<=0){
++  if(!b||vi->channels<=0||vi->channels>255){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
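Review bot: The embedded patch starts directly at `--- a/lib/info.c` with no header, so nothing in the file records which upstream commits it backports or which of the two changed lines answers which CVE named in the filename. I would add a short description block above the `---` line giving the origin (for example `Origin: upstream libvorbis, commit <UPSTREAM_COMMIT_ID>`) and one line per CVE. The `b = NULL;` assignment should also be explained there, since its purpose depends on the `err_out` cleanup, which lies outside the hunk; presumably it stops that path from touching backend state that was never fully set up. It is also worth checking the `vi->channels>255` bound against the upstream fix, because a backport whose limit differs from upstream is harder to audit later.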