diff --git a/CVE-2023-43361.patch b/CVE-2023-43361.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf3a98919610ebee8a66abd131dc9fc458fe1083
--- /dev/null
+++ b/CVE-2023-43361.patch
@@ -0,0 +1,63 @@
+From 69dfbe06ce02e6199444245397acf79fb6857b4c Mon Sep 17 00:00:00 2001
+From: Ralph Giles
+Date: Sun, 17 Sep 2023 11:49:12 -0700
+Subject: [PATCH] oggenc: Don't assume the output path ends in a file name.
+
+Origin: https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7
+
+oggenc attempts to create any specified directories in the output
+file path if they don't exist. The parser was assuming there was
+a final filename after the last directory separator, and so would
+try to read off the end of the argument if it was a bare directory
+such as `./` or `outdir/`. This adds a check to make sure the
+scan isn't starting off the end of the path string.
+
+Thanks to Frank-Z7 (Zeng Yunxiang) at Huazhong University of Science
+and Technology (cse.hust.edu.cn) for the report.
+---
+ oggenc/platform.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/oggenc/platform.c b/oggenc/platform.c
+index 6d9f4ef..ee0b7ce 100644
+--- a/oggenc/platform.c
++++ b/oggenc/platform.c
+@@ -136,18 +136,23 @@ int create_directories(char *fn, int isutf8)
+ {
+ char *end, *start;
+ struct stat statbuf;
+- char *segment = malloc(strlen(fn)+1);
++ const size_t fn_len = strlen(fn);
++ char *segment = malloc(fn_len+1);
+ #ifdef _WIN32
+ wchar_t seg[MAX_PATH+1];
+ #endif
+
+ start = fn;
+ #ifdef _WIN32
+- if(strlen(fn) >= 3 && isalpha(fn[0]) && fn[1]==':')
++ // Strip drive prefix
++ if(fn_len >= 3 && isalpha(fn[0]) && fn[1]==':') {
+ start = start+2;
++ }
+ #endif
+
+- while((end = strpbrk(start+1, PATH_SEPS)) != NULL)
++ // Loop through path segments, creating directories if necessary
++ while((start+1 - fn < fn_len) &&
++ (end = strpbrk(start+1, PATH_SEPS)) != NULL)
+ {
+ int rv;
+ memcpy(segment, fn, end-fn);
+@@ -159,7 +164,7 @@ int create_directories(char *fn, int isutf8)
+ rv = _wstat(seg,&statbuf);
+ } else
+ #endif
+- rv = stat(segment,&statbuf);
++ rv = stat(segment, &statbuf);
+ if(rv) {
+ if(errno == ENOENT) {
+ #ifdef _WIN32
+-- 
+GitLab + diff --git a/vorbis-tools.spec b/vorbis-tools.spec index bc868cddcc8fbd6bc98bc88c6414cc26afff149d..534594c61017d1b8e39a39529a1f192efacd3172 100644 --- a/vorbis-tools.spec +++ b/vorbis-tools.spec @@ -1,7 +1,7 @@ Name: vorbis-tools Summary: Several Ogg Vorbis Tools Version: 1.4.0 -Release: 32 +Release: 33 Epoch: 1 License: GPLv2 URL: http://www.xiph.org/ @@ -15,6 +15,7 @@ Patch4: vorbis-tools-1.4.0-bz1185558.patch Patch5: vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch Patch6: vorbis-tools-1.4.0-CVE-2015-6749.patch Patch7: CVE-2014-9640.patch +Patch8: CVE-2023-43361.patch BuildRequires: flac-devel gettext gcc libao-devel libcurl-devel libvorbis-devel speex-devel chrpath @@ -56,6 +57,9 @@ chrpath -d %{buildroot}%{_bindir}/* %exclude %{_docdir}/%{name}* %changelog +* Thu Oct 24 2024 wangkai <13474090681@163.com> - 1:1.4.0-33 +- Fix CVE-2023-43361 + * Tue Oct 10 2023 wangkai <13474090681@163.com> - 1:1.4.0-32 - Remove rpath
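Review bot: The `malloc(fn_len+1)` result in create_directories is still used unchecked: the first hunk of the embedded patch runs from the allocation straight to `memcpy(segment, fn, end-fn)` with no NULL test in between, so an allocation failure becomes a NULL-pointer write while processing the output path argument. A guard such as `if(segment == NULL) return -1;` right after the allocation would close that, assuming -1 is this function's failure value, which the hunk does not show. The new bound `start+1 - fn < fn_len` also compares a signed pointer difference with a `size_t`; it is safe only because `start` never precedes `fn`, and writing it as `(size_t)(start+1 - fn) < fn_len` would make that explicit and keep -Wsign-compare quiet. The function body continues past the end of both hunks, so the loop's advance of `start` and the release of `segment` are not visible here.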