From 0253b6413b755ca553b0525d67eef4c2e58070e7 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 18 Mar 2025 16:28:39 +0800 Subject: [PATCH] Fix CVE-2025-2173,CVE-2025-2174,CVE-2025-2176 and CVE-2025-2177 (cherry picked from commit ec38b21d4ac51878e458486634e20295ee780574) --- CVE-2025-2173.patch | 35 ++++++ ...025-2174_CVE-2025-2176_CVE-2025-2177.patch | 116 ++++++++++++++++++ zvbi.spec | 7 +- 3 files changed, 157 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-2173.patch create mode 100644 CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch diff --git a/CVE-2025-2173.patch b/CVE-2025-2173.patch new file mode 100644 index 0000000..e5b2f9c --- /dev/null +++ b/CVE-2025-2173.patch @@ -0,0 +1,35 @@ +From 8def647eea27f7fd7ad33ff79c2d6d3e39948dce Mon Sep 17 00:00:00 2001 +From: Ileana Dumitrescu +Date: Mon, 10 Mar 2025 20:36:05 +0200 +Subject: [PATCH] src/conv.c: Check src_length to avoid an unitinialized heap + read + +--- + src/conv.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/conv.c b/src/conv.c +index 9a2a418..3099202 100644 +--- a/src/conv.c ++++ b/src/conv.c +@@ -578,8 +578,8 @@ strndup_iconv_from_ucs2 (unsigned long * out_size, + * @returns + * A pointer to the allocated buffer. You must free() the buffer + * when it is no longer needed. The function returns @c NULL when +- * the conversion fails, when it runs out of memory or when @a src +- * is @c NULL. ++ * the conversion fails, when it runs out of memory, src_length is ++ * set to zero, or when @a src is @c NULL. + * + * @since 0.2.23 + */ +@@ -593,6 +593,9 @@ vbi_strndup_iconv_ucs2 (const char * dst_codeset, + char *result; + unsigned long size; + ++ if (0 == src_length) ++ return NULL; ++ + buffer = strndup_iconv_from_ucs2 (&size, + dst_codeset, + src, src_length, diff --git a/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch b/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch new file mode 100644 index 0000000..903ed64 --- /dev/null 
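Review bot: The new @returns wording in the vbi_strndup_iconv_ucs2 comment, `src_length is set to zero`, reads as if the function assigns src_length; `or when @a src_length is zero` describes the added guard `if (0 == src_length) return NULL;` and matches the `@a src` style of the same sentence. Since a zero-length input now yields the same NULL as an out-of-memory or conversion failure, callers that treat NULL as a hard error will see it for empty input too; whether any caller distinguishes the two cases is not visible in this hunk. The body of vbi_strndup_iconv_ucs2 continues outside the hunk.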
+++ b/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch 
@@ -0,0 +1,116 @@ +From ca1672134b3e2962cd392212c73f44f8f4cb489f Mon Sep 17 00:00:00 2001 +From: Ileana Dumitrescu +Date: Mon, 10 Mar 2025 20:36:32 +0200 +Subject: [PATCH] src/conv.c, src/io-sim.c, src/search.c: Avoid integer + overflow leading to heap overflow + +--- + src/conv.c | 18 ++++++++++++++---- + src/io-sim.c | 5 ++++- + src/search.c | 13 ++++++++++--- + 3 files changed, 28 insertions(+), 8 deletions(-) + +diff --git a/src/conv.c b/src/conv.c +index 3099202..aa8fb8d 100644 +--- a/src/conv.c ++++ b/src/conv.c +@@ -338,7 +338,8 @@ vbi_strlen_ucs2 (const uint16_t * src) + * @returns + * A pointer to the allocated buffer. You must free() the buffer + * when it is no longer needed. The function returns @c NULL when +- * it runs out of memory, or when @a src is @c NULL. ++ * it runs out of memory, src_size is too large, or when @a src ++ * is @c NULL. + * + * @since 0.2.23 + */ +@@ -349,7 +350,11 @@ strndup_identity (unsigned long * out_size, + { + char *buffer; + +- buffer = vbi_malloc (src_size + 4); ++ unsigned long check_buffer_size = (src_size + 4); ++ if (src_size > check_buffer_size) ++ return NULL; ++ ++ buffer = vbi_malloc (check_buffer_size); + if (NULL == buffer) { + if (NULL != out_size) + *out_size = 0; +@@ -381,7 +386,8 @@ strndup_identity (unsigned long * out_size, + * @returns + * A pointer to the allocated buffer. You must free() the buffer + * when it is no longer needed. The function returns @c NULL when +- * it runs out of memory, or when @a src is @c NULL. ++ * it runs out of memory, src_length is too large, or when @a src ++ * is @c NULL. 
+ * + * @since 0.2.23 + */ +@@ -403,7 +409,11 @@ strndup_utf8_ucs2 (unsigned long * out_size, + if (src_length < 0) + src_length = vbi_strlen_ucs2 (src); + +- buffer = vbi_malloc (src_length * 3 + 1); ++ unsigned long check_buffer_size = (src_length * 3 + 1); ++ if (src_length > check_buffer_size) ++ return NULL; ++ ++ buffer = vbi_malloc (check_buffer_size); + if (NULL == buffer) + return NULL; + +diff --git a/src/io-sim.c b/src/io-sim.c +index 831c668..f5a48eb 100644 +--- a/src/io-sim.c ++++ b/src/io-sim.c +@@ -1898,7 +1898,10 @@ vbi_capture_sim_load_caption (vbi_capture * cap, + } + + if (b->size >= b->capacity) { +- if (!extend_buffer (b, b->capacity + 256)) ++ unsigned int check_buffer_size = (b->capacity + 256); ++ if (b->capacity > check_buffer_size) ++ return FALSE; ++ if (!extend_buffer (b, check_buffer_size)) + return FALSE; + } + +diff --git a/src/search.c b/src/search.c +index b325eed..f0feada 100644 +--- a/src/search.c ++++ b/src/search.c +@@ -2,7 +2,7 @@ + * libzvbi -- Teletext page cache search functions + * + * Copyright (C) 2000, 2001, 2002 Michael H. Schimek +- * Copyright (C) 2000, 2001 Iñaki G. Etxebarria ++ * Copyright (C) 2000, 2001 I�aki G. Etxebarria + * + * Originally based on AleVT 1.5.1 by Edgar Toernig + * +@@ -470,7 +470,8 @@ ucs2_strlen(const void *string) + * All this has yet to be addressed. + * + * @return +- * A vbi_search context or @c NULL on error. ++ * A vbi_search context or @c NULL on error or pattern string length ++ * is too large. + */ + vbi_search * + vbi_search_new(vbi_decoder *vbi, +@@ -490,7 +491,13 @@ vbi_search_new(vbi_decoder *vbi, + return NULL; + + if (!regexp) { +- if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) { ++ unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2); ++ if (pat_len > check_size) { ++ free(s); ++ return NULL; ++ } ++ ++ if (!(esc_pat = malloc(check_size))) { + free(s); + return NULL; + } diff --git a/zvbi.spec b/zvbi.spec index 809a06a..1a0d479 100644 --- a/zvbi.spec +++ b/zvbi.spec 
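Review bot: In the search.c hunk, `check_size` is declared `unsigned int` while `sizeof(ucs2_t) * pat_len * 2` is evaluated in size_t, so on LP64 the product is truncated before the `pat_len > check_size` comparison and `malloc(check_size)` receives the truncated value; a pat_len whose product exceeds UINT_MAX but whose low 32 bits still exceed pat_len passes the check and the allocation is too small for the pattern. Declaring `size_t check_size = sizeof(ucs2_t) * pat_len * 2;` and bounding the input before multiplying, `if (pat_len > SIZE_MAX / (sizeof(ucs2_t) * 2)) { free(s); return NULL; }`, removes both the truncation and the wrap. The strndup_utf8_ucs2 hunk has a related problem: `src_length * 3 + 1` is computed in src_length's signed type (the hunk tests `src_length < 0`) before it is stored into the unsigned `check_buffer_size`, so the overflow the check is meant to catch is undefined behaviour and the compiler is free to drop the comparison; multiply as `(unsigned long) src_length * 3 + 1` or bound src_length first. In strndup_identity the new early return leaves `*out_size` untouched, whereas the adjacent malloc-failure branch sets it to 0 when out_size is non-NULL, so the two failure paths should agree. The search.c hunk also rewrites the copyright line from `Iñaki` to a mis-encoded byte, an encoding artifact unrelated to the fix that should be dropped from the patch file before it is applied.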
@@ -1,6 +1,6 @@ Name: zvbi Version: 0.2.42 -Release: 3 +Release: 4 Summary: A library provides functions to capture and decode VBI data License: LGPLv2+ and GPLv2+ and BSD URL: https://github.com/zapping-vbi/zvbi @@ -8,6 +8,8 @@ Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch0001: %{name}-0.2.24-tvfonts.patch Patch0002: %{name}-0.2.25-openfix.patch +Patch0003: CVE-2025-2173.patch +Patch0004: CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch BuildRequires: gcc-c++ doxygen fontconfig gettext >= 0.21.0 libpng-devel BuildRequires: libICE-devel xorg-x11-font-utils systemd-units @@ -136,6 +138,9 @@ fi %{_mandir}/man1/* %changelog +* Tue Mar 18 2025 yaoxin <1024769339@qq.com> - 0.2.42-4 +- Fix CVE-2025-2173,CVE-2025-2174,CVE-2025-2176 and CVE-2025-2177 + * Sun Feb 04 2024 lvgenggeng 0.2.42-3 - move license file to prefered dir -- Gitee