| author | David Runge
<dvzrv@archlinux.org> 2025-08-25 19:54:27 UTC |
| committer | David Runge
<dvzrv@archlinux.org> 2025-08-25 19:54:27 UTC |
| parent | b85d957a09b93a7d063a6db565edf08d55f1e8fe |
| .SRCINFO | +2 | -0 |
| 14_CVE-2022-24599.patch | +83 | -0 |
| PKGBUILD | +3 | -1 |
| REUSE.toml | +1 | -0 |
diff --git a/.SRCINFO b/.SRCINFO index 288951b..6a51879 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -26,6 +26,7 @@ pkgbase = audiofile source = 11_CVE-2018-13440.patch source = 12_CVE-2018-17095.patch source = 13_CVE-2019-13147.patch + source = 14_CVE-2022-24599.patch sha512sums = f9a1182d93e405c21eba79c5cc40962347bff13f1b3b732d9a396e3d1675297515188bd6eb43033aaa00e9bde74ff4628c1614462456529cabba464f03c1d5fa sha512sums = ae11735970eaddb664251614743cb46ae029b4073f4f8ea7cd4570d50c0f4b7f7b426399901b011d1ea799bb99d4ac648e76be97f13a51e32d7a63f97b38a89f sha512sums = 76ce5a29beaa394f3a24e7db7c40864f26119857e78087b6780853d06d4f44e80656c418b2c99d95224d29b69c23c51c54a4c8edac5dbaa4038a9d6c1ef7be06 @@ -40,5 +41,6 @@ pkgbase = audiofile sha512sums = e29ab46b2edcbbeb048a7d9e6210d0faac8b75d9a48a663f62b37881e03d34fa97ffaa05d61da53b49404f60f0cadfcbbbb58438ae82af40dd37d0117bf8c631 sha512sums = ace83995606f900543f65ce6199fe1a69c757b7b37e92561be1c49c2f827676f888e36132ab3fedf3b9f77d4382ea933480fe326859c092aa95ba2c24e777363 sha512sums = bb60d5c90fcadd1790e873aaee10bfef458242c2767b242aefff64687ae00c3b82350284f7b327c296aba7770c78623ab1bffe06e4b289ca47cba99c809fa372 + sha512sums = 4c5a341e1d8e49a43041574be6f572d2352b2397a61a71259f64d20d49a61f8a3fef04149b13e2744982f3e86841a847dfc3e6eda6cc06eca3f5d6851038663f pkgname = audiofile diff --git a/14_CVE-2022-24599.patch b/14_CVE-2022-24599.patch new file mode 100644 index 0000000..9299f6e --- /dev/null +++ b/14_CVE-2022-24599.patch 
@@ -0,0 +1,83 @@
+commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
+Author: Bastien Roucariès <rouca@debian.org>
+Date: Sat Nov 11 15:58:50 2023 +0000
+
+ Fix CVE-2022-24599
+
+ Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+ with a user declared string.
+
+ Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+ for printf
+
+ Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+ Before under valgrind:
+ libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
+
+ Duration -inf seconds
+ ==896222== Invalid read of size 1
+ ==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
+ ==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+ ==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+ ==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
+ ==896222== by 0x10985C: printf (stdio2.h:86)
+ ==896222== by 0x10985C: printfileinfo (printinfo.c:134)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+ ==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
+ ==896222== by 0x109825: copyrightstring (printinfo.c:163)
+ ==896222== by 0x109825: printfileinfo (printinfo.c:131)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222==
+ Copyright C
+
+ After:
+ Duration -inf seconds
+ Copyright C
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+
+ static char *copyrightstring (AFfilehandle file);
+
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ int i, misccount;
+
+ misccount = afGetMiscIDs(file, NULL);
+- miscids = (int *) malloc(sizeof (int) * misccount);
++ if(!misccount)
++ return NULL;
++ miscids = (int *) 
calloc(misccount, sizeof(int));
++ if(!miscids)
++ return NULL;
+ afGetMiscIDs(file, miscids);
+
+ for (i=0; i<misccount; i++)
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+ If this code executes, the miscellaneous chunk is a
+ copyright chunk.
+ */
+- int datasize = afGetMiscSize(file, miscids[i]);
+- char *data = (char *) malloc(datasize);
++ size_t datasize = afGetMiscSize(file, miscids[i]);
++ if(datasize >= INT_MAX -1 ) {
++ goto error;
++ }
++ char *data = (char *) calloc(datasize + 1, 1);
+ afReadMisc(file, miscids[i], data, datasize);
+ copyright = data;
+ break;
+ }
+-
++error:
+ free(miscids);
+
+ return copyright;
diff --git a/PKGBUILD b/PKGBUILD
index 2634275..b67b3a8 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -35,6 +35,7 @@ source=(
 11_CVE-2018-13440.patch
 12_CVE-2018-17095.patch
 13_CVE-2019-13147.patch
+ 14_CVE-2022-24599.patch
 )
 sha512sums=('f9a1182d93e405c21eba79c5cc40962347bff13f1b3b732d9a396e3d1675297515188bd6eb43033aaa00e9bde74ff4628c1614462456529cabba464f03c1d5fa'
 'ae11735970eaddb664251614743cb46ae029b4073f4f8ea7cd4570d50c0f4b7f7b426399901b011d1ea799bb99d4ac648e76be97f13a51e32d7a63f97b38a89f'
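Review bot: The `calloc(datasize + 1, 1)` result on the `char *data` line is handed straight to `afReadMisc(file, miscids[i], data, datasize)` without a NULL check, while the `miscids` allocation a few lines earlier in the same patch is checked; add `if (!data) goto error;` right after it so an allocation failure takes the same cleanup path instead of passing a null buffer to the reader. The `INT_MAX -1` guard would also benefit from a one-line comment giving its reason, e.g. `/* datasize + 1 must still fit the int length afReadMisc takes; a negative afGetMiscSize return converts to a huge size_t and is rejected here as well */` — afGetMiscSize's return type is not visible in this hunk, so the second half of that comment should be confirmed against the header before it is written. The start of copyrightstring, including where `miscids` and `copyright` are declared and initialised, lies outside the hunk, so the `goto error` path returning a sane `copyright` value (presumably NULL) could not be verified here.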
@@ -49,7 +50,8 @@ sha512sums=('f9a1182d93e405c21eba79c5cc40962347bff13f1b3b732d9a396e3d16752975151 '234b0b520eebccc8e7782735615ad8fb2f7c03937da2b7dec0b091ca35b8a542d4e5c7ad22ed6715f019cdb36992838d7458ef58980bfb4fa80062e764d18ae2' 'e29ab46b2edcbbeb048a7d9e6210d0faac8b75d9a48a663f62b37881e03d34fa97ffaa05d61da53b49404f60f0cadfcbbbb58438ae82af40dd37d0117bf8c631' 'ace83995606f900543f65ce6199fe1a69c757b7b37e92561be1c49c2f827676f888e36132ab3fedf3b9f77d4382ea933480fe326859c092aa95ba2c24e777363' - 'bb60d5c90fcadd1790e873aaee10bfef458242c2767b242aefff64687ae00c3b82350284f7b327c296aba7770c78623ab1bffe06e4b289ca47cba99c809fa372') + 'bb60d5c90fcadd1790e873aaee10bfef458242c2767b242aefff64687ae00c3b82350284f7b327c296aba7770c78623ab1bffe06e4b289ca47cba99c809fa372' + '4c5a341e1d8e49a43041574be6f572d2352b2397a61a71259f64d20d49a61f8a3fef04149b13e2744982f3e86841a847dfc3e6eda6cc06eca3f5d6851038663f') prepare() { cd $pkgname-$pkgver diff --git a/REUSE.toml b/REUSE.toml index 3d41600..e129c27 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -36,6 +36,7 @@ path = [ "11_CVE-2018-13440.patch", "12_CVE-2018-17095.patch", "13_CVE-2019-13147.patch", + "14_CVE-2022-24599.patch", ] SPDX-FileCopyrightText = "audiofile contributors" SPDX-License-Identifier = "Apache-2.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later"