CVS commit: pkgsrc/www/seamonkey

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/seamonkey
From: "Maya Rashish" <maya%netbsd.org@localhost>
Date: Fri, 16 Mar 2018 23:25:56 +0000

Module Name:    pkgsrc
Committed By:   maya
Date:           Fri Mar 16 23:25:56 UTC 2018

Modified Files:
        pkgsrc/www/seamonkey: Makefile distinfo
Added Files:
        pkgsrc/www/seamonkey/patches: patch-CVE-2018-5146

Log Message:
seamonkey: apply patch from firefox52 to fix CVE-2018-5146
remote code execution via ogg files.

Note firefox52 nor this patches tremor, so the vulnerability still exists
for ARM (which uses tremor rather than vorbis).

Blind commit. I don't have the resources to build so many firefoxes.
However it is based off firefox52.

PKGREVISION++


To generate a diff of this commit:
cvs rdiff -u -r1.171 -r1.172 pkgsrc/www/seamonkey/Makefile
cvs rdiff -u -r1.148 -r1.149 pkgsrc/www/seamonkey/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/seamonkey/patches/patch-CVE-2018-5146

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/seamonkey/Makefile
diff -u pkgsrc/www/seamonkey/Makefile:1.171 pkgsrc/www/seamonkey/Makefile:1.172
--- pkgsrc/www/seamonkey/Makefile:1.171 Mon Mar 12 11:17:47 2018
+++ pkgsrc/www/seamonkey/Makefile       Fri Mar 16 23:25:56 2018
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.171 2018/03/12 11:17:47 wiz Exp $
+# $NetBSD: Makefile,v 1.172 2018/03/16 23:25:56 maya Exp $
 
 DISTNAME=      seamonkey-${SM_VER}.source
 PKGNAME=       seamonkey-${SM_VER:S/b/beta/}
-PKGREVISION=   1
+PKGREVISION=   2
 SM_VER=                2.49.2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_MOZILLA:=seamonkey/releases/${SM_VER}/source/}

Index: pkgsrc/www/seamonkey/distinfo
diff -u pkgsrc/www/seamonkey/distinfo:1.148 pkgsrc/www/seamonkey/distinfo:1.149
--- pkgsrc/www/seamonkey/distinfo:1.148 Sat Mar  3 22:14:41 2018
+++ pkgsrc/www/seamonkey/distinfo       Fri Mar 16 23:25:56 2018
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.148 2018/03/03 22:14:41 ryoon Exp $
+$NetBSD: distinfo,v 1.149 2018/03/16 23:25:56 maya Exp $
 
 SHA1 (seamonkey-2.49.2.source.tar.xz) = 843ff7e74e488d03bdbf72237a1973c50887494b
 RMD160 (seamonkey-2.49.2.source.tar.xz) = 9f79789a5d44985d96f8549f537ad01f23c1fc2c
 SHA512 (seamonkey-2.49.2.source.tar.xz) = 6f69f7fb0a2de8086231b615b62b350edf6c903d2fde90ee4c79e316cfcf5a413097df9afe1397dbfe680e264f6be14c2c147be7ba11c5dbd73a1e9e01b8857e
 Size (seamonkey-2.49.2.source.tar.xz) = 229980312 bytes
+SHA1 (patch-CVE-2018-5146) = 121d8511b4aef0a784ae12d12c35cd4282c9ab83
 SHA1 (patch-ao) = e466058ed1899a64a9ab5b57290ff2baad1ea03c
 SHA1 (patch-ldap_c-sdk_include_portable.h) = ce0b643fa031b74bf7d74eedc4f3729807aef799
 SHA1 (patch-mail_app_Makefile.in) = da6ac87ffdcff733f11218cb11f8ef316bb1bc18

Added files:

Index: pkgsrc/www/seamonkey/patches/patch-CVE-2018-5146
diff -u /dev/null pkgsrc/www/seamonkey/patches/patch-CVE-2018-5146:1.1
--- /dev/null   Fri Mar 16 23:25:56 2018
+++ pkgsrc/www/seamonkey/patches/patch-CVE-2018-5146    Fri Mar 16 23:25:56 2018
@@ -0,0 +1,82 @@
+$NetBSD: patch-CVE-2018-5146,v 1.1 2018/03/16 23:25:56 maya Exp $
+
+CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+
+--- mozilla/media/libvorbis/lib/vorbis_codebook.c.orig 2018-02-05 11:49:22.000000000 +0000
++++ mozilla/media/libvorbis/lib/vorbis_codebook.c
+@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *
+       t[i] = book->valuelist+entry[i]*book->dim;
+     }
+     for(i=0,o=0;i<book->dim;i++,o+=step)
+-      for (j=0;j<step;j++)
++      for (j=0;o+j<n && j<step;j++)
+         a[o+j]+=t[j][i];
+   }
+   return(0);
+@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *b
+     int i,j,entry;
+     float *t;
+ 
+-    if(book->dim>8){
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;)
+-          a[i++]+=t[j++];
+-      }
+-    }else{
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        j=0;
+-        switch((int)book->dim){
+-        case 8:
+-          a[i++]+=t[j++];
+-        case 7:
+-          a[i++]+=t[j++];
+-        case 6:
+-          a[i++]+=t[j++];
+-        case 5:
+-          a[i++]+=t[j++];
+-        case 4:
+-          a[i++]+=t[j++];
+-        case 3:
+-          a[i++]+=t[j++];
+-        case 2:
+-          a[i++]+=t[j++];
+-        case 1:
+-          a[i++]+=t[j++];
+-        case 0:
+-          break;
+-        }
+-      }
++    for(i=0;i<n;){
++      entry = decode_packed_entry_number(book,b);
++      if(entry==-1)return(-1);
++      t     = book->valuelist+entry*book->dim;
++      for(j=0;i<n && j<book->dim;)
++        a[i++]+=t[j++];
+     }
+   }
+   return(0);
+@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *
+   long i,j,entry;
+   int chptr=0;
+   if(book->used_entries>0){
+-    for(i=offset/ch;i<(offset+n)/ch;){
++    int m=(offset+n)/ch;
++    for(i=offset/ch;i<m;){
+       entry = decode_packed_entry_number(book,b);
+       if(entry==-1)return(-1);
+       {
+         const float *t = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;j++){
++        for (j=0;i<m && j<book->dim;j++){
+           a[chptr++][i]+=t[j];
+           if(chptr==ch){
+             chptr=0;

Prev by Date: CVS commit: [pkgsrc-2017Q4] pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: [pkgsrc-2017Q4] pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index