Fix security bug #255363 (CVE-2007-6720 and CVE-2009-0179).

(Portage version: 2.2_rc61/cvs/Linux x86_64)

4 files changed, 199 insertions, 2 deletions

diff --git a/media-libs/libmikmod/ChangeLog b/media-libs/libmikmod/ChangeLog
index b0cb170c63ca..1dcea4c95efe 100644
--- a/media-libs/libmikmod/ChangeLog
+++ b/media-libs/libmikmod/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for media-libs/libmikmod
-# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libmikmod/ChangeLog,v 1.62 2009/09/12 16:24:21 armin76 Exp $
+# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libmikmod/ChangeLog,v 1.63 2010/01/03 18:19:16 ssuominen Exp $
+
+*libmikmod-3.2.0_beta2-r1 (03 Jan 2010)
+
+  03 Jan 2010; Samuli Suominen <ssuominen@gentoo.org>
+  +libmikmod-3.2.0_beta2-r1.ebuild, +files/libmikmod-CVE-2007-6720.patch,
+  +files/libmikmod-CVE-2009-0179.patch:
+  Fix security bug #255363 (CVE-2007-6720 and CVE-2009-0179).
 
   12 Sep 2009; Raúl Porcel <armin76@gentoo.org> libmikmod-3.1.11-r5.ebuild:
   arm/ia64/sh/sparc stable wrt #278857
diff --git a/media-libs/libmikmod/files/libmikmod-CVE-2007-6720.patch b/media-libs/libmikmod/files/libmikmod-CVE-2007-6720.patch
new file mode 100644
index 000000000000..45cc355aee43
--- /dev/null
+++ b/media-libs/libmikmod/files/libmikmod-CVE-2007-6720.patch
@@ -0,0 +1,112 @@
+This patch fixes "buffer overflow due to md_numchn - ID: 1630158"
+
+diff -ru libmikmod-3.1.12.orig/playercode/mplayer.c libmikmod-3.1.12/playercode/mplayer.c
+--- libmikmod-3.1.12.orig/playercode/mplayer.c	2007-12-15 01:26:28.000000000 -0800
++++ libmikmod-3.1.12/playercode/mplayer.c	2009-10-04 23:48:36.000000000 -0700
+@@ -52,6 +52,8 @@
+    will wait */
+ /*static*/ MODULE *pf = NULL;
+ 
++#define NUMVOICES(mod)	(md_sngchn < (mod)->numvoices ? md_sngchn : (mod)->numvoices)
++
+ #define	HIGH_OCTAVE		2	/* number of above-range octaves */
+ 
+ static	UWORD oldperiods[OCTAVE*2]={
+@@ -248,14 +250,14 @@
+ 	MP_VOICE *a;
+ 	ULONG t,k,tvol,pp;
+ 
+-	for (t=0;t<md_sngchn;t++)
++	for (t=0;t<NUMVOICES(mod);t++)
+ 		if (((mod->voice[t].main.kick==KICK_ABSENT)||
+ 			 (mod->voice[t].main.kick==KICK_ENV))&&
+ 		   Voice_Stopped_internal(t))
+ 			return t;
+ 
+ 	tvol=0xffffffUL;t=-1;a=mod->voice;
+-	for (k=0;k<md_sngchn;k++,a++) {
++	for (k=0;k<NUMVOICES(mod);k++,a++) {
+ 		/* allow us to take over a nonexisting sample */
+ 		if (!a->main.s)
+ 			return k;
+@@ -2249,12 +2251,12 @@
+ 
+ 	switch (dat) {
+ 	case 0x0: /* past note cut */
+-		for (t=0;t<md_sngchn;t++)
++		for (t=0;t<NUMVOICES(mod);t++)
+ 			if (mod->voice[t].master==a)
+ 				mod->voice[t].main.fadevol=0;
+ 		break;
+ 	case 0x1: /* past note off */
+-		for (t=0;t<md_sngchn;t++)
++		for (t=0;t<NUMVOICES(mod);t++)
+ 			if (mod->voice[t].master==a) {
+ 				mod->voice[t].main.keyoff|=KEY_OFF;
+ 				if ((!(mod->voice[t].venv.flg & EF_ON))||
+@@ -2263,7 +2265,7 @@
+ 			}
+ 		break;
+ 	case 0x2: /* past note fade */
+-		for (t=0;t<md_sngchn;t++)
++		for (t=0;t<NUMVOICES(mod);t++)
+ 			if (mod->voice[t].master==a)
+ 				mod->voice[t].main.keyoff|=KEY_FADE;
+ 		break;
+@@ -2318,7 +2320,7 @@
+ 	SAMPLE *s;
+ 
+ 	mod->totalchn=mod->realchn=0;
+-	for (channel=0;channel<md_sngchn;channel++) {
++	for (channel=0;channel<NUMVOICES(mod);channel++) {
+ 		aout=&mod->voice[channel];
+ 		i=aout->main.i;
+ 		s=aout->main.s;
+@@ -2736,7 +2738,7 @@
+ 			if (a->dct!=DCT_OFF) {
+ 				int t;
+ 
+-				for (t=0;t<md_sngchn;t++)
++				for (t=0;t<NUMVOICES(mod);t++)
+ 					if ((!Voice_Stopped_internal(t))&&
+ 					   (mod->voice[t].masterchn==channel)&&
+ 					   (a->main.sample==mod->voice[t].main.sample)) {
+@@ -2978,6 +2980,11 @@
+ 	if (!(mod->voice=(MP_VOICE*)_mm_calloc(md_sngchn,sizeof(MP_VOICE))))
+ 		return 1;
+ 
++	/* mod->numvoices was used during loading to clamp md_sngchn.
++	   After loading it's used to remember how big mod->voice is.
++	*/
++	mod->numvoices = md_sngchn;
++
+ 	Player_Init_internal(mod);
+ 	return 0;
+ }
+@@ -3086,7 +3093,7 @@
+ 		pf->patbrk=0;
+ 		pf->vbtick=pf->sngspd;
+ 
+-		for (t=0;t<md_sngchn;t++) {
++		for (t=0;t<NUMVOICES(pf);t++) {
+ 			Voice_Stop_internal(t);
+ 			pf->voice[t].main.i=NULL;
+ 			pf->voice[t].main.s=NULL;
+@@ -3111,7 +3118,7 @@
+ 		pf->patbrk=0;
+ 		pf->vbtick=pf->sngspd;
+ 
+-		for (t=0;t<md_sngchn;t++) {
++		for (t=0;t<NUMVOICES(pf);t++) {
+ 			Voice_Stop_internal(t);
+ 			pf->voice[t].main.i=NULL;
+ 			pf->voice[t].main.s=NULL;
+@@ -3138,7 +3145,7 @@
+ 		pf->sngpos=pos;
+ 		pf->vbtick=pf->sngspd;
+ 
+-		for (t=0;t<md_sngchn;t++) {
++		for (t=0;t<NUMVOICES(pf);t++) {
+ 			Voice_Stop_internal(t);
+ 			pf->voice[t].main.i=NULL;
+ 			pf->voice[t].main.s=NULL;
diff --git a/media-libs/libmikmod/files/libmikmod-CVE-2009-0179.patch b/media-libs/libmikmod/files/libmikmod-CVE-2009-0179.patch
new file mode 100644
index 000000000000..0c47e6545575
--- /dev/null
+++ b/media-libs/libmikmod/files/libmikmod-CVE-2009-0179.patch
@@ -0,0 +1,33 @@
+diff -ur libmikmod-3.1.11.orig/loaders/load_xm.c libmikmod-3.1.11/loaders/load_xm.c
+--- libmikmod-3.1.11.orig/loaders/load_xm.c	2004-01-21 18:43:53.000000000 +0100
++++ libmikmod-3.1.11/loaders/load_xm.c	2008-04-16 04:30:45.000000000 +0200
+@@ -622,7 +622,8 @@
+ 				/* read the remainder of the header */
+ 				for(u=headend-_mm_ftell(modreader);u;u--) _mm_read_UBYTE(modreader);
+ 
+-				if(_mm_eof(modreader)) {
++				/* last instrument is at the end of file in version 0x0104 */
++				if(_mm_eof(modreader) && (mh->version<0x0104 || t<of.numins-1)) {
+ 					free(nextwav);free(wh);
+ 					nextwav=NULL;wh=NULL;
+ 					_mm_errno = MMERR_LOADING_SAMPLEINFO;
+diff -ur libmikmod-3.1.11.orig/playercode/mloader.c libmikmod-3.1.11/playercode/mloader.c
+--- libmikmod-3.1.11.orig/playercode/mloader.c	2004-01-21 18:43:53.000000000 +0100
++++ libmikmod-3.1.11/playercode/mloader.c	2008-04-16 04:30:45.000000000 +0200
+@@ -450,10 +450,12 @@
+ 	if (!l->Init || l->Init()) {
+ 		_mm_rewind(modreader);
+ 		ok = l->Load(curious);
+-		/* propagate inflags=flags for in-module samples */
+-		for (t = 0; t < of.numsmp; t++)
+-			if (of.samples[t].inflags == 0)
+-				of.samples[t].inflags = of.samples[t].flags;
++		if (ok) {
++			/* propagate inflags=flags for in-module samples */
++			for (t = 0; t < of.numsmp; t++)
++				if (of.samples[t].inflags == 0)
++					of.samples[t].inflags = of.samples[t].flags;
++		}
+ 	} else
+ 		ok = 0;
+ 
diff --git a/media-libs/libmikmod/libmikmod-3.2.0_beta2-r1.ebuild b/media-libs/libmikmod/libmikmod-3.2.0_beta2-r1.ebuild
new file mode 100644
index 000000000000..b1bf1770ea12
--- /dev/null
+++ b/media-libs/libmikmod/libmikmod-3.2.0_beta2-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libmikmod/libmikmod-3.2.0_beta2-r1.ebuild,v 1.1 2010/01/03 18:19:16 ssuominen Exp $
+
+EAPI=2
+MY_P=${P/_/-}
+inherit autotools eutils
+
+DESCRIPTION="A library to play a wide range of module formats"
+HOMEPAGE="http://mikmod.raphnet.net/"
+SRC_URI="http://mikmod.raphnet.net/files/${MY_P}.tar.gz"
+
+LICENSE="|| ( LGPL-2.1 LGPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
+# Enable OSS by default since ALSA support isn't available, look below
+IUSE="+oss"
+
+S=${WORKDIR}/${MY_P}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-64bit.patch \
+		"${FILESDIR}"/${P}-autotools.patch \
+		"${FILESDIR}"/${P}-info.patch \
+		"${FILESDIR}"/${P}-doubleRegister.patch \
+		"${FILESDIR}"/${PN}-CVE-2007-6720.patch \
+		"${FILESDIR}"/${PN}-CVE-2009-0179.patch
+	AT_M4DIR=${S} eautoreconf
+}
+
+src_configure() {
+	# * af is something called AF/AFlib.h and -lAF, not audiofile in tree
+	# * alsa support is for deprecated API and doesn't work
+	econf \
+		--disable-af \
+		--disable-alsa \
+		--disable-esd \
+		$(use_enable oss)
+}
+
+src_install() {
+	emake DESTDIR="${D}" install || die
+	dodoc AUTHORS NEWS README TODO
+	dohtml docs/*.html
+}