Debian

Available patches from Ubuntu

To see Ubuntu differences wrt. to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: gpac

gpac (0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1) disco; urgency=medium * SECURITY UPDATE: Fix multiple buffer overflow issues - debian/patches/CVE-2018-7752-CVE-2018-1000100.patch: fix buffer overflow in the gf_media_avc_read_sps. - debian/patches/CVE-2018-13005-CVE-2018-13006.patch: fixed 2 possible heap overflows. - debian/patches/CVE-2018-20760.patch: check error code on call to gf_utf8_wcstombs. - debian/patches/CVE-2018-20761-CVE-2018-20762.patch: fix some overflows due to strcpy. - debian/patches/CVE-2018-20763.patch: add some boundary checks on gf_text_get_utf8_line. - CVE-2018-7752 - CVE-2018-13005 - CVE-2018-13006 - CVE-2018-20760 - CVE-2018-20761 - CVE-2018-20762 - CVE-2018-20763 - CVE-2018-1000100 -- Paulo Flabiano Smorigo <pfsmorigo@canonical.com> Wed, 10 Apr 2019 12:16:47 -0300 gpac (0.5.2-426-gc5ad4e4+dfsg5-4build1) cosmic; urgency=medium * No-change rebuild for ffmpeg soname changes. -- Matthias Klose <doko@ubuntu.com> Thu, 19 Jul 2018 08:46:43 +0000

Modifications :
  1. Download patch debian/control

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/control 2018-05-25 13:37:43.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/control 2019-04-10 15:16:47.000000000 +0000 @@ -1,7 +1,8 @@ Source: gpac Section: graphics Priority: optional -Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> Uploaders: Reinhard Tartler <siretart@tauware.de>, Alessio Treglia <alessio@debian.org>,
  2. Download patch debian/patches/CVE-2018-20761-CVE-2018-20762.patch

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/CVE-2018-20761-CVE-2018-20762.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/CVE-2018-20761-CVE-2018-20762.patch 2019-04-10 15:16:47.000000000 +0000 @@ -0,0 +1,153 @@ +From 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Mon Sep 17 00:00:00 2001 +From: Aurelien David <aurelien.david@telecom-paristech.fr> +Date: Fri, 11 Jan 2019 11:32:54 +0100 +Subject: [PATCH] fix some overflows due to strcpy + +fixes #1184, #1186, #1187 among other things +--- + applications/mp4box/fileimport.c | 20 +++++++++++++++++++ + applications/mp4client/main.c | 33 +++++++++++++++++++++++++++---- + modules/ffmpeg_in/ffmpeg_demux.c | 7 +++++-- + src/scene_manager/scene_manager.c | 4 ++++ + 4 files changed, 58 insertions(+), 6 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4box/fileimport.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4box/fileimport.c +@@ -2119,17 +2119,33 @@ GF_Err cat_multiple_files(GF_ISOFile *de + cat_enum.align_timelines = align_timelines; + cat_enum.allow_add_in_command = allow_add_in_command; + ++ if (strlen(fileName) >= sizeof(cat_enum.szPath)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szPath, fileName); + sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR); + if (!sep) sep = strrchr(cat_enum.szPath, '/'); + if (!sep) { + strcpy(cat_enum.szPath, "."); ++ if (strlen(fileName) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, fileName); + } else { ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, sep+1); + sep[0] = 0; + } + sep = strchr(cat_enum.szRad1, '*'); ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad2, sep+1); + sep[0] = 0; + sep = strchr(cat_enum.szRad2, '%'); +@@ -2137,6 +2153,10 @@ GF_Err cat_multiple_files(GF_ISOFile *de + if (!sep) sep = strchr(cat_enum.szRad2, ':'); + strcpy(cat_enum.szOpt, ""); + if (sep) { ++ if (strlen(sep) >= sizeof(cat_enum.szOpt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szOpt, sep); + sep[0] = 0; + } +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4client/main.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4client/main.c +@@ -885,7 +885,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event + break; + case GF_EVENT_NAVIGATE: + if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) { +- strcpy(the_url, evt->navigate.to_url); ++ strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + fprintf(stderr, "Navigating to URL %s\n", the_url); + gf_term_navigate_to(term, evt->navigate.to_url); + return 1; +@@ -1534,7 +1535,14 @@ int main (int argc, char **argv) + else if (!gui_mode && url_arg) { + char *ext; + +- strcpy(the_url, url_arg); ++ if (strlen(url_arg) >= sizeof(the_url)) { ++ fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1)); ++ strncpy(the_url, url_arg, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; ++ } ++ else { ++ strcpy(the_url, url_arg); ++ } + ext = strrchr(the_url, '.'); + if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) { + GF_Err e = GF_OK; +@@ -1546,7 +1554,10 @@ int main (int argc, char **argv) + GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e); + if (sess) { + e = gf_dm_sess_process(sess); +- if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess)); ++ if (!e) { ++ strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); ++ the_url[sizeof(the_cfg) - 1] = 0; ++ } + gf_dm_sess_del(sess); + } + } +@@ -1574,7 +1585,8 @@ int main (int argc, char **argv) + fprintf(stderr, "Hit 'h' for help\n\n"); + str = gf_cfg_get_key(cfg_file, "General", "StartupFile"); + if (str) { +- strcpy(the_url, "MP4Client "GPAC_FULL_VERSION); ++ strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + gf_term_connect(term, str); + startup_file = 1; + is_connected = 1; +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/modules/ffmpeg_in/ffmpeg_demux.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/modules/ffmpeg_in/ffmpeg_demux.c +@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + AVFormatContext *ctx; + AVOutputFormat *fmt_out; + Bool ret = 0; +- char *ext, szName[1000], szExt[20]; ++ char *ext, szName[1024], szExt[20]; + const char *szExtList; + FFDemux *ffd; + if (!plug || !url) +@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputSer + + ffd = plug->priv; + ++ if (strlen(url) >= sizeof(szName)) ++ return GF_FALSE; ++ + strcpy(szName, url); + ext = strrchr(szName, '#'); + if (ext) ext[0] = 0; +@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + ext = strrchr(szName, '.'); + if (ext && strlen(ext) > 19) ext = NULL; + +- if (ext && strlen(ext) > 1) { ++ if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) { + strcpy(szExt, &ext[1]); + strlwr(szExt); + #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/scene_manager/scene_manager.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/scene_manager/scene_manager.c +@@ -642,6 +642,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *l + ext[0] = '.'; + ext = anext; + } ++ if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(szExt, &ext[1]); + strlwr(szExt); + if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT;
  3. Download patch debian/patches/CVE-2018-13005-CVE-2018-13006.patch

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/CVE-2018-13005-CVE-2018-13006.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/CVE-2018-13005-CVE-2018-13006.patch 2019-04-10 15:16:47.000000000 +0000 @@ -0,0 +1,44 @@ +From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001 +From: Aurelien David <aurelien.david@telecom-paristech.fr> +Date: Thu, 28 Jun 2018 13:34:08 +0200 +Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088) + +--- + include/gpac/internal/isomedia_dev.h | 2 +- + src/isomedia/box_code_base.c | 2 +- + src/isomedia/box_dump.c | 14 +++++++------- + 3 files changed, 9 insertions(+), 9 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h +@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_ + char __ptype[5];\ + strcpy(__ptype, gf_4cc_to_str(__parent->type) );\ + GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \ +- gf_isom_box_del(a);\ ++ gf_isom_box_del(__abox);\ + return GF_OK;\ + } + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c +@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream + + //then get the break + i = 0; +- while ( (tmpName[i] != 0) && (i < to_read) ) { ++ while ( (i < to_read) && (tmpName[i] != 0) ) { + i++; + } + //check the data is consistent +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c +@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace + GF_Err hdlr_dump(GF_Box *a, FILE * trace) + { + GF_HandlerBox *p = (GF_HandlerBox *)a; +- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { ++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { + fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1); + } else { + fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
  4. Download patch debian/patches/series

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/series 2018-05-25 13:40:59.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/series 2019-04-10 15:16:47.000000000 +0000 @@ -6,3 +6,8 @@ dont-err-build-on-uknown-system.patch skip-swf-test.patch ffmpeg_2.9.patch ffmpeg_4.patch +CVE-2018-7752-CVE-2018-1000100.patch +CVE-2018-13005-CVE-2018-13006.patch +CVE-2018-20760.patch +CVE-2018-20761-CVE-2018-20762.patch +CVE-2018-20763.patch
  5. Download patch debian/patches/CVE-2018-20760.patch

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/CVE-2018-20760.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/CVE-2018-20760.patch 2019-04-10 15:16:47.000000000 +0000 @@ -0,0 +1,20 @@ +From 4c1360818fc8948e9307059fba4dc47ba8ad255d Mon Sep 17 00:00:00 2001 +From: Aurelien David <aurelien.david@telecom-paristech.fr> +Date: Thu, 13 Dec 2018 14:39:21 +0100 +Subject: [PATCH] check error code on call to gf_utf8_wcstombs (#1177) + +--- + src/media_tools/text_import.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c +@@ -259,6 +259,8 @@ char *gf_text_get_utf8_line(char *szLine + } + sptr = (u16 *)szLine; + i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr); ++ if (i >= (u32)ARRAY_LENGTH(szLineConv)) ++ return NULL; + szLineConv[i] = 0; + strcpy(szLine, szLineConv); + /*this is ugly indeed: since input is UTF16-LE, there are many chances the fgets never reads the \0 after a \n*/
  6. Download patch debian/patches/CVE-2018-20763.patch

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/CVE-2018-20763.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/CVE-2018-20763.patch 2019-04-10 15:16:47.000000000 +0000 @@ -0,0 +1,125 @@ +From 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd Mon Sep 17 00:00:00 2001 +From: Aurelien David <aurelien.david@telecom-paristech.fr> +Date: Fri, 11 Jan 2019 14:05:16 +0100 +Subject: [PATCH] add some boundary checks on gf_text_get_utf8_line (#1188) + +--- + applications/mp4client/main.c | 2 +- + src/media_tools/text_import.c | 77 +++++++++++++++++++++++------------ + 2 files changed, 53 insertions(+), 26 deletions(-) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/applications/mp4client/main.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/applications/mp4client/main.c +@@ -1556,7 +1556,7 @@ int main (int argc, char **argv) + e = gf_dm_sess_process(sess); + if (!e) { + strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); +- the_url[sizeof(the_cfg) - 1] = 0; ++ the_url[sizeof(the_url) - 1] = 0; + } + gf_dm_sess_del(sess); + } +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c +@@ -195,49 +195,76 @@ char *gf_text_get_utf8_line(char *szLine + if (unicode_type<=1) { + j=0; + len = (u32) strlen(szLine); +- for (i=0; i<len; i++) { ++ for (i=0; i<len && j < sizeof(szLineConv) - 1; i++, j++) { ++ + if (!unicode_type && (szLine[i] & 0x80)) { + /*non UTF8 (likely some win-CP)*/ + if ((szLine[i+1] & 0xc0) != 0x80) { +- szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 ); +- j++; +- szLine[i] &= 0xbf; ++ if (j + 1 < sizeof(szLineConv) - 1) { ++ szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3); ++ j++; ++ szLine[i] &= 0xbf; ++ } ++ else ++ break; + } + /*UTF8 2 bytes char*/ + else if ( (szLine[i] & 0xe0) == 0xc0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ ++ // don't cut multibyte in the middle in there is no more room in dest ++ if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } + /*UTF8 3 bytes char*/ + else if ( (szLine[i] & 0xf0) == 0xe0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } + /*UTF8 4 bytes char*/ + else if ( (szLine[i] & 0xf8) == 0xf0) { +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; +- szLineConv[j] = szLine[i]; +- i++; +- j++; ++ if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) { ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ szLineConv[j] = szLine[i]; ++ i++; ++ j++; ++ } ++ else { ++ break; ++ } + } else { + i+=1; + continue; + } + } +- szLineConv[j] = szLine[i]; +- j++; ++ if (j < sizeof(szLineConv)-1 && i<len) ++ szLineConv[j] = szLine[i]; ++ + } +- szLineConv[j] = 0; ++ if (j >= sizeof(szLineConv)) ++ szLineConv[sizeof(szLineConv) - 1] = 0; ++ else ++ szLineConv[j] = 0; ++ + strcpy(szLine, szLineConv); + return sOK; + }
  7. Download patch debian/patches/CVE-2018-7752-CVE-2018-1000100.patch

    --- 0.5.2-426-gc5ad4e4+dfsg5-4/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.5.2-426-gc5ad4e4+dfsg5-4ubuntu1/debian/patches/CVE-2018-7752-CVE-2018-1000100.patch 2019-04-10 15:16:47.000000000 +0000 @@ -0,0 +1,34 @@ +From 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 Mon Sep 17 00:00:00 2001 +From: Aurelien David <aurelien.david@telecom-paristech.fr> +Date: Tue, 6 Mar 2018 11:23:31 +0100 +Subject: [PATCH] fix some exploitable overflows (#994, #997) + +--- + include/gpac/tools.h | 1 + + src/isomedia/avc_ext.c | 2 ++ + src/media_tools/av_parsers.c | 4 ++++ + 3 files changed, 7 insertions(+) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/tools.h ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/tools.h +@@ -999,6 +999,7 @@ void gf_fm_request_call(u32 type, u32 pa + } + #endif + ++#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0])) + + #endif /*_GF_CORE_H_*/ + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/av_parsers.c ++++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/av_parsers.c +@@ -2160,6 +2160,10 @@ s32 gf_media_avc_read_sps(const char *sp + sps->offset_for_non_ref_pic = bs_get_se(bs); + sps->offset_for_top_to_bottom_field = bs_get_se(bs); + sps->poc_cycle_length = bs_get_ue(bs); ++ if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n")); ++ goto exit; ++ } + for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs); + } + if (sps->poc_type > 2) {
  1. gpac