[xmp/f17] fix CVE-2013-1890

Dominik Mierzejewski rathann at fedoraproject.org
Sun Apr 28 16:11:21 UTC 2013


commit e6bb0b2641b2bbe12fb2c6dc3909d644571d850d
Author: Dominik Mierzejewski <rpm at greysector.net>
Date:   Sun Apr 28 18:10:52 2013 +0200

    fix CVE-2013-1890

 xmp-3.5.0-cve-2013-1980.patch |   20 ++++++++++++++++++++
 xmp.spec                      |    8 +++++++-
 2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/xmp-3.5.0-cve-2013-1980.patch b/xmp-3.5.0-cve-2013-1980.patch
new file mode 100644
index 0000000..3a98c22
--- /dev/null
+++ b/xmp-3.5.0-cve-2013-1980.patch
@@ -0,0 +1,20 @@
+diff -U0 xmp-3.5.0/docs/ChangeLog.cve-2013-1980 xmp-3.5.0/docs/ChangeLog
+--- xmp-3.5.0/docs/ChangeLog.cve-2013-1980	2012-01-27 17:40:58.000000000 +0100
++++ xmp-3.5.0/docs/ChangeLog	2013-04-28 13:05:05.559593911 +0200
+@@ -26,0 +27 @@
++	- fix buffer overflow in MASI loader (reported by Douglas Carmichael)
+diff -up xmp-3.5.0/src/loaders/masi_load.c.cve-2013-1980 xmp-3.5.0/src/loaders/masi_load.c
+--- xmp-3.5.0/src/loaders/masi_load.c.cve-2013-1980	2012-01-21 13:35:14.000000000 +0100
++++ xmp-3.5.0/src/loaders/masi_load.c	2013-04-28 13:04:15.398503982 +0200
+@@ -144,9 +144,9 @@ static void get_dsmp(struct xmp_context
+ 	i = cur_ins;
+ 	m->xxi[i] = calloc(sizeof(struct xxm_instrument), 1);
+ 
+-	fread(&m->xxih[i].name, 1, 34, f);
++	fread(&m->xxih[i].name, 1, 31, f);
+ 	str_adj((char *)m->xxih[i].name);
+-	fseek(f, 5, SEEK_CUR);
++	fseek(f, 8, SEEK_CUR);
+ 	read8(f);		/* insno */
+ 	read8(f);
+ 	m->xxs[i].len = read32l(f);
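Review bot: The corrected `fread(&m->xxih[i].name, 1, 31, f);` still hard-codes the byte count, so it stays within bounds only while the `name` field, declared outside this hunk, holds at least 31 bytes plus a terminator. Assuming `name` is an array, deriving the count from the destination, e.g. `fread(m->xxih[i].name, 1, sizeof(m->xxih[i].name) - 1, f);`, would stop the read size and the buffer size from drifting apart again; the following `fseek` would then need to skip the remainder so the two still consume 39 bytes in total. The return value of `fread` is also ignored, so a truncated file leaves a partly filled name that `str_adj()` then processes; comparing the return with the requested count would let the loader reject the file. get_dsmp's body starts and ends outside the hunk, so whether `name` is zeroed beforehand cannot be confirmed from here.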
diff --git a/xmp.spec b/xmp.spec
index eab0049..3c8535a 100644
--- a/xmp.spec
+++ b/xmp.spec
@@ -8,7 +8,7 @@
 
 Name: xmp
 Version: 3.4.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: A multi-format module player
 Group: Applications/Multimedia
 #Source: http://downloads.sourceforge.net/sourceforge/xmp/xmp-%{version}.tar.gz
@@ -31,6 +31,8 @@ Patch1: xmp-3.4.0-audacious-3.2.patch
 # fix untimely g_free calls and make probe_for_tuple thread-safe
 # (reported to xmp devel list)
 Patch2: xmp-3.4.0-audacious-probe_for_tuple.patch
+# backport fix for CVE-2013-1980
+Patch5: xmp-3.5.0-cve-2013-1980.patch
 
 %description
 The Extended Module Player is a modplayer for Unix-like systems that plays
@@ -79,6 +81,7 @@ This package contains the xmp plugin for XMMS.
 %patch0 -p1 -b .aud-api-3.1
 %patch1 -p1 -b .aud-api-3.2
 %patch2 -p1 -b .aud-probe_for_tuple
+%patch5 -p1 -b .cve-2013-1980
 pushd docs
 for file in ChangeLog CREDITS ; do
 	iconv -f iso8859-1 -t utf8 -o $file.utf $file && touch -r $file $file.utf && mv $file.utf $file
@@ -115,6 +118,9 @@ rm -rf %{buildroot}
 %{xmms_input_plugin_dir}/*
 
 %changelog
+* Sun Apr 28 2013 Dominik Mierzejewski <rpm at greysector.net> - 3.4.0-11
+- backport fix for CVE-2013-1890 (rhbz #954658)
+
 * Fri Jun 15 2012 Michael Schwendt <mschwendt at fedoraproject.org> - 3.4.0-10
 - Fix untimely g_free(filename) calls in Audacious 3 plugin and
   make module probing thread-safe.
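Review bot: The new `%changelog` entry names CVE-2013-1890, while the patch file name, the `Patch5` comment and the `-b .cve-2013-1980` suffix in `%prep` all use CVE-2013-1980. The two cannot both be right, and since the patch touches the MASI loader the 1980 spelling looks like the intended one, which would make the entry `- backport fix for CVE-2013-1980 (rhbz #954658)`. A wrong identifier in the changelog matters because `rpm -q --changelog` is a common way to check whether a build carries a given CVE fix. The commit subject carries the same 1890 spelling.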

