--- a/ChangeLog Sun Aug 08 20:00:22 2010 +0000
+++ b/ChangeLog Mon Aug 09 08:06:30 2010 +0000
@@ -1,3 +1,7 @@
+2010-08-09 Milan Jurik <[email protected]>
+
+ * SFElibmikmod.spec: CVE-2010-2546, added missing patches
+
2010-08-08 Milan Jurik <[email protected]>
* SFEunbound.spec: update to 1.4.6
--- a/SFElibmikmod.spec Sun Aug 08 20:00:22 2010 +0000
+++ b/SFElibmikmod.spec Mon Aug 09 08:06:30 2010 +0000
@@ -14,6 +14,7 @@
Source: http://mikmod.raphnet.net/files/libmikmod-%{src_version}.tar.bz2
Patch1: libmikmod-01-cve-2009-3995.diff
Patch2: libmikmod-02-cve-2009-3996.diff
+Patch3: libmikmod-03-cve-2010-2546.diff
URL: http://mikmod.raphnet.net/
License: LGPL
SUNW_BaseDir: %{_basedir}
@@ -36,6 +37,7 @@
%setup -q -n libmikmod-%src_version
%patch1 -p1
%patch2 -p1
+%patch3 -p1
%build
CPUS=`/usr/sbin/psrinfo | grep on-line | wc -l | tr -d ' '`
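Review bot: `%patch3` only applies on top of `%patch1`, and nothing in these `%prep` lines says so. The last hunk of libmikmod-03-cve-2010-2546.diff deletes the `ih.volpts` clamp that libmikmod-01-cve-2009-3995.diff adds. A comment above the new line would stop a later maintainer from reordering the patches or dropping Patch1 as redundant, for example `# patch3 must follow patch1; its last hunk removes the volpts clamp patch1 adds`. The %prep section starts outside this hunk.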
@@ -83,6 +85,8 @@
%{_datadir}/aclocal/*
%changelog
+* Mon Aug 09 2010 - Milan Jurik
+- CVE-2010-2546 patches based on Debian
* Mon Jul 19 2010 - Milan Jurik
- CVE-2009-3995 and CVE-2009-3996 patches added based on Debian
* Sun May 09 2010 - Milan Jurik
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-01-cve-2009-3995.diff Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,13 @@
+--- libmikmod-3.2.0-beta2/loaders/load_it.c Fri Feb 6 20:29:03 2004
++++ libmikmod-3.2.0-beta2-patch/loaders/load_it.c Mon Jul 19 14:48:34 2010
+@@ -862,6 +862,10 @@
+ #endif
+
+ IT_ProcessEnvelope(vol);
++ /* fix for CVE-2009-3995 */
++ if (ih.volpts>= ENVPOINTS)
++ ih.volpts = ENVPOINTS-1;
++
+ for(u=0;u<ih.volpts;u++)
+ d->volenv[u].val=(ih.volnode[u]<<2);
+
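Review bot: The bound added after `IT_ProcessEnvelope(vol);` is applied late and to one field only. Whatever that macro does with `ih.volpts` has already run by then (its body is outside the hunk, so this is inferred), and no other envelope count is checked. It also clamps to `ENVPOINTS-1` although the loop below tests `u<ih.volpts`, which looks one stricter than needed if `d->volenv` holds ENVPOINTS entries. Since libmikmod-03-cve-2010-2546.diff in this commit removes these four lines again, the patch file should open with a short header giving its origin and noting that its check is superseded, e.g. `Origin: Debian; the volpts clamp is replaced by libmikmod-03-cve-2010-2546.diff`. The enclosing function starts and ends outside the hunk.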
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-02-cve-2009-3996.diff Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,13 @@
+--- libmikmod-3.2.0-beta2/loaders/load_ult.c Wed Jan 21 02:36:35 2004
++++ libmikmod-3.2.0-beta2-patch/loaders/load_ult.c Mon Jul 19 14:51:36 2010
+@@ -225,6 +225,10 @@
+ for(t=0;t<of.numpat;t++)
+ of.patterns[(t*of.numchn)+u]=tracks++;
+
++ /* fix for CVE-2009-3996 */
++ if (of.numchn>=UF_MAXCHAN)
++ of.numchn=UF_MAXCHAN - 1;
++
+ /* read pan position table for v1.5 and higher */
+ if(mh.id[14]>='3') {
+ for(t=0;t<of.numchn;t++) of.panning[t]=_mm_read_UBYTE(modreader)<<4;
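Review bot: The clamp on `of.numchn` comes after the value has already been used. The context lines just above it index `of.patterns[(t*of.numchn)+u]` with the unclamped count, so only the later `of.panning[t]` loop is protected, and the pattern table was filled with a stride that no longer matches `of.numchn` afterwards. The check belongs where `of.numchn` is first read from the file (outside this hunk), ideally failing the load instead of continuing with an altered channel count. If `of.panning` has UF_MAXCHAN entries (not visible here), the bound could also be `if (of.numchn > UF_MAXCHAN) of.numchn = UF_MAXCHAN;`. The enclosing loader function starts and ends outside the hunk.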
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-03-cve-2010-2546.diff Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,31 @@
+--- libmikmod-3.2.0-beta2/loaders/load_it.c.orig 2010-07-22 16:02:16.000000000 +0200
++++ libmikmod-3.2.0-beta2-patch/loaders/load_it.c 2010-07-22 16:07:48.000000000 +0200
+@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) \
+ ih. name##flg =_mm_read_UBYTE(modreader); \
+ ih. name##pts =_mm_read_UBYTE(modreader); \
++ if (ih. name##pts > ITENVCNT) \
++ ih. name##pts = ITENVCNT; \
+ ih. name##beg =_mm_read_UBYTE(modreader); \
+ ih. name##end =_mm_read_UBYTE(modreader); \
+ ih. name##susbeg=_mm_read_UBYTE(modreader); \
+@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) \
+ ih. name/**/flg =_mm_read_UBYTE(modreader); \
+ ih. name/**/pts =_mm_read_UBYTE(modreader); \
++ if (ih. name/**/pts > ITENVCNT) \
++ ih. name/**/pts = ITENVCNT; \
+ ih. name/**/beg =_mm_read_UBYTE(modreader); \
+ ih. name/**/end =_mm_read_UBYTE(modreader); \
+ ih. name/**/susbeg=_mm_read_UBYTE(modreader); \
+@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
+ #endif
+
+ IT_ProcessEnvelope(vol);
+- /* fix for CVE-2009-3995 */
+- if (ih.volpts>= ENVPOINTS)
+- ih.volpts = ENVPOINTS-1;
+-
+ for(u=0;u<ih.volpts;u++)
+ d->volenv[u].val=(ih.volnode[u]<<2);
+
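Review bot: Removing the `ENVPOINTS` clamp in the last hunk leaves the `d->volenv[u]` loop bounded only by the new `ITENVCNT` check in `IT_LoadEnvelope` (both the `##` and `/**/` variants). That is safe only while ITENVCNT does not exceed the size of `d->volenv`, and neither definition is visible here. A comment at the macro saying that the point count is capped at ITENVCNT and must stay within ENVPOINTS, backed by a preprocessor check `#if ITENVCNT > ENVPOINTS` with an `#error`, would make that dependency explicit. The clamp also silently truncates an out-of-range count rather than rejecting the file, which is worth stating in the same comment. IT_Load starts and ends outside these hunks.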