Bug 252321 - multimedia/libdvdcss: Fix potential buffer overflow
Summary: multimedia/libdvdcss: Fix potential buffer overflow
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Josh Paetzel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-01 11:20 UTC by daniel.engberg.lists
Modified: 2021-01-20 08:51 UTC
CC List: 2 users

See Also:
bugzilla: maintainer-feedback? (jpaetzel)


Attachments
Patch for libdvdcss (2.38 KB, patch), 2021-01-01 11:20 UTC, daniel.engberg.lists, no flags
build log with error (17.01 KB, text/plain), 2021-01-20 07:36 UTC, VVD, no flags

Description daniel.engberg.lists 2021-01-01 11:20:52 UTC
Created attachment 221155 [details]
Patch for libdvdcss

Buffer of size PATH_MAX is being written to with data that can theoretically overflow (a string of maximum size PATH_MAX plus other constant-size strings)

Other minor fixes:
Switch from PORTVERSION to DISTVERSION
Use HTTPS for MASTER_SITES
Remove dependency on gmake

References:
https://code.videolan.org/videolan/libdvdcss/-/commit/f93ae872f22bc404aa998ef127242d2e10de1b3c
Porters Handbook: "Table 5.2. Package Naming Examples"

Compile tested on FreeBSD 13.0-CURRENT main-c1-g63f93c7e1 (amd64) (make, make check-plist, make test)
Run-time tested on FreeBSD 13.0-CURRENT #0: Wed Dec 30 11:54:07 CET 2020 (arm64) (hash unavailable)
Poudriere testport OK 12.2-RELEASE (amd64)
Poudriere testport OK 11.4-RELEASE (amd64)
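The overflow pattern the report describes, as an added illustration in C that is neither libdvdcss's code nor the attached patch: a buffer of exactly PATH_MAX bytes is filled with a caller-supplied base path plus a constant suffix, and nothing bounds the total. In a real library the base path would typically come from an environment variable or a configuration file; here it is a constructed string. The suffix `/.dvdcss`, the function names and the `overflow_bytes` helper are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical constant suffix appended to a caller-supplied directory. */
#define CACHE_SUFFIX "/.dvdcss"

/* Vulnerable pattern: the destination is exactly PATH_MAX bytes, but the
 * source is a string of up to PATH_MAX-1 bytes plus a constant suffix.
 * strcpy/strcat are not told the destination size, so a long enough base
 * path writes past the end of dst. It is only called in main() after
 * overflow_bytes() has confirmed the result fits, so the demo itself never
 * corrupts memory. */
static void build_cache_path_unchecked(char dst[PATH_MAX], const char *base)
{
    strcpy(dst, base);
    strcat(dst, CACHE_SUFFIX);
}

/* How many bytes the unchecked version would write past the end of a
 * PATH_MAX buffer for this base path (0 when it fits), computed without
 * performing the write. */
size_t overflow_bytes(const char *base)
{
    size_t need = strlen(base) + strlen(CACHE_SUFFIX) + 1; /* +1 for NUL */
    return need > PATH_MAX ? need - PATH_MAX : 0;
}

/* Hardened version: reject inputs that cannot fit, then format with the
 * real destination size so that even a miscount cannot overflow. Returns 0
 * on success and -1 when the path is too long; the caller should fall back
 * to "no cache directory" rather than silently use a truncated path. */
int build_cache_path(char dst[PATH_MAX], const char *base)
{
    if (base == NULL || overflow_bytes(base) != 0) {
        dst[0] = '\0';
        return -1;
    }
    int n = snprintf(dst, PATH_MAX, "%s%s", base, CACHE_SUFFIX);
    if (n < 0 || (size_t)n >= PATH_MAX) { /* truncated: treat as an error */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[PATH_MAX];
    char longbase[PATH_MAX];
    int rc;

    /* Constructed inputs: a normal directory and one of PATH_MAX-1 bytes. */
    const char *home = "/home/user";
    memset(longbase, 'A', PATH_MAX - 1);
    longbase[PATH_MAX - 1] = '\0';

    if (overflow_bytes(home) == 0) {
        build_cache_path_unchecked(out, home);
        printf("unchecked, short base: %s\n", out);
    }
    printf("unchecked, long base would write %zu bytes past the buffer\n",
           overflow_bytes(longbase));

    rc = build_cache_path(out, home);
    printf("checked, short base: rc=%d path=%s\n", rc, out);
    rc = build_cache_path(out, longbase);
    printf("checked, long base:  rc=%d (rejected)\n", rc);
    return 0;
}
```

The compile flags in the build log further down (`-fstack-protector-strong`) turn a smash of a stack buffer like this into an abort at function return, which is a crash rather than silent memory corruption; they do not help when the PATH_MAX buffer lives on the heap, so the length check itself is the fix.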
Comment 1 daniel.engberg.lists 2021-01-01 11:27:21 UTC
"make test" is a typo; there are no unit tests for libdvdcss. Sorry about that :/
Comment 2 commit-hook freebsd_committer 2021-01-19 22:34:09 UTC
A commit references this bug:

Author: jpaetzel
Date: Tue Jan 19 22:33:15 UTC 2021
New revision: 562095
URL: https://svnweb.freebsd.org/changeset/ports/562095

Log:
  Fix potential buffer overflow.

  Along the way improve port Makefile

  PR:	252321
  Submitted by:	daniel.engberg.lists@pyret.net

Changes:
  head/multimedia/libdvdcss/Makefile
  head/multimedia/libdvdcss/files/
  head/multimedia/libdvdcss/files/patch-src_libdvdcss.c
Comment 3 Josh Paetzel freebsd_committer 2021-01-19 22:36:20 UTC
Committed, thanks!
Comment 4 VVD 2021-01-20 07:09:38 UTC
(In reply to daniel.engberg.lists from comment #0)
> Remove dependency of gmake
Build fails without USES=gmake:
===============================================================
===>  Building for libdvdcss-1.4.2_1
--- all ---
/usr/bin/make  all-am
--- src/.dirstamp ---
--- src/.deps/.dirstamp ---
--- stamp-doxygen ---
doxygen 
--- src/libdvdcss.lo ---
--- stamp-doxygen ---
error: Doxyfile not found and no input file specified!
Doxygen version 1.9.0
Copyright Dimitri van Heesch 1997-2019

You can use doxygen in a number of ways:

1) Use doxygen to generate a template configuration file:
    doxygen [-s] -g [configName]

2) Use doxygen to update an old configuration file:
    doxygen [-s] -u [configName]

3) Use doxygen to generate documentation using an existing configuration file:
    doxygen [configName]

4) Use doxygen to generate a template file controlling the layout of the
   generated documentation:
    doxygen -l [layoutFileName]

    In case layoutFileName is omitted layoutFileName.xml will be used as filename.
    If - is used for layoutFileName doxygen will write to standard output.

5) Use doxygen to generate a template style sheet file for RTF, HTML or Latex.
    RTF:        doxygen -w rtf styleSheetFile
    HTML:       doxygen -w html headerFile footerFile styleSheetFile [configFile]
    LaTeX:      doxygen -w latex headerFile footerFile styleSheetFile [configFile]

6) Use doxygen to generate a rtf extensions file
    RTF:   doxygen -e rtf extensionsFile

    If - is used for extensionsFile doxygen will write to standard output.

7) Use doxygen to compare the used configuration file with the template configuration file
    doxygen -x [configFile]

8) Use doxygen to show a list of built-in emojis.
    doxygen -f emoji outputFileName

    If - is used for outputFileName doxygen will write to standard output.

If -s is specified the comments of the configuration items in the config file will be omitted.
If configName is omitted 'Doxyfile' will be used as a default.
If - is used for configFile doxygen will write / read the configuration to /from standard output / input.

-v print version string
*** [stamp-doxygen] Error code 1

make[3]: stopped in /tmp/work/usr/ports/multimedia/libdvdcss/work/libdvdcss-1.4.2
--- src/libdvdcss.lo ---
depbase=`echo src/libdvdcss.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh ./libtool  --tag=CC    --mode=compile cc -DHAVE_CONFIG_H  -I.  -I./src -I./src/dvdcss    -O2 -pipe -march=core2  -fstack-protector-strong -fno-strict-aliasing  -Wall -Wextra -fvisibility=hidden -MT src/libdvdcss.lo -MD -MP -MF $depbase.Tpo -c -o src/libdvdcss.lo src/libdvdcss.c && mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I./src -I./src/dvdcss -O2 -pipe -march=core2 -fstack-protector-strong -fno-strict-aliasing -Wall -Wextra -fvisibility=hidden -MT src/libdvdcss.lo -MD -MP -MF src/.deps/libdvdcss.Tpo -c src/libdvdcss.c  -fPIC -DPIC -o src/.libs/libdvdcss.o
libtool: compile:  cc -DHAVE_CONFIG_H -I. -I./src -I./src/dvdcss -O2 -pipe -march=core2 -fstack-protector-strong -fno-strict-aliasing -Wall -Wextra -fvisibility=hidden -MT src/libdvdcss.lo -MD -MP -MF src/.deps/libdvdcss.Tpo -c src/libdvdcss.c -o src/libdvdcss.o >/dev/null 2>&1
1 error

make[3]: stopped in /tmp/work/usr/ports/multimedia/libdvdcss/work/libdvdcss-1.4.2
===============================================================

Options        :
        DOCS           : off
        DOXYGEN        : off
Comment 5 VVD 2021-01-20 07:11:46 UTC
(In reply to VVD from comment #4)
12.2 amd64.
Comment 6 VVD 2021-01-20 07:36:14 UTC
Created attachment 221758 [details]
build log with error

Fails if doxygen is installed or DOXYGEN option is ON.

Fixes build:
DOXYGEN_CONFIGURE_ENABLE=       doc
DOXYGEN_USES=          gmake
Comment 7 daniel.engberg.lists 2021-01-20 08:38:48 UTC
Fix provided here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252848
Comment 8 commit-hook freebsd_committer 2021-01-20 08:51:54 UTC
A commit references this bug:

Author: fluffy
Date: Wed Jan 20 08:51:39 UTC 2021
New revision: 562121
URL: https://svnweb.freebsd.org/changeset/ports/562121

Log:
  MFH: r562095 r562120

  Fix potential buffer overflow.

  Along the way improve port Makefile

  PR:	252321
  Submitted by:	daniel.engberg.lists@pyret.net

  multimedia/libdvdcss: unbreak with recent doxygen

  With hat:	ports-secteam
  PR:		252848
  Suggested by:	VVD in PR 252321

Changes:
_U  branches/2021Q1/
  branches/2021Q1/multimedia/libdvdcss/Makefile
  branches/2021Q1/multimedia/libdvdcss/files/