Hello community, here is the log from the commit of package libsndfile for openSUSE:Factory checked in at 2018-11-28 11:09:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsndfile (Old) and /work/SRC/openSUSE:Factory/.libsndfile.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libsndfile" Wed Nov 28 11:09:29 2018 rev:56 rq:651403 version:1.0.28 Changes: -------- --- /work/SRC/openSUSE:Factory/libsndfile/libsndfile-progs.changes 2017-04-17 10:24:07.592778096 +0200 +++ /work/SRC/openSUSE:Factory/.libsndfile.new.19453/libsndfile-progs.changes 2018-11-28 11:09:31.203222888 +0100 @@ -1,0 +2,18 @@ +Fri Jul 6 14:11:47 CEST 2018 - tiwai@suse.de + +- Fix buffer overflow in sndfile-deinterleave, which isn't really a + security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, + CVE-2018-19432): + (Apply all the rest as well to sync with libsndfile.spec) + 0001-FLAC-Fix-a-buffer-read-overrun.patch + 0002-src-flac.c-Fix-a-buffer-read-overflow.patch + 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch + 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch + 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch + 0031-sfe_copy_data_fp-check-value-of-max-variable.patch + libsndfile-CVE-2017-17456-alaw-range-check.patch + libsndfile-CVE-2017-17457-ulaw-range-check.patch + sndfile-deinterlace-channels-check.patch + sndfile-ocloexec.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libsndfile/libsndfile.changes 2018-07-13 10:16:53.430136861 +0200 +++ /work/SRC/openSUSE:Factory/.libsndfile.new.19453/libsndfile.changes 2018-11-28 11:09:31.375222654 +0100 
@@ -4,2 +4,3 @@ -- Fix buffer overflow in sndfile-deinterlace, which isn't really a - security issue (bsc#1100167, CVE-2018-13139): +- Fix buffer overflow in sndfile-deinterleave, which isn't really a + security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, + CVE-2018-19432): ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsndfile-progs.spec ++++++ --- /var/tmp/diff_new_pack.TGCTqk/_old 2018-11-28 11:09:32.111221653 +0100 +++ /var/tmp/diff_new_pack.TGCTqk/_new 2018-11-28 11:09:32.115221648 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -26,6 +26,20 @@ Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz Source1: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz.asc Source2: libsndfile.keyring +# PATCH-FIX-UPSTREAM +Patch1: 0001-FLAC-Fix-a-buffer-read-overrun.patch +Patch2: 0002-src-flac.c-Fix-a-buffer-read-overflow.patch +Patch10: 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch +Patch20: 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch +Patch30: 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch +# not yet upstreamed, https://github.com/erikd/libsndfile/issues/317 +Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch +# not yet upstreamed +Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch +Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch +Patch34: sndfile-deinterlace-channels-check.patch +# PATCH-FIX-OPENSUSE +Patch100: sndfile-ocloexec.patch BuildRequires: alsa-devel BuildRequires: flac-devel BuildRequires: gcc-c++ 
@@ -41,6 +55,16 @@ %prep %setup -q -n libsndfile-%{version} +%patch1 -p1 +%patch2 -p1 +%patch10 -p1 +%patch20 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch100 -p1 %build %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter ++++++ libsndfile.spec ++++++ --- /var/tmp/diff_new_pack.TGCTqk/_old 2018-11-28 11:09:32.131221625 +0100 +++ /var/tmp/diff_new_pack.TGCTqk/_new 2018-11-28 11:09:32.135221621 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ #
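Review bot: in the libsndfile-progs.changes hunk the entry now says "sndfile-deinterleave" but the patch it lists is still named sndfile-deinterlace-channels-check.patch, so the tool name and the patch file name disagree; either keep one spelling or note in the entry that the file name is historical. The entry also carries the date Fri Jul 6 2018 while it is checked in on 2018-11-28 and already references bsc#1116993 and CVE-2018-19432, which the July entry in libsndfile.changes did not have; a second dated entry would record when the second reference was attached.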
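Review bot: the libsndfile.changes hunk (@@ -4,2 +4,3 @@) rewrites an existing changelog entry in place to add bsc#1116993 and CVE-2018-19432 instead of adding a new dated entry, so the changelog no longer shows when the second CVE was associated with the fix; consider a new entry at the check-in date that refers back to the July one. The "deinterlace" to "deinterleave" spelling fix in the same hunk is fine.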
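Review bot: in the libsndfile-progs.spec Patch-definition hunk (@@ -26,6 +26,20 @@), Patch32, Patch33 and Patch34 are marked "# not yet upstreamed" without any tracking reference, whereas Patch31 cites https://github.com/erikd/libsndfile/issues/317; add the bug or upstream PR for each (the CVE ids for Patch32 and Patch33 are already in the file names) so the patches can be reviewed and dropped at the next version bump. The single "# PATCH-FIX-UPSTREAM" line above Patch1 through Patch30 likewise names no upstream commits; one comment per patch with its reference is easier to audit.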
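Review bot: the %prep hunk (@@ -41,6 +55,16 @@) applies all ten patches with -p1 in the same order as the Patch definitions, which is consistent; the changelog says this list is meant to mirror libsndfile.spec, yet the only change shown for libsndfile.spec in this diff is the http to https comment fix, so the libsndfile.spec patch list is not visible here and it is worth confirming that both spec files apply the same ten patches, since the library code compiled into sndfile-deinterleave would otherwise differ from the packaged library.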