commit mpg123 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2024-11-03 07:17:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpg123 (Old) and /work/SRC/openSUSE:Factory/.mpg123.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mpg123" Sun Nov 3 07:17:21 2024 rev:42 rq:1220286 version:1.32.9 Changes: -------- --- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes 2024-10-28 15:17:43.528967967 +0100 +++ /work/SRC/openSUSE:Factory/.mpg123.new.2020/mpg123.changes 2024-11-03 07:17:37.795997850 +0100 @@ -1,0 +2,10 @@ +Sat Nov 2 13:09:30 UTC 2024 - Luigi Baldoni <aloisio@gmx.com> + +- Update to version 1.32.9 + libmpg123: + * Increase the library patchlevel, as was forgotten on previous + release. Now you can check for distversion >= 1.32.8 or + mpg123 libversion >= 48 patchlevel 3 to see if you're + vulnerable to CVE-2024-10573. + +------------------------------------------------------------------- Old: ---- mpg123-1.32.8.tar.bz2 mpg123-1.32.8.tar.bz2.sig New: ---- mpg123-1.32.9.tar.bz2 mpg123-1.32.9.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mpg123.spec ++++++ --- /var/tmp/diff_new_pack.2KovVU/_old 2024-11-03 07:17:38.312019414 +0100 +++ /var/tmp/diff_new_pack.2KovVU/_new 2024-11-03 07:17:38.316019582 +0100 @@ -18,7 +18,7 @@ %define sover 0 Name: mpg123 -Version: 1.32.8 +Version: 1.32.9 Release: 0 Summary: Console MPEG audio player and decoder library License: LGPL-2.1-only ++++++ mpg123-1.32.8.tar.bz2 -> mpg123-1.32.9.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/NEWS new/mpg123-1.32.9/NEWS --- old/mpg123-1.32.8/NEWS 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/NEWS 2024-11-01 09:07:23.000000000 +0100 
@@ -1,3 +1,13 @@ +1.32.9 +------ +- libmpg123: +-- enable 64 bit offset path for MSVCRT and avoid warnings about + MS's game about POSIX API with and without underscores (bug 373). +-- Increase the library patchlevel, as was forgotten on previous + release. Now you can check for distversion >= 1.32.8 or + mpg123 libversion >= 48 patchlevel 3 to see if you're vulnerable + to CVE-2024-10573. + 1.32.8 ------ - libmpg123: @@ -6,7 +16,7 @@ (github PR 15). -- Prevent premature application of header info into decoding structure, at worst having triggered out-of-bounds writes of decoded PCM data - (bug 322, again). + (bug 322, again). The bug got named CVE-2024-10573. - out123: Show --quiet in --longhelp. 1.32.7 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/TODO new/mpg123-1.32.9/TODO --- old/mpg123-1.32.8/TODO 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/TODO 2024-11-01 09:08:46.000000000 +0100 @@ -1,3 +1,6 @@ +One current thing: Cleanup mpg123_noise() ... remove that accidentally public symbol +or make it official. The functionality is in syn123 and it was never documented. + Things that need to be done... ... as always, mostly outdated. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/configure new/mpg123-1.32.9/configure --- old/mpg123-1.32.8/configure 2024-10-26 16:34:23.000000000 +0200 +++ new/mpg123-1.32.9/configure 2024-11-01 09:14:05.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for mpg123 1.32.8. +# Generated by GNU Autoconf 2.71 for mpg123 1.32.9. # # Report bugs to <maintainer@mpg123.org>. # 
@@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='mpg123' PACKAGE_TARNAME='mpg123' -PACKAGE_VERSION='1.32.8' -PACKAGE_STRING='mpg123 1.32.8' +PACKAGE_VERSION='1.32.9' +PACKAGE_STRING='mpg123 1.32.9' PACKAGE_BUGREPORT='maintainer@mpg123.org' PACKAGE_URL='' @@ -1727,7 +1727,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mpg123 1.32.8 to adapt to many kinds of systems. +\`configure' configures mpg123 1.32.9 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1798,7 +1798,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mpg123 1.32.8:";; + short | recursive ) echo "Configuration of mpg123 1.32.9:";; esac cat <<\_ACEOF @@ -2076,7 +2076,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mpg123 configure 1.32.8 +mpg123 configure 1.32.9 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2621,7 +2621,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mpg123 $as_me 1.32.8, which was +It was created by mpg123 $as_me 1.32.9, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3390,7 +3390,7 @@ -LIBMPG123_VERSION=48:2:48 +LIBMPG123_VERSION=48:3:48 LIBOUT123_VERSION=5:1:5 LIBSYN123_VERSION=2:3:2 @@ -3991,7 +3991,7 @@ # Define the identity of the package. PACKAGE='mpg123' - VERSION='1.32.8' + VERSION='1.32.9' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -22453,7 +22453,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mpg123 $as_me 1.32.8, which was +This file was extended by mpg123 $as_me 1.32.9, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22521,7 +22521,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -mpg123 config.status 1.32.8 +mpg123 config.status 1.32.9 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/mpg123.spec new/mpg123-1.32.9/mpg123.spec --- old/mpg123-1.32.8/mpg123.spec 2024-10-26 16:35:23.000000000 +0200 +++ new/mpg123-1.32.9/mpg123.spec 2024-11-01 09:14:42.000000000 +0100 @@ -3,7 +3,7 @@ # - devel packages for alsa, sdl, etc... to build the respective output modules. Summary: The fast console mpeg audio decoder/player. Name: mpg123 -Version: 1.32.8 +Version: 1.32.9 Release: 1 URL: http://www.mpg123.org/ License: GPL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/src/compat/compat.c new/mpg123-1.32.9/src/compat/compat.c --- old/mpg123-1.32.8/src/compat/compat.c 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/src/compat/compat.c 2024-11-01 09:07:23.000000000 +0100 @@ -88,7 +88,7 @@ open_fallback: #endif -#if (defined(WIN32) && !defined (__CYGWIN__)) +#if defined(MPG123_COMPAT_MSVCRT_IO) /* MSDN says POSIX function is deprecated beginning in Visual C++ 2005 */ /* Try plain old _open(), if it fails, do nothing */ ret = _open(filename, flags|_O_BINARY, _S_IREAD | _S_IWRITE); 
@@ -138,12 +138,16 @@ FILE* INT123_compat_fdopen(int fd, const char *mode) { +#if defined(MPG123_COMPAT_MSVCRT_IO) + return _fdopen(fd, mode); +#else return fdopen(fd, mode); +#endif } int INT123_compat_close(int infd) { -#if (defined(WIN32) && !defined (__CYGWIN__)) /* MSDN says POSIX function is deprecated beginning in Visual C++ 2005 */ +#if defined(MPG123_COMPAT_MSVCRT_IO) return _close(infd); #else return close(infd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/src/compat/compat.h new/mpg123-1.32.9/src/compat/compat.h --- old/mpg123-1.32.8/src/compat/compat.h 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/src/compat/compat.h 2024-11-01 09:07:23.000000000 +0100 
@@ -110,7 +110,42 @@ typedef unsigned char byte; +#if (defined(_UCRT) || defined(_MSC_VER) || (defined(__MINGW32__) || defined(__MINGW64__)) || (defined(__WATCOMC__) && defined(__NT__))) && !defined(__CYGWIN__) +#define MPG123_COMPAT_MSVCRT_IO +#endif + +#if defined(MPG123_COMPAT_MSVCRT_IO) +#if defined(_UCRT) +// needs to get checked separately from MSVC and MinGW becuase it is also used by native Clang on Windows +#ifndef MPG123_COMPAT_MSVCRT_IO_64 +#define MPG123_COMPAT_MSVCRT_IO_64 +#endif +#endif #if defined(_MSC_VER) +#if (_MSC_VER >= 1200) +// >= VC6 +#ifndef MPG123_COMPAT_MSVCRT_IO_64 +#define MPG123_COMPAT_MSVCRT_IO_64 +#endif +#endif +#endif +#if defined(__MINGW32__) || defined(__MINGW64__) +#if (defined(__MSVCRT__) || defined(_UCRT)) && !defined(__CRTDLL__) +#ifndef MPG123_COMPAT_MSVCRT_IO_64 +#define MPG123_COMPAT_MSVCRT_IO_64 +#endif +#endif +#endif +#if defined(__WATCOMC__) && defined(__NT__) +#if (__WATCOMC__ >= 1100) +#ifndef MPG123_COMPAT_MSVCRT_IO_64 +#define MPG123_COMPAT_MSVCRT_IO_64 +#endif +#endif +#endif +#endif + +#if defined(HAVE__SETMODE) || defined(HAVE_SETMODE) || defined(MPG123_COMPAT_MSVCRT_IO) // For _setmode(), at least. #include <io.h> #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/src/include/mpg123.h new/mpg123-1.32.9/src/include/mpg123.h --- old/mpg123-1.32.8/src/include/mpg123.h 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/src/include/mpg123.h 2024-11-01 09:08:11.000000000 +0100 
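Review bot: Neither `MPG123_COMPAT_MSVCRT_IO` nor `MPG123_COMPAT_MSVCRT_IO_64` is documented where it is defined, although the rest of the commit keys every underscore-prefixed I/O call and the `_lseeki64` path on them. A short comment above the first `#if` would help, for example `// MPG123_COMPAT_MSVCRT_IO: use the MSVCRT underscore I/O names (_open, _close, _read, _lseek); MPG123_COMPAT_MSVCRT_IO_64: _lseeki64 is available for 64 bit offsets.` The four identical `#ifndef MPG123_COMPAT_MSVCRT_IO_64` / `#define` / `#endif` groups could be folded into one `#if` with the toolchain tests or-ed together, and the new `_UCRT` comment has a typo, `becuase`. The widened `#include <io.h>` guard now also fires on `HAVE_SETMODE`; whether configure can set that on a system without `io.h` is not visible here and is worth confirming.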
@@ -19,7 +19,7 @@ */ #define MPG123_API_VERSION 48 /** library patch level at client build time */ -#define MPG123_PATCHLEVEL 2 +#define MPG123_PATCHLEVEL 3 #ifndef MPG123_EXPORT /** Defines needed for MS Visual Studio(tm) DLL builds. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/src/libmpg123/lfs_wrap.c new/mpg123-1.32.9/src/libmpg123/lfs_wrap.c --- old/mpg123-1.32.8/src/libmpg123/lfs_wrap.c 2024-10-26 16:33:46.000000000 +0200 +++ new/mpg123-1.32.9/src/libmpg123/lfs_wrap.c 2024-11-01 09:08:01.000000000 +0100 @@ -137,7 +137,11 @@ if(ioh->my_fd >= 0) { mdebug("closing my fd %d", ioh->my_fd); +#if defined(MPG123_COMPAT_MSVCRT_IO) + _close(ioh->my_fd); +#else close(ioh->my_fd); +#endif ioh->my_fd = -1; } } @@ -699,6 +703,35 @@ return -1; } +// Defining a wrapper to the native read to be sure the prototype matches. +// There are platforms where it is read(int, void*, unsigned int). +// We know that we read small chunks where the difference does not matter. Could +// apply specific hackery, use a common compat_read() (INT123_unintr_read()?) with system +// specifics. +static mpg123_ssize_t fallback_read(int fd, void *buf, size_t count) +{ +#if defined(MPG123_COMPAT_MSVCRT_IO) + if(count > UINT_MAX) + { + errno = EOVERFLOW; + return -1; + } + return _read(fd, buf, (unsigned int)count); +#else + return read(fd, buf, count); +#endif +} + +static off_t fallback_lseek(int fd, off_t offset, int whence) +{ +#if defined(MPG123_COMPAT_MSVCRT_IO) + // Off_t is 32 bit and does fit into long. We know that. + return _lseek(fd, (long)offset, whence); +#else + return lseek(fd, offset, whence); +#endif +} + // This is assuming an internally opened file, which usually will be // using 64 bit offsets. It keeps reading on on trivial interruptions. // I guess any file descriptor that matches the libc should work fine. 
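Review bot: The `_close`/`close` switch added around `ioh->my_fd` in the `@@ -137,7 +137,11 @@` hunk repeats the branch that `INT123_compat_close()` in src/compat/compat.c already contains after this commit, so the cleanup could be the single line `INT123_compat_close(ioh->my_fd);` with no preprocessor block. That assumes lfs_wrap.c can see the compat declarations, which the hunk does not show. The return value of the close is dropped in both branches; if that is deliberate best-effort cleanup, a brief comment saying so would help. The enclosing function starts and ends outside the hunk.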
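Review bot: `fallback_lseek()` in the `@@ -699,6 +703,35 @@` hunk narrows `offset` with `(long)offset` on the MSVCRT path and relies on the comment's claim that `off_t` is 32 bit, but nothing in the hunk enforces that. If a toolchain selected by `MPG123_COMPAT_MSVCRT_IO` is built with a 64-bit `off_t`, an offset beyond `LONG_MAX` would be truncated and `_lseek` would silently seek to the wrong position. This function also becomes the default `r_lseek` in the later `@@ -902,7 +927,7 @@` hunk, so the assumption reaches callers that never supplied their own seek. A guard before the call, in the style of the `OFF_MIN`/`OFF_MAX` check the wrapper lseek already uses, would turn truncation into an error: `if(offset < LONG_MIN || offset > LONG_MAX) { errno = EOVERFLOW; return -1; }`. Whether `<limits.h>` and `<errno.h>` are already included for `UINT_MAX`, `LONG_MAX` and `EOVERFLOW` is not visible in the hunk.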
@@ -730,7 +763,7 @@ } #endif errno = 0; - ptrdiff_t part = read(fd, (char*)buf+got, bytes); + ptrdiff_t part = fallback_read(fd, (char*)buf+got, bytes); if(part > 0) // == 0 is end of file { SATURATE_SUB(bytes, part, 0) @@ -755,13 +788,15 @@ struct wrap_data* ioh = handle; #ifdef LFS_LARGEFILE_64 return lseek64(ioh->fd, offset, whence); +#elif defined(MPG123_COMPAT_MSVCRT_IO_64) + return _lseeki64(ioh->fd, offset, whence); #else if(offset < OFF_MIN || offset > OFF_MAX) { errno = EOVERFLOW; return -1; } - return lseek(ioh->fd, (off_t)offset, whence); + return fallback_lseek(ioh->fd, (off_t)offset, whence); #endif } @@ -861,16 +896,6 @@ // So, native off_t reader replacement. -// Defining a wrapper to the native read to be sure the prototype matches. -// There are platforms where it is read(int, void*, unsigned int). -// We know that we read small chunks where the difference does not matter. Could -// apply specific hackery, use a common compat_read() (INT123_unintr_read()?) with system -// specifics. -static mpg123_ssize_t fallback_read(int fd, void *buf, size_t count) -{ - return read(fd, buf, count); -} - // In forced 64 bit offset mode, the only definitions of these are // the _64 ones. #ifdef FORCED_OFF_64 @@ -902,7 +927,7 @@ ioh->iotype = IO_FD; ioh->fd = -1; /* On next mpg123_open_fd(), this gets a value. */ ioh->r_read = r_read != NULL ? r_read : fallback_read; - ioh->r_lseek = r_lseek != NULL ? r_lseek : lseek; + ioh->r_lseek = r_lseek != NULL ? r_lseek : fallback_lseek; } /* The real reader replacement will happen while opening. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.32.8/src/version.h new/mpg123-1.32.9/src/version.h --- old/mpg123-1.32.8/src/version.h 2024-10-26 16:33:59.000000000 +0200 +++ new/mpg123-1.32.9/src/version.h 2024-11-01 09:07:23.000000000 +0100 
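Review bot: The read loop in the `@@ -730,7 +763,7 @@` hunk now hands the whole remaining `bytes` to `fallback_read()`, which on the MSVCRT path rejects any count above `UINT_MAX` with `EOVERFLOW` instead of reading a first chunk. The loop appears to cope with short reads already (it subtracts `part` and continues at `buf+got`), so clamping the request would be more robust than failing. As far as I know `_read` treats a count above `INT_MAX` as an invalid parameter, which makes `INT_MAX` the safer bound than `UINT_MAX`. In `fallback_read()` that would be `if(count > INT_MAX) count = INT_MAX;` in place of the error return. The enclosing function starts and ends outside the hunk.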
@@ -16,7 +16,7 @@
 // only single spaces as separator to ease parsing by build scripts
 #define MPG123_MAJOR 1
 #define MPG123_MINOR 32
-#define MPG123_PATCH 8
+#define MPG123_PATCH 9
 // Don't get too wild with that to avoid confusing m4. No brackets.
 // Also, it should fit well into a sane file name for the tarball.
 #define MPG123_SUFFIX ""