commit libebml for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libebml for openSUSE:Factory checked in at 2024-01-04 15:54:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libebml (Old) and /work/SRC/openSUSE:Factory/.libebml.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libebml" Thu Jan 4 15:54:37 2024 rev:53 rq:1135842 version:1.4.5 Changes: -------- --- /work/SRC/openSUSE:Factory/libebml/libebml.changes 2022-10-10 18:47:11.999209973 +0200 +++ /work/SRC/openSUSE:Factory/.libebml.new.28375/libebml.changes 2024-01-04 15:54:39.066499269 +0100 @@ -1,0 +2,7 @@ +Thu Dec 28 12:53:21 UTC 2023 - Dirk Müller <dmueller@suse.com> + +- update to 1.4.5 (bsc#1218432): + * Fix invalid memory access (reading beyond allocated memory) + due to missing integer overflow check. + +------------------------------------------------------------------- Old: ---- libebml-1.4.4.tar.xz New: ---- libebml-1.4.5.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libebml.spec ++++++ --- /var/tmp/diff_new_pack.L23Brm/_old 2024-01-04 15:54:39.714522942 +0100 +++ /var/tmp/diff_new_pack.L23Brm/_new 2024-01-04 15:54:39.718523087 +0100 @@ -1,7 +1,7 @@ # # spec file for package libebml # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,7 +18,7 @@ %define soname 5 Name: libebml -Version: 1.4.4 +Version: 1.4.5 Release: 0 Summary: Library to parse EBML (Extensible Binary Markup Language) files License: LGPL-2.1-or-later ++++++ libebml-1.4.4.tar.xz -> libebml-1.4.5.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/.github/workflows/abibreak.yaml new/libebml-1.4.5/.github/workflows/abibreak.yaml --- old/libebml-1.4.4/.github/workflows/abibreak.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/libebml-1.4.5/.github/workflows/abibreak.yaml 2023-12-12 21:19:04.000000000 +0100 
@@ -0,0 +1,48 @@ +name: "ABI Breakage" +on: + push: + branches: [ v1.x ] + pull_request: + +jobs: + test_abidiff: + name: abidiff + runs-on: ubuntu-latest + steps: + - uses: lukka/get-cmake@latest + + - name: Get pushed code + uses: actions/checkout@v3 + + - name: Configure + run: cmake -S . -B _build -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX:STRING=${GITHUB_WORKSPACE}/_built + + - name: Build + run: cmake --build _build --parallel + + - name: Install + run: cmake --install _build --prefix ${GITHUB_WORKSPACE}/_built + + - name: Get v1.x code + uses: actions/checkout@v3 + with: + path: libebml-1 + ref: v1.x + + - name: Configure v1.x + run: cmake -S libebml-1 -B _build_1 -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX:STRING=${GITHUB_WORKSPACE}/_built_1 + + - name: Build v1.x + run: cmake --build _build_1 --parallel + + - name: Install v1.x + run: cmake --install _build_1 --prefix ${GITHUB_WORKSPACE}/_built_1 + + - name: Get abidiff + run: | + sudo apt update + sudo apt install abigail-tools + + - name: Check ABI differences + run: abidiff ${GITHUB_WORKSPACE}/_built/lib/libebml.so ${GITHUB_WORKSPACE}/_built_1/lib/libebml.so + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/.github/workflows/linux-gcc10.yaml new/libebml-1.4.5/.github/workflows/linux-gcc10.yaml --- old/libebml-1.4.4/.github/workflows/linux-gcc10.yaml 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/.github/workflows/linux-gcc10.yaml 2023-12-12 21:19:04.000000000 +0100 
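Review bot: `uses: lukka/get-cmake@latest` in the abidiff job follows a mutable tag of a third-party action, so the code that runs on each push and pull request can change without any change in this repository. Pinning it to a full commit SHA, `uses: lukka/get-cmake@<full-commit-sha>` (placeholder), keeps the job reproducible and reviewable; the same applies, less urgently, to the two `actions/checkout@v3` steps. The workflow also sets no `permissions:` key, and since the job only builds two trees and runs abidiff, a top-level `permissions:` with `contents: read` would be enough.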
@@ -1,7 +1,7 @@ name: "Linux gcc10 Build" on: push: - branches: [ master ] + branches: [ v1.x ] pull_request: # branches: [ master ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/.github/workflows/linux.yaml new/libebml-1.4.5/.github/workflows/linux.yaml --- old/libebml-1.4.4/.github/workflows/linux.yaml 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/.github/workflows/linux.yaml 2023-12-12 21:19:04.000000000 +0100 @@ -1,7 +1,7 @@ name: "Linux Build" on: push: - branches: [ master ] + branches: [ v1.x ] pull_request: # branches: [ master ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/.github/workflows/macos.yaml new/libebml-1.4.5/.github/workflows/macos.yaml --- old/libebml-1.4.4/.github/workflows/macos.yaml 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/.github/workflows/macos.yaml 2023-12-12 21:19:04.000000000 +0100 @@ -1,7 +1,7 @@ name: "macOS Build" on: push: - branches: [ master ] + branches: [ v1.x ] pull_request: # branches: [ master ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/.github/workflows/windows.yaml new/libebml-1.4.5/.github/workflows/windows.yaml --- old/libebml-1.4.4/.github/workflows/windows.yaml 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/.github/workflows/windows.yaml 2023-12-12 21:19:04.000000000 +0100 @@ -1,7 +1,7 @@ name: "Windows Build" on: push: - branches: [ master ] + branches: [ v1.x ] pull_request: # branches: [ master ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/CMakeLists.txt new/libebml-1.4.5/CMakeLists.txt --- old/libebml-1.4.4/CMakeLists.txt 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/CMakeLists.txt 2023-12-12 21:19:04.000000000 +0100 
@@ -1,6 +1,6 @@ cmake_minimum_required(VERSION 3.1.2) -project(ebml VERSION 1.4.4) +project(ebml VERSION 1.4.5) option(DISABLE_PKGCONFIG "Disable PkgConfig module generation" OFF) option(DISABLE_CMAKE_CONFIG "Disable CMake package config module generation" OFF) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/NEWS.md new/libebml-1.4.5/NEWS.md --- old/libebml-1.4.4/NEWS.md 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/NEWS.md 2023-12-12 21:19:04.000000000 +0100 @@ -1,3 +1,8 @@ +# Version 1.4.5 2023-12-12 + +* Fix invalid memory access (reading beyond allocated memory) due to + missing integer overflow check. + # Version 1.4.4 2022-10-08 * Fix ABI compatibility: unfortunately release 1.4.3 broke ABI diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/ebml/EbmlVersion.h new/libebml-1.4.5/ebml/EbmlVersion.h --- old/libebml-1.4.4/ebml/EbmlVersion.h 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/ebml/EbmlVersion.h 2023-12-12 21:19:04.000000000 +0100 @@ -42,7 +42,7 @@ namespace libebml { -#define LIBEBML_VERSION 0x010404 +#define LIBEBML_VERSION 0x010405 extern const EBML_DLL_API std::string EbmlCodeVersion; extern const EBML_DLL_API std::string EbmlCodeDate; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/src/EbmlVersion.cpp new/libebml-1.4.5/src/EbmlVersion.cpp --- old/libebml-1.4.4/src/EbmlVersion.cpp 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/src/EbmlVersion.cpp 2023-12-12 21:19:04.000000000 +0100 
@@ -38,7 +38,7 @@ namespace libebml { -const std::string EbmlCodeVersion = "1.4.4"; +const std::string EbmlCodeVersion = "1.4.5"; // Up to version 1.3.3 this library exported a build date string. As // this made the build non-reproducible, replace it by a placeholder to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libebml-1.4.4/src/MemIOCallback.cpp new/libebml-1.4.5/src/MemIOCallback.cpp --- old/libebml-1.4.4/src/MemIOCallback.cpp 2022-10-08 11:47:31.000000000 +0200 +++ new/libebml-1.4.5/src/MemIOCallback.cpp 2023-12-12 21:19:04.000000000 +0100 @@ -68,7 +68,8 @@ if (Buffer == nullptr || Size < 1) return 0; //If the size is larger than than the amount left in the buffer - if (Size + dataBufferPos > dataBufferTotalSize) { + if (Size + dataBufferPos < Size || // overflow, reading too much + Size + dataBufferPos > dataBufferTotalSize) { //We will only return the remaining data memcpy(Buffer, dataBuffer + dataBufferPos, dataBufferTotalSize - dataBufferPos); uint64 oldDataPos = dataBufferPos; @@ -95,6 +96,8 @@ size_t MemIOCallback::write(const void *Buffer, size_t Size) { + if (dataBufferPos + Size < Size) // overflow, we can't hold that much + return 0; if (dataBufferMemorySize < dataBufferPos + Size) { //We need more memory! dataBuffer = static_cast<binary *>(realloc(static_cast<void *>(dataBuffer), dataBufferPos + Size)); @@ -109,6 +112,8 @@ uint32 MemIOCallback::write(IOCallback & IOToRead, size_t Size) { + if (dataBufferPos + Size < Size) // overflow, we can't hold that much + return 0; if (dataBufferMemorySize < dataBufferPos + Size) { //We need more memory! dataBuffer = static_cast<binary *>(realloc(static_cast<void *>(dataBuffer), dataBufferPos + Size));
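Review bot: The truncated-read branch of MemIOCallback::read still computes the memcpy length as `dataBufferTotalSize - dataBufferPos`, which wraps if dataBufferPos is ever greater than dataBufferTotalSize; the added wrap test on `Size + dataBufferPos` does not cover that case. Whether the position can pass the total size depends on the seek code, which is outside this hunk, so an explicit guard is the safer form: `if (dataBufferPos >= dataBufferTotalSize) return 0;` followed by `if (Size > dataBufferTotalSize - dataBufferPos) {`. That form also removes the addition that can overflow, so the separate wrap test is no longer needed. The function starts before the hunk and continues after it.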
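Review bot: In MemIOCallback::write(const void *, size_t) the result of realloc is assigned straight to `dataBuffer`, so a failed allocation overwrites the only pointer to the old block, and unless a null check follows outside the hunk, the copy that comes next goes through a null pointer; the same line appears in write(IOCallback &, size_t) in the following hunk. Keep the old pointer until the call succeeds: `auto *grown = static_cast<binary *>(realloc(dataBuffer, dataBufferPos + Size));`, then `if (grown == nullptr) return 0;`, then `dataBuffer = grown;`. The added guard also tests for wrap in the width of `dataBufferPos`, which appears to be uint64 going by `uint64 oldDataPos = dataBufferPos` in read, so on a build where size_t is 32 bits the sum can still be narrowed when it is passed to realloc; rejecting sums above the maximum size_t value before the realloc would close that gap. Both functions continue past the end of their hunks.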