Hello community, here is the log from the commit of package vorbis-tools checked in at Fri Apr 25 16:47:32 CEST 2008. -------- --- vorbis-tools/vorbis-tools.changes 2007-10-31 12:12:14.000000000 +0100 +++ /mounts/work_src_done/STABLE/vorbis-tools/vorbis-tools.changes 2008-04-17 18:41:38.075280000 +0200 @@ -1,0 +2,6 @@ +Mon Apr 14 16:39:22 CEST 2008 - tiwai@suse.de + +- VUL-0: speex insufficient bounds checking (bnc#379098, + CVE-2008-1686) + +------------------------------------------------------------------- New: ---- vorbis-tools-1.1.1-bounds-check-fix.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vorbis-tools.spec ++++++ --- /var/tmp/diff_new_pack.P24898/_old 2008-04-25 16:47:22.000000000 +0200 +++ /var/tmp/diff_new_pack.P24898/_new 2008-04-25 16:47:22.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package vorbis-tools (Version 1.1.1) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -10,11 +10,12 @@ # norootforbuild + Name: vorbis-tools BuildRequires: alsa-devel audiofile-devel curl-devel flac-devel libao-devel libvorbis-devel pkgconfig speex-devel Summary: Ogg Vorbis Tools Version: 1.1.1 -Release: 123 +Release: 172 Group: Productivity/Multimedia/Sound/Utilities License: GPL v2 or later Url: http://www.xiph.org/ @@ -24,6 +25,7 @@ Patch2: vorbis-tools-config.diff Patch3: vorbis-tools-%{version}-curl-7.16.diff Patch4: vorbis-tools-flac-1.1.3.diff +Patch5: vorbis-tools-1.1.1-bounds-check-fix.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -45,6 +47,7 @@ %patch2 %patch3 %patch4 +%patch5 %build %{?suse_update_config:%{suse_update_config -f}} 
@@ -69,55 +72,59 @@ %doc %{_mandir}/man?/* %{_bindir}/* %{_datadir}/locale/*/*/* + %changelog -* Wed Oct 31 2007 - tiwai@suse.de +* Mon Apr 14 2008 tiwai@suse.de +- VUL-0: speex insufficient bounds checking (bnc#379098, + CVE-2008-1686) +* Wed Oct 31 2007 tiwai@suse.de - add support of FLAC 1.1.3 or later (#337916) - use find_lang -* Fri Feb 02 2007 - mmarek@suse.cz +* Fri Feb 02 2007 mmarek@suse.cz - fix build with curl-7.16 - fixed some more compiler warnings -* Mon Oct 16 2006 - schwab@suse.de +* Mon Oct 16 2006 schwab@suse.de - Make sure config.rpath is present. -* Wed Aug 23 2006 - tiwai@suse.de +* Wed Aug 23 2006 tiwai@suse.de - build missing vcut command (#201242) -* Sat Apr 08 2006 - schwab@suse.de +* Sat Apr 08 2006 schwab@suse.de - Include "config.h" before using HAVE_* macros. -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Tue Oct 18 2005 - tiwai@suse.de +* Tue Oct 18 2005 tiwai@suse.de - updated to version 1.1.1. - added flac-* and speex-* to neededforbuild. -* Thu Jul 07 2005 - tiwai@suse.de +* Thu Jul 07 2005 tiwai@suse.de - removed -fsigned-char option (#93888). -* Thu Apr 14 2005 - sbrabec@suse.cz +* Thu Apr 14 2005 sbrabec@suse.cz - Added audiofile-devel to neededforbuild. -* Fri Apr 08 2005 - tiwai@suse.de +* Fri Apr 08 2005 tiwai@suse.de - fixed the build with the new gettext-0.14.3. -* Mon Jan 12 2004 - adrian@suse.de +* Mon Jan 12 2004 adrian@suse.de - build as user -* Fri Jan 09 2004 - tiwai@suse.de +* Fri Jan 09 2004 tiwai@suse.de - updated to version 1.0.1. - enabled autoreconf again. -* Fri Jun 06 2003 - kukuk@suse.de +* Fri Jun 06 2003 kukuk@suse.de - Remove wrong doc dir -* Mon Jul 22 2002 - tiwai@suse.de +* Mon Jul 22 2002 tiwai@suse.de - updated to 1.0. -* Fri Jan 04 2002 - tiwai@suse.de +* Fri Jan 04 2002 tiwai@suse.de - updated to RC3. sync with cvs 2002.01.04. now encoding with low variable rates is supported. - added curl and curl-devel to neededforbuild. 
-* Tue Dec 04 2001 - tiwai@suse.de +* Tue Dec 04 2001 tiwai@suse.de - sync with cvs 2001.12.04. -* Wed Oct 24 2001 - tiwai@suse.de +* Wed Oct 24 2001 tiwai@suse.de - sync with cvs 20011024. - removed explicit Requires to libraries. -* Mon Aug 13 2001 - tiwai@suse.de +* Mon Aug 13 2001 tiwai@suse.de - updated to 1.0rc2 from cvs 20010813. -* Fri Jul 13 2001 - grimmer@suse.de +* Fri Jul 13 2001 grimmer@suse.de - Fixed file list (using wildcards instead of shared directory names) -* Mon Feb 26 2001 - tiwai@suse.de +* Mon Feb 26 2001 tiwai@suse.de - Updated to 1.0beta4. -* Wed Jan 31 2001 - tiwai@suse.de +* Wed Jan 31 2001 tiwai@suse.de - Initial version: 1.0beta3. ++++++ vorbis-tools-1.1.1-bounds-check-fix.diff ++++++ --- ogg123/speex_format.c-dist 2008-04-14 15:57:14.000000000 +0200 +++ ogg123/speex_format.c 2008-04-14 15:58:54.000000000 +0200 @@ -471,7 +471,7 @@ void *process_header(ogg_packet *op, int cb->printf_error(callback_arg, ERROR, _("Cannot read header")); return NULL; } - if ((*header)->mode >= SPEEX_NB_MODES) { + if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) { cb->printf_error(callback_arg, ERROR, _("Mode number %d does not (any longer) exist in this version"), (*header)->mode); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
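Review bot: In the %changelog hunk of vorbis-tools.spec (@@ -69,55 +72,59 @@), every existing entry header is rewritten from the form `* Wed Oct 31 2007 - tiwai@suse.de` to `* Wed Oct 31 2007 tiwai@suse.de` in the same change that adds the CVE-2008-1686 entry, so the one security-relevant addition is buried in formatting churn. If the header format change is intended, it would be easier to audit as a separate change. The new entry says only "speex insufficient bounds checking"; naming the affected file, ogg123/speex_format.c, would let a reader of the changelog see that the fix is in this package's Speex header handling.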
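Review bot: In the process_header hunk of vorbis-tools-1.1.1-bounds-check-fix.diff, the new `(*header)->mode < 0` case falls through to the existing message "Mode number %d does not (any longer) exist in this version", which misdescribes a negative value taken from a malformed header. Consider a separate message for the negative case, or reword the shared one so it covers any out-of-range mode. A short comment above the condition stating that mode comes from the packet header and must be checked against both bounds would document why the lower bound is there, and writing the test as `(*header)->mode < 0 || (*header)->mode >= SPEEX_NB_MODES` reads as a conventional range check.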