Hello community, here is the log from the commit of package flac for openSUSE:Factory checked in at 2014-11-28 08:47:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/flac (Old) and /work/SRC/openSUSE:Factory/.flac.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "flac" Changes: -------- --- /work/SRC/openSUSE:Factory/flac/flac.changes 2013-07-01 15:53:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.flac.new/flac.changes 2014-11-28 08:47:08.000000000 +0100 @@ -1,0 +2,11 @@ +Wed Nov 26 09:56:05 CET 2014 - tiwai@suse.de + +- A couple of security fixes: + * flac-fix-CVE-2014-8962.patch: + arbitrary code execution by a stack overflow (CVE-2014-8692, + bnc#906831) + * flac-fix-CVE-2014-9028.patch: + Heap overflow via specially crafted .flac files (CVE-2014-9028, + bnc#907016) + +------------------------------------------------------------------- New: ---- flac-fix-CVE-2014-8962.patch flac-fix-CVE-2014-9028.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ flac.spec ++++++ --- /var/tmp/diff_new_pack.hbweWs/_old 2014-11-28 08:47:09.000000000 +0100 +++ /var/tmp/diff_new_pack.hbweWs/_new 2014-11-28 08:47:09.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package flac # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,8 @@ Patch2: 0001-Allow-use-of-openSSL.patch Patch3: flac-fix-pkgconfig.patch Patch5: 0001-getopt_long-not-broken-here.patch +Patch6: flac-fix-CVE-2014-8962.patch +Patch7: flac-fix-CVE-2014-9028.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf >= 2.60 BuildRequires: automake >= 1.11 
@@ -88,6 +90,8 @@ %patch2 -p1 %patch3 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build touch config.rpath ++++++ flac-fix-CVE-2014-8962.patch ++++++
From 5b3033a2b355068c11fe637e14ac742d273f076e Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo
Date: Tue, 18 Nov 2014 07:20:25 -0800
Subject: [PATCH] src/libFLAC/stream_decoder.c : Fix buffer read overflow.

This is CVE-2014-8962.
Reported-by: Michele Spagnuolo, Google Security Team

From fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo
Date: Wed, 19 Nov 2014 19:35:59 -0800
Subject: [PATCH] src/libFACL/stream_decoder.c : Fail safely to avoid a heap overflow.

A file provided by the reporters caused the stream decoder to write to
un-allocated heap space resulting in a segfault. The solution is to
error out (by returning false from read_residual_partitioned_rice_())
instead of trying to continue to decode.
Fixes: CVE-2014-9028
Reported-by: Michele Spagnuolo, Google Security Team
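
Review bot: The CVE identifier in the new flac.changes entry for flac-fix-CVE-2014-8962.patch is written as CVE-2014-8692, which does not match the patch filename or the upstream commit message ("This is CVE-2014-8962"). The digits appear transposed; the entry should read CVE-2014-8962 so that changelog searches and tooling keyed on the CVE id find this fix against bnc#906831. The same entry calls the issue a stack overflow while the upstream subject line calls it a buffer read overflow, so it is worth aligning the changelog wording with the upstream description.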