commit vorbis-tools.3604 for openSUSE:13.1:Update

Hello community, here is the log from the commit of package vorbis-tools.3604 for openSUSE:13.1:Update checked in at 2015-03-18 15:26:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/vorbis-tools.3604 (Old) and /work/SRC/openSUSE:13.1:Update/.vorbis-tools.3604.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "vorbis-tools.3604" Changes: -------- New Changes file: --- /dev/null 2015-03-12 01:14:30.992027505 +0100 +++ /work/SRC/openSUSE:13.1:Update/.vorbis-tools.3604.new/vorbis-tools.changes 2015-03-18 15:26:16.000000000 +0100 @@ -0,0 +1,183 @@ +------------------------------------------------------------------- +Fri Mar 6 15:24:00 CET 2015 - tiwai@suse.de + +- Fix division by zero and integer overflow by crafted WAV files + (CVE-2014-9638, CVE-2014-9639, bnc#914439, bnc#914441): + vorbis-tools-oggenc-CVE-2014-9639.patch + +------------------------------------------------------------------- +Tue Jan 27 18:04:18 CET 2015 - tiwai@suse.de + +- Fix segfault by a crafted raw file input (CVE-2014-9640, + bsc#914938): + vorbis-tools-r19117-CVE-2014-9640.patch + +------------------------------------------------------------------- +Tue Jul 22 15:32:43 CEST 2014 - tiwai@suse.de + +- vcut-fix-segfault.diff: Fix segfault of vcut (bnc#888360) + +------------------------------------------------------------------- +Fri Apr 5 09:54:32 UTC 2013 - idonmez@suse.com + +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Sat Mar 2 11:44:16 UTC 2013 - seife+obs@b1-systems.com + +- fix build with automake-1.13.1 + +------------------------------------------------------------------- +Sun Nov 20 06:29:49 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Sun Mar 6 22:59:51 UTC 2011 - asterios.dramis@gmail.com + +- Spec file updates: + * Fixed rpmlint warning "macro-in-comment". + +------------------------------------------------------------------- +Sun Mar 6 13:56:27 UTC 2011 - asterios.dramis@gmail.com + +- Update to version 1.4.0: + * Lots of changes (see CHANGES file). +- Spec file updates: + * Changes based on rpmdevtools templates and spec-cleaner run. + * Changed License: to GPLv2. + * Added description for the patches based on openSUSE Patches Guidelines. + * Updates in Buildrequires: and %description sections. + * Added a vorbis-tools-lang package (based on rpmlint warning + "package-with-huge-translation"). + * Updates in %build, %install and %files sections. +- Removed the following patches (fixed upstream): + * vorbis-tools-1.1.1-bounds-check-fix.diff + * vorbis-tools-1.1.1-curl-7.16.diff + * vorbis-tools-config.diff + * vorbis-tools-flac-1.1.3.diff +- Rebased the patch vorbis-tools-1.1.1-warning-fixes.diff (most are fixed + upstream and only one change is needed to fix rpm post-build-check failure). + Also renamed it to warning-fixes.diff. +- Rebased the patch for cflags. + +------------------------------------------------------------------- +Mon Apr 14 16:39:22 CEST 2008 - tiwai@suse.de + +- VUL-0: speex insufficient bounds checking (bnc#379098, + CVE-2008-1686) + +------------------------------------------------------------------- +Wed Oct 31 14:28:59 CET 2007 - tiwai@suse.de + +- add support of FLAC 1.1.3 or later (#337916) +- use find_lang + +------------------------------------------------------------------- +Fri Feb 2 11:12:59 CET 2007 - mmarek@suse.cz + +- fix build with curl-7.16 +- fixed some more compiler warnings + +------------------------------------------------------------------- +Mon Oct 16 00:28:47 CEST 2006 - schwab@suse.de + +- Make sure config.rpath is present. + +------------------------------------------------------------------- +Wed Aug 23 18:18:11 CEST 2006 - tiwai@suse.de + +- build missing vcut command (#201242) + +------------------------------------------------------------------- +Sat Apr 8 17:01:17 CEST 2006 - schwab@suse.de + +- Include "config.h" before using HAVE_* macros. + +------------------------------------------------------------------- +Wed Jan 25 21:42:43 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Tue Oct 18 15:39:18 CEST 2005 - tiwai@suse.de + +- updated to version 1.1.1. +- added flac-* and speex-* to neededforbuild. + +------------------------------------------------------------------- +Thu Jul 7 17:53:45 CEST 2005 - tiwai@suse.de + +- removed -fsigned-char option (#93888). + +------------------------------------------------------------------- +Thu Apr 14 17:17:06 CEST 2005 - sbrabec@suse.cz + +- Added audiofile-devel to neededforbuild. + +------------------------------------------------------------------- +Fri Apr 8 18:53:38 CEST 2005 - tiwai@suse.de + +- fixed the build with the new gettext-0.14.3. + +------------------------------------------------------------------- +Mon Jan 12 10:25:04 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Fri Jan 9 17:17:32 CET 2004 - tiwai@suse.de + +- updated to version 1.0.1. +- enabled autoreconf again. + +------------------------------------------------------------------- +Fri Jun 6 08:41:43 CEST 2003 - kukuk@suse.de + +- Remove wrong doc dir + +------------------------------------------------------------------- +Mon Jul 22 10:52:00 CEST 2002 - tiwai@suse.de + +- updated to 1.0. + +------------------------------------------------------------------- +Fri Jan 4 12:01:21 CET 2002 - tiwai@suse.de + +- updated to RC3. + sync with cvs 2002.01.04. + now encoding with low variable rates is supported. +- added curl and curl-devel to neededforbuild. + +------------------------------------------------------------------- +Tue Dec 4 11:26:25 CET 2001 - tiwai@suse.de + +- sync with cvs 2001.12.04. + +------------------------------------------------------------------- +Wed Oct 24 18:00:49 CEST 2001 - tiwai@suse.de + +- sync with cvs 20011024. +- removed explicit Requires to libraries. + +------------------------------------------------------------------- +Mon Aug 13 16:57:40 CEST 2001 - tiwai@suse.de + +- updated to 1.0rc2 from cvs 20010813. + +------------------------------------------------------------------- +Fri Jul 13 11:24:53 CEST 2001 - grimmer@suse.de + +- Fixed file list (using wildcards instead of shared directory + names) + +------------------------------------------------------------------- +Mon Feb 26 17:44:29 CET 2001 - tiwai@suse.de + +- Updated to 1.0beta4. + +------------------------------------------------------------------- +Wed Jan 31 12:40:06 CET 2001 - tiwai@suse.de + +- Initial version: 1.0beta3. + New: ---- vcut-fix-segfault.diff vorbis-tools-1.4.0.tar.gz vorbis-tools-cflags.diff vorbis-tools-oggenc-CVE-2014-9639.patch vorbis-tools-r19117-CVE-2014-9640.patch vorbis-tools.changes vorbis-tools.spec warning-fixes.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vorbis-tools.spec ++++++ # # spec file for package vorbis-tools # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: vorbis-tools Version: 1.4.0 Release: 0 Summary: Ogg Vorbis Tools License: GPL-2.0 Group: Productivity/Multimedia/Sound/Utilities Url: http://www.xiph.org/ Source0: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.gz # PATCH-FIX-OPENSUSE warning-fixes.diff -- Fix rpm post-build-check failure for serious compiler warnings Patch0: warning-fixes.diff # PATCH-FIX-OPENSUSE vorbis-tools-cflags.diff bnc#93888 -- Remove -fsigned-char option Patch1: vorbis-tools-cflags.diff # PATCH-FIX-OPENSUSE vcut-fix-segfault.diff bnc#888360 -- Fix segfault of vcut Patch2: vcut-fix-segfault.diff # PATCH-FIX-UPSTREAM vorbis-tools-r19117-CVE-2014-9640.patch bsc#914938 CVE-201409640 Patch3: vorbis-tools-r19117-CVE-2014-9640.patch # PATCH-FIX-SUSE vorbis-tools-oggenc-CVE-2014-9639.patch bnc#914439 bnc#914441 CVE-2014-9638 CVE-2014-9639 Patch4: vorbis-tools-oggenc-CVE-2014-9639.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flac-devel BuildRequires: gettext-tools BuildRequires: libao-devel BuildRequires: libcurl-devel %if 0%{?suse_version} >= 1140 BuildRequires: libkate-devel %endif BuildRequires: libtool BuildRequires: libvorbis-devel BuildRequires: pkg-config BuildRequires: speex-devel Recommends: %{name}-lang = %{version} %description This package contains some tools for Ogg Vorbis: oggenc (an encoder) and ogg123 (a playback tool). It also has vorbiscomment (to add comments to Vorbis files), ogginfo (to give all useful information about an Ogg file, including streams in it), oggdec (a simple command line decoder), and vcut (which allows you to cut up Vorbis files). Authors: -------- Michael Smith Kenneth Arnold Stan Seibert Segher Boessenkool Michael Gold Xiphophorus Company %lang_package %prep %setup -q %patch0 %patch1 %patch2 -p1 %patch3 -p1 %patch4 -p1 # automake 1.13 deprecated AM_CONFIG_HEADER sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac %build # Because of patch vorbis-tools-cflags.diff regenerate build system %{?suse_update_config:%{suse_update_config -f}} cp /usr/share/gettext/config.rpath . autoreconf --force --install # test ! -f po/Makevars.template || mv po/Makevars.template po/Makevars %configure --disable-rpath make %{?_smp_mflags} %install %make_install # Remove unneeded files (they will be included in /usr/share/doc/packages/vorbis-tools/) rm -rf %{buildroot}%{_datadir}/doc/%{name}-%{version}/ %find_lang %{name} %clean rm -rf %{buildroot} %files %defattr(-,root,root,-) %doc AUTHORS CHANGES COPYING README %doc ogg123/ogg123rc-example %{_bindir}/ogg123 %{_bindir}/oggdec %{_bindir}/oggenc %{_bindir}/ogginfo %{_bindir}/vcut %{_bindir}/vorbiscomment %doc %{_mandir}/man1/ogg123.1%{ext_man} %doc %{_mandir}/man1/oggdec.1%{ext_man} %doc %{_mandir}/man1/oggenc.1%{ext_man} %doc %{_mandir}/man1/ogginfo.1%{ext_man} %doc %{_mandir}/man1/vcut.1%{ext_man} %doc %{_mandir}/man1/vorbiscomment.1%{ext_man} %files lang -f %{name}.lang %defattr(-,root,root,-) %changelog ++++++ vcut-fix-segfault.diff ++++++ --- vcut/vcut.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/vcut/vcut.c +++ b/vcut/vcut.c @@ -178,7 +178,7 @@ static int submit_headers_to_stream(vcut for(i=0;i<4;i++) { ogg_packet p; - if(i < 4) /* a header packet */ + if(i < 3) /* a header packet */ { p.bytes = vs->headers[i].length; p.packet = vs->headers[i].packet; ++++++ vorbis-tools-cflags.diff ++++++ --- configure.ac 2010-03-26 09:07:07.000000000 +0200 +++ configure.ac.new 2011-03-06 14:57:31.446178384 +0200 @@ -66,9 +66,9 @@ else case $host in *-*-linux*) - DEBUG="-g -Wall -fsigned-char" - CFLAGS="-O2 -Wall -ffast-math -fsigned-char" - PROFILE="-Wall -W -pg -g -O2 -ffast-math -fsigned-char" + DEBUG="-g -Wall" + CFLAGS="-O2 -Wall -ffast-math" + PROFILE="-Wall -W -pg -g -O2 -ffast-math" ;; sparc-sun-*) DEBUG="-g -Wall -fsigned-char -mv8" ++++++ vorbis-tools-oggenc-CVE-2014-9639.patch ++++++ Fix CVE-2014-9638 (bnc#914439) CVE-2014-9639 (bnc#914441) --- oggenc/audio.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) --- a/oggenc/audio.c +++ b/oggenc/audio.c @@ -13,6 +13,7 @@ #include #endif +#include #include #include #include @@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt, aiff_fmt format; aifffile *aiff = malloc(sizeof(aifffile)); int i; + long channels; if(buf[11]=='C') aifc=1; @@ -277,11 +279,17 @@ int aiff_open(FILE *in, oe_enc_opt *opt, return 0; } - format.channels = READ_U16_BE(buffer); + format.channels = channels = READ_U16_BE(buffer); format.totalframes = READ_U32_BE(buffer+2); format.samplesize = READ_U16_BE(buffer+6); format.rate = (int)read_IEEE80(buffer+8); + if(channels <= 0L || SHRT_MAX < channels) + { + fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n")); + return 0; + } + aiff->bigendian = 1; if(aifc) @@ -412,6 +420,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, wav_fmt format; wavfile *wav = malloc(sizeof(wavfile)); int i; + long channels; /* Ok. At this point, we know we have a WAV file. Now we have to detect * whether we support the subtype, and we have to find the actual data @@ -449,12 +458,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, } format.format = READ_U16_LE(buf); - format.channels = READ_U16_LE(buf+2); + format.channels = channels = READ_U16_LE(buf+2); format.samplerate = READ_U32_LE(buf+4); format.bytespersec = READ_U32_LE(buf+8); format.align = READ_U16_LE(buf+12); format.samplesize = READ_U16_LE(buf+14); + if(channels <= 0L || SHRT_MAX < channels) + { + fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n")); + return 0; + } + if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */ { if(len<40) ++++++ vorbis-tools-r19117-CVE-2014-9640.patch ++++++ --- oggenc/oggenc.c | 4 ++-- oggenc/skeleton.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) --- a/oggenc/oggenc.c +++ b/oggenc/oggenc.c @@ -97,6 +97,8 @@ int main(int argc, char **argv) .3,-1, 0,0,0.f, 0, 0, 0, 0, 0}; + input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", + N_("RAW file reader")}; int i; @@ -239,8 +241,6 @@ int main(int argc, char **argv) if(opt.rawmode) { - input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", - N_("RAW file reader")}; enc_opts.rate=opt.raw_samplerate; enc_opts.channels=opt.raw_channels; --- a/oggenc/skeleton.h +++ b/oggenc/skeleton.h @@ -41,7 +41,7 @@ typedef struct { ogg_int64_t granule_rate_d; /* granule rate denominator */ ogg_int64_t start_granule; /* start granule value */ ogg_uint32_t preroll; /* preroll */ - unsigned char granule_shift; // a 8-bit field /* 1 byte value holding the granule shift */ + unsigned char granule_shift; /* 1 byte value holding the granule shift */ char *message_header_fields; /* holds all the message header fields */ /* current total size of the message header fields, for realloc purpose, initially zero */ ogg_uint32_t current_header_size; ++++++ warning-fixes.diff ++++++ --- oggenc/resample.c 2010-01-22 08:28:06.000000000 +0200 +++ oggenc/resample.c.new 2011-03-06 15:24:42.925869442 +0200 @@ -174,7 +174,7 @@ assert(beta > 2.0); break; default: - assert("arglist" == "valid"); + assert(!"arglist not valid"); return -1; } op1 = va_arg(argp, res_parameter); -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org