OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libid3tag?expand=0&rev=3

2008-05-16 12:37:30 +00:00 · 2008-05-16 12:37:30 +00:00 · 236cab80dd
commit 236cab80dd
parent 856aeba128
3 changed files with 55 additions and 27 deletions
--- a/libid3tag-0.15.1b-fix_overflow.patch
+++ b/libid3tag-0.15.1b-fix_overflow.patch
@ -0,0 +1,19 @@
+*** field.c	2003-04-19 09:14:33.000000000 +0900
+--- field-patched.c	2008-01-13 16:08:22.000000000 +0900
+***************
+*** 291,297 ****
+
+        end = *ptr + length;
+
+!       while (end - *ptr > 0) {
+  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+  	if (ucs4 == 0)
+  	  goto fail;
+--- 291,297 ----
+
+        end = *ptr + length;
+
+!       while (end - *ptr > 0 && **ptr != '\0') {
+  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+  	if (ucs4 == 0)
+  	  goto fail;
--- a/libid3tag.changes
+++ b/libid3tag.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May  8 16:21:29 CEST 2008 - tiwai@suse.de
+
+- VUL-0: libid3tag overflow (CVE-2008-2109, bnc#387731)
+- don't install static and *.la files
+- clean up spec file
+
 -------------------------------------------------------------------
 Thu Mar 29 08:26:34 CEST 2007 - meissner@suse.de

--- a/libid3tag.spec
+++ b/libid3tag.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libid3tag (Version 0.15.1b)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@ -10,20 +10,22 @@

 # norootforbuild

+
 Name:           libid3tag
 BuildRequires:  gperf zlib-devel
 Summary:        ID3 Tag Manipulation Library
 Version:        0.15.1b
-Release:        63
+Release:        130
 Group:          System/Libraries
-License:        GNU General Public License (GPL)
-URL:            http://www.underbit.com/products/mad/
+License:        GPL v2 or later
+Url:            http://www.underbit.com/products/mad/
 Source:         %{name}-%{version}.tar.bz2
 Patch:          libid3tag-noweak.dif
 Patch1:         libid3tag-gperf.dif
 Patch2:         libid3tag-0.15.1b-mb.diff
 Patch3:         libid3tag-automake-fix.dif
 Patch4:         libid3tag-optflags.patch
+Patch5:         libid3tag-0.15.1b-fix_overflow.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -37,6 +39,7 @@ Authors:
    Underbit Technologies, Inc. <support@underbit.com>

 %package devel
+License:        GPL v2 or later
 Summary:        Development package for libid3tag library
 Group:          Development/Libraries/C and C++
 Requires:       libid3tag = %version zlib-devel
@ -58,61 +61,60 @@ Authors:
 %patch2
 %patch3
 %patch4
+%patch5

 %build
-%{?suse_update_config:%{suse_update_config -f}}
 autoreconf -fi
-CFLAGS="$RPM_OPT_FLAGS -fstack-protector" \
-./configure --prefix=%{_prefix} --mandir=%{_mandir} \
-  --libdir=%{_libdir}
-make
-echo -e "prefix=%_prefix\nexec_prefix=%_prefix\nlibdir=%_libdir\nincludedir=%_includedir\nName: id3tag\nDescription: ID3 tag library\nRequires:\nVersion: %version\nLibs: -L%_libdir -lid3tag -lz\nCflags: -I%_includedir\n" > id3tag.pc
+%configure --disable-static
+make %{?jobs:-j %jobs}
+echo -e "prefix=%_prefix\nexec_prefix=%_prefix\nlibdir=%_libdir\nincludedir=%_includedir\nName: id3tag\nDescription: ID3 tag library\nRequires:\nVersion: %version\nLibs: -L%_libdir -lid3tag\nLibs.private: -lz\nCflags: -I%_includedir\n" > id3tag.pc

 %install
-[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT install
+%makeinstall
 install -m 644 -D id3tag.pc %{buildroot}%{_libdir}/pkgconfig/id3tag.pc
+rm -f $RPM_BUILD_ROOT%{_libdir}/libid3tag*.*a

-%post
-%run_ldconfig
+%post -p /sbin/ldconfig

-%postun
-%run_ldconfig
+%postun -p /sbin/ldconfig

 %clean
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

 %files
 %defattr(-,root,root)
-%doc CHANGES COPYING COPYRIGHT CREDITS README TODO VERSION
 %{_libdir}/lib*.so.*

 %files devel
 %defattr(-,root,root)
+%doc CHANGES COPYING COPYRIGHT CREDITS README TODO VERSION
 %{_includedir}/*
-%{_libdir}/*.*a
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/id3tag.pc

 %changelog
-* Thu Mar 29 2007 - meissner@suse.de
+* Thu May 08 2008 tiwai@suse.de
+- VUL-0: libid3tag overflow (CVE-2008-2109, bnc#387731)
+- don't install static and *.la files
+- clean up spec file
+* Thu Mar 29 2007 meissner@suse.de
 - zlib-devel to buildrequires
-* Tue Oct 31 2006 - meissner@suse.de
+* Tue Oct 31 2006 meissner@suse.de
 - fixed configure.ac to accept more than 1 -O/-f option, added
  requires
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
 - converted neededforbuild to BuildRequires
-* Wed Jan 11 2006 - tiwai@suse.de
+* Wed Jan 11 2006 tiwai@suse.de
 - compile with -fstack-protector.
-* Mon Jul 05 2004 - hvogel@suse.de
+* Tue Jul 06 2004 hvogel@suse.de
 - add pgkconfig file
-* Thu Feb 26 2004 - tiwai@suse.de
+* Thu Feb 26 2004 tiwai@suse.de
 - updated to version 0.15.1b.
 - fixed memory allocation check.
 - fixed for autoreconf.
-* Tue Jan 13 2004 - tiwai@suse.de
+* Tue Jan 13 2004 tiwai@suse.de
 - build as non-root.
-* Mon Aug 11 2003 - tiwai@suse.de
+* Mon Aug 11 2003 tiwai@suse.de
 - fixed the handling of v2 tag.
-* Thu Jul 03 2003 - tiwai@suse.de
+* Thu Jul 03 2003 tiwai@suse.de
 - split from mad: version 0.15.0b.