From 236cab80dd45b036270ee878a59c9752abb582844c32e22eb638c11c4fdc4b3c Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Fri, 16 May 2008 12:37:30 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libid3tag?expand=0&rev=3
---
 libid3tag-0.15.1b-fix_overflow.patch | 19 ++++++++++
 libid3tag.changes | 7 ++++
 libid3tag.spec | 56 ++++++++++++++--------------
 3 files changed, 55 insertions(+), 27 deletions(-)
 create mode 100644 libid3tag-0.15.1b-fix_overflow.patch
diff --git a/libid3tag-0.15.1b-fix_overflow.patch b/libid3tag-0.15.1b-fix_overflow.patch
new file mode 100644
index 0000000..4a89d4e
--- /dev/null
+++ b/libid3tag-0.15.1b-fix_overflow.patch
@@ -0,0 +1,19 @@
+*** field.c 2003-04-19 09:14:33.000000000 +0900
+--- field-patched.c 2008-01-13 16:08:22.000000000 +0900
+***************
+*** 291,297 ****
+
+ end = *ptr + length;
+
+! while (end - *ptr > 0) {
+ ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+ if (ucs4 == 0)
+ goto fail;
+--- 291,297 ----
+
+ end = *ptr + length;
+
+! while (end - *ptr > 0 && **ptr != '\0') {
+ ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+ if (ucs4 == 0)
+ goto fail;
diff --git a/libid3tag.changes b/libid3tag.changes
index d1b783b..7b80e87 100644
--- a/libid3tag.changes
+++ b/libid3tag.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May 8 16:21:29 CEST 2008 - tiwai@suse.de
+
+- VUL-0: libid3tag overflow (CVE-2008-2109, bnc#387731)
+- don't install static and *.la files
+- clean up spec file
+
 -------------------------------------------------------------------
 Thu Mar 29 08:26:34 CEST 2007 - meissner@suse.de
diff --git a/libid3tag.spec b/libid3tag.spec
index 1e73b0e..5e077ea 100644
--- a/libid3tag.spec
+++ b/libid3tag.spec
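Review bot: The added `**ptr != '\0'` condition in the field.c loop (old lines 291-297) stops on a leading NUL byte, but termination still rests entirely on id3_parse_string() advancing *ptr, which this context diff does not show; if the decoder can return a non-NULL string without consuming any input (a lone trailing byte under a two-byte encoding is the case to check), the loop still never exits. A decoder-independent guard is a progress check: save *ptr before the call and add `if (*ptr == before) goto fail;` after the existing `ucs4 == 0` test. Note also that under UTF-16BE (ID3v2.4 text encoding 2) any string beginning with an ASCII character starts with a 0x00 byte, so the new condition is likely to cut a string list short at such a string instead of treating it as the terminator; worth confirming against how id3_parse_string() handles that encoding before shipping this as the CVE fix. The enclosing function starts and ends outside the hunk.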
@@ -1,7 +1,7 @@
 #
 # spec file for package libid3tag (Version 0.15.1b)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -10,20 +10,22 @@
 # norootforbuild
+
 Name: libid3tag
 BuildRequires: gperf zlib-devel
 Summary: ID3 Tag Manipulation Library
 Version: 0.15.1b
-Release: 63
+Release: 130
 Group: System/Libraries
-License: GNU General Public License (GPL)
-URL: http://www.underbit.com/products/mad/
+License: GPL v2 or later
+Url: http://www.underbit.com/products/mad/
 Source: %{name}-%{version}.tar.bz2
 Patch: libid3tag-noweak.dif
 Patch1: libid3tag-gperf.dif
 Patch2: libid3tag-0.15.1b-mb.diff
 Patch3: libid3tag-automake-fix.dif
 Patch4: libid3tag-optflags.patch
+Patch5: libid3tag-0.15.1b-fix_overflow.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -37,6 +39,7 @@ Authors:
 Underbit Technologies, Inc.
 %package devel
+License: GPL v2 or later
 Summary: Development package for libid3tag library
 Group: Development/Libraries/C and C++
 Requires: libid3tag = %version zlib-devel
@@ -58,61 +61,60 @@ Authors:
 %patch2
 %patch3
 %patch4
+%patch5
 %build
-%{?suse_update_config:%{suse_update_config -f}}
 autoreconf -fi
-CFLAGS="$RPM_OPT_FLAGS -fstack-protector" \
-./configure --prefix=%{_prefix} --mandir=%{_mandir} \
- --libdir=%{_libdir}
-make
-echo -e "prefix=%_prefix\nexec_prefix=%_prefix\nlibdir=%_libdir\nincludedir=%_includedir\nName: id3tag\nDescription: ID3 tag library\nRequires:\nVersion: %version\nLibs: -L%_libdir -lid3tag -lz\nCflags: -I%_includedir\n" > id3tag.pc
+%configure --disable-static
+make %{?jobs:-j %jobs}
+echo -e "prefix=%_prefix\nexec_prefix=%_prefix\nlibdir=%_libdir\nincludedir=%_includedir\nName: id3tag\nDescription: ID3 tag library\nRequires:\nVersion: %version\nLibs: -L%_libdir -lid3tag\nLibs.private: -lz\nCflags: -I%_includedir\n" > id3tag.pc
 %install
-[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT install
+%makeinstall
 install -m 644 -D id3tag.pc %{buildroot}%{_libdir}/pkgconfig/id3tag.pc
+rm -f $RPM_BUILD_ROOT%{_libdir}/libid3tag*.*a
-%post
-%run_ldconfig
+%post -p /sbin/ldconfig
-%postun
-%run_ldconfig
+%postun -p /sbin/ldconfig
 %clean
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
-%doc CHANGES COPYING COPYRIGHT CREDITS README TODO VERSION
 %{_libdir}/lib*.so.*
 %files devel
 %defattr(-,root,root)
+%doc CHANGES COPYING COPYRIGHT CREDITS README TODO VERSION
 %{_includedir}/*
-%{_libdir}/*.*a
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/id3tag.pc
 %changelog
-* Thu Mar 29 2007 - meissner@suse.de
+* Thu May 08 2008 tiwai@suse.de
+- VUL-0: libid3tag overflow (CVE-2008-2109, bnc#387731)
+- don't install static and *.la files
+- clean up spec file
+* Thu Mar 29 2007 meissner@suse.de
 - zlib-devel to buildrequires
-* Tue Oct 31 2006 - meissner@suse.de
+* Tue Oct 31 2006 meissner@suse.de
 - fixed configure.ac to accept more than 1 -O/-f option, added requires
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
 - converted neededforbuild to BuildRequires
-* Wed Jan 11 2006 - tiwai@suse.de
+* Wed Jan 11 2006 tiwai@suse.de
 - compile with -fstack-protector.
-* Mon Jul 05 2004 - hvogel@suse.de
+* Tue Jul 06 2004 hvogel@suse.de
 - add pgkconfig file
-* Thu Feb 26 2004 - tiwai@suse.de
+* Thu Feb 26 2004 tiwai@suse.de
 - updated to version 0.15.1b.
 - fixed memory allocation check.
 - fixed for autoreconf.
-* Tue Jan 13 2004 - tiwai@suse.de
+* Tue Jan 13 2004 tiwai@suse.de
 - build as non-root.
-* Mon Aug 11 2003 - tiwai@suse.de
+* Mon Aug 11 2003 tiwai@suse.de
 - fixed the handling of v2 tag.
-* Thu Jul 03 2003 - tiwai@suse.de
+* Thu Jul 03 2003 tiwai@suse.de
 - split from mad: version 0.15.0b.
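Review bot: The new `rm -f $RPM_BUILD_ROOT%{_libdir}/libid3tag*.*a` line in %install spells the build root as `$RPM_BUILD_ROOT` while the `install -m 644 -D ... %{buildroot}...` line directly above it uses `%{buildroot}`; one spelling per section is easier to audit, e.g. `rm -f %{buildroot}%{_libdir}/libid3tag*.*a`. Since `--disable-static` is now passed to %configure, the glob should in practice only ever hit the libtool .la file, and a short comment saying so (`# drop the libtool archive; no static lib is built`) would save the next reader from wondering what else it removes. The %changelog rewording below is history only and needs nothing.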