From 1405f02287fc316db23cd0dcf104024aa736395e027b73be46ea5e6d6f7c358f Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Fri, 23 Nov 2018 13:41:18 +0000
Subject: [PATCH] Accepting request 651383 from home:tiwai:branches:multimedia:libs
- Fix buffer overflow in sndfile-deinterleave, which isn't really a security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, CVE-2018-19432): sndfile-deinterlace-channels-check.patch
- Fix buffer overflow in sndfile-deinterleave, which isn't really a security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, CVE-2018-19432):
OBS-URL: https://build.opensuse.org/request/show/651383
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libsndfile?expand=0&rev=70
---
 libsndfile-progs.changes | 8 ++++++++
 libsndfile-progs.spec | 26 +++++++++++++++++++++++++-
 libsndfile.changes | 5 +++--
 libsndfile.spec | 2 +-
 4 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/libsndfile-progs.changes b/libsndfile-progs.changes
index 9138427..8a0fc76 100644
--- a/libsndfile-progs.changes
+++ b/libsndfile-progs.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jul 6 14:11:47 CEST 2018 - tiwai@suse.de
+
+- Fix buffer overflow in sndfile-deinterleave, which isn't really a
+ security issue (bsc#1100167, CVE-2018-13139, bsc#1116993,
+ CVE-2018-19432):
+ sndfile-deinterlace-channels-check.patch
+
 -------------------------------------------------------------------
 Mon Apr 10 10:47:58 CEST 2017 - tiwai@suse.de
diff --git a/libsndfile-progs.spec b/libsndfile-progs.spec
index 08073ed..b515e52 100644
--- a/libsndfile-progs.spec
+++ b/libsndfile-progs.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -26,6 +26,20 @@ Url: http://www.mega-nerd.com/libsndfile/
 Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Source1: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz.asc
 Source2: libsndfile.keyring
+# PATCH-FIX-UPSTREAM
+Patch1: 0001-FLAC-Fix-a-buffer-read-overrun.patch
+Patch2: 0002-src-flac.c-Fix-a-buffer-read-overflow.patch
+Patch10: 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
+Patch20: 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
+Patch30: 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+# not yet upstreamed, https://github.com/erikd/libsndfile/issues/317
+Patch31: 0031-sfe_copy_data_fp-check-value-of-max-variable.patch
+# not yet upstreamed
+Patch32: libsndfile-CVE-2017-17456-alaw-range-check.patch
+Patch33: libsndfile-CVE-2017-17457-ulaw-range-check.patch
+Patch34: sndfile-deinterlace-channels-check.patch
+# PATCH-FIX-OPENSUSE
+Patch100: sndfile-ocloexec.patch
 BuildRequires: alsa-devel
 BuildRequires: flac-devel
 BuildRequires: gcc-c++
@@ -41,6 +55,16 @@ This package includes the example programs for libsndfile.
 %prep
 %setup -q -n libsndfile-%{version}
+%patch1 -p1
+%patch2 -p1
+%patch10 -p1
+%patch20 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch100 -p1
 %build
 %define warn_flags -W -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter
diff --git a/libsndfile.changes b/libsndfile.changes
index f00de06..346ad4e 100644
--- a/libsndfile.changes
+++ b/libsndfile.changes
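Review bot: The patches added in the `Patch1:`–`Patch100:` block carry no advisory references; Patch32 to Patch34 sit under a bare `# not yet upstreamed`, so nothing in this spec ties sndfile-deinterlace-channels-check.patch to the identifiers the changelog gives for it. A comment such as `# bsc#1100167 CVE-2018-13139, bsc#1116993 CVE-2018-19432 - not yet upstreamed` directly above `Patch34:` would let a reader map the patch to its advisories without opening the .changes file. The new libsndfile-progs.changes entry also names only that one patch while this hunk adds ten. Listing the others there, in particular Patch32 and Patch33, whose file names carry CVE-2017-17456 and CVE-2017-17457, would keep this package's fix record complete, assuming the changelog is what downstream tracking reads.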
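Review bot: The ten `%patch<N> -p1` lines added to `%prep` have to be kept in step with the `Patch<N>:` tags by hand, and as far as I know rpmbuild does not fail when a declared patch is never applied, so a missed line can silently drop a security fix. If the rpm versions this package targets support it, a single `%autopatch -p1` after `%setup` applies every declared patch in order and removes that failure mode. If the explicit list is kept, a comment like `# keep in sync with the PatchN tags above and with libsndfile.spec` would help. That libsndfile.spec carries the same list is inferred from the shared changelog text and is not visible in this diff.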
@@ -1,8 +1,9 @@
 -------------------------------------------------------------------
 Fri Jul 6 14:11:47 CEST 2018 - tiwai@suse.de
-- Fix buffer overflow in sndfile-deinterlace, which isn't really a
- security issue (bsc#1100167, CVE-2018-13139):
+- Fix buffer overflow in sndfile-deinterleave, which isn't really a
+ security issue (bsc#1100167, CVE-2018-13139, bsc#1116993,
+ CVE-2018-19432):
 sndfile-deinterlace-channels-check.patch
 -------------------------------------------------------------------
diff --git a/libsndfile.spec b/libsndfile.spec
index dcb3a45..4b05a03 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #