diff --git a/0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch b/0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
deleted file mode 100644
index 2e596ff..0000000
--- a/0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?=
-Date: Tue, 31 Oct 2017 18:32:46 +0100
-Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
-
-Otherwise
-
- for(i=0;ichannels;i++){
- /* the encoder setup assumes that all the modes used by any
- specific bitrate tweaking use the same floor */
- int submap=info->chmuxlist[i];
-
-overreads later in mapping0_forward since chmuxlist is a fixed array of
-256 elements max.
----
- lib/info.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp
- oggpack_buffer opb;
- private_state *b=v->backend_state;
-
-- if(!b||vi->channels<=0){
-+ if(!b||vi->channels<=0||vi->channels>256){
- ret=OV_EFAULT;
- goto err_out;
- }
diff --git a/0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch b/0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
deleted file mode 100644
index 010aecf..0000000
--- a/0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Guido=20G=C3=BCnther?=
-Date: Wed, 15 Nov 2017 18:22:59 +0100
-Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
- if not initialized
-
-If the number of channels is not within the allowed range
-we call oggback_writeclear altough it's not initialized yet.
-
-This fixes
-
- =23371== Invalid free() / delete / delete[] / realloc()
- ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
- ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
- ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
- ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
- ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
- ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
- ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
- ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
- ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
- ==23371== by 0x10D82A: open_output_file (sox.c:1556)
- ==23371== by 0x10D82A: process (sox.c:1753)
- ==23371== by 0x10D82A: main (sox.c:3012)
-
-as seen when using the testcase from CVE-2017-11333 with
-008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
-there before.
----
- lib/info.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/lib/info.c
-+++ b/lib/info.c
-@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp
- private_state *b=v->backend_state;
-
- if(!b||vi->channels<=0||vi->channels>256){
-+ b = NULL;
- ret=OV_EFAULT;
- goto err_out;
- }
diff --git a/libvorbis-1.3.5.tar.xz b/libvorbis-1.3.5.tar.xz
deleted file mode 100644
index fc57d7a..0000000
--- a/libvorbis-1.3.5.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1
-size 1193144
diff --git a/libvorbis-1.3.6.tar.xz b/libvorbis-1.3.6.tar.xz
new file mode 100644
index 0000000..db6fe9f
--- /dev/null
+++ b/libvorbis-1.3.6.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415
+size 1195388
diff --git a/libvorbis-doc.changes b/libvorbis-doc.changes
new file mode 100644
index 0000000..77dba04
--- /dev/null
+++ b/libvorbis-doc.changes
@@ -0,0 +1,5 @@
+-------------------------------------------------------------------
+Sat Mar 17 14:55:12 CET 2018 - tiwai@suse.de
+
+- Split from libvorbis.spec to reduce the build dependencies
+
diff --git a/libvorbis-doc.spec b/libvorbis-doc.spec
new file mode 100644
index 0000000..83ad84a
--- /dev/null
+++ b/libvorbis-doc.spec
@@ -0,0 +1,96 @@
+#
+# spec file for package libvorbis-doc
+#
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 1320
+%define build_docs 1
+%else
+%define build_docs 0
+%endif
+
+Name: libvorbis-doc
+Version: 1.3.6
+Release: 0
+Summary: Documentation of Ogg/Vorbis library
+License: BSD-3-Clause
+Group: Documentation/Other
+Url: http://www.vorbis.com/
+Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz
+Patch1: libvorbis-lib64.dif
+Patch2: libvorbis-m4.dif
+Patch12: vorbis-ocloexec.patch
+BuildRequires: fdupes
+BuildRequires: libogg-devel
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: xz
+%if %build_docs
+BuildRequires: doxygen
+BuildRequires: texlive-babel-english
+BuildRequires: texlive-latex
+BuildRequires: texlive-tex4ht
+BuildRequires: tex(a4wide.sty)
+BuildRequires: tex(capt-of.sty)
+BuildRequires: tex(csquotes.sty)
+BuildRequires: tex(enumitem.sty)
+BuildRequires: tex(fancyvrb.sty)
+BuildRequires: tex(grffile.sty)
+BuildRequires: tex(parskip.sty)
+BuildRequires: tex(ulem.sty)
+BuildRequires: tex(underscore.sty)
+%endif
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildArch: noarch
+
+%description
+This package contains documents for Ogg/Vorbis library, including the
+API reference.
+
+%prep
+%setup -q -n libvorbis-%{version}
+%patch2
+# %%patch5 -p1
+if [ "%{_lib}" == "lib64" ]; then
+%patch1
+fi
+%patch12
+
+%build
+autoreconf -fiv
+%configure \
+%if %build_docs
+ --enable-docs \
+%endif
+ --disable-examples \
+ --disable-static
+# parallel-build of docs may fail
+make -C doc
+# we don't build anything but docs
+
+%install
+make -C doc DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}%{_docdir}
+mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name}
+# remove unneeded files
+find %{buildroot}%{_docdir}/ -empty -delete
+%fdupes -s %{buildroot}%{_docdir}
+
+%files
+%defattr(-,root,root)
+%doc %{_docdir}/%{name}
+
+%changelog
diff --git a/libvorbis.changes b/libvorbis.changes
index 7fa9126..941e52a 100644
--- a/libvorbis.changes
+++ b/libvorbis.changes
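Review bot: `Source:` in the new libvorbis-doc.spec is fetched over plain http and the spec declares no upstream signature or keyring to validate it against, so the tarball's integrity rests only on the sha256 in the committed LFS pointer for libvorbis-1.3.6.tar.xz (libvorbis.spec carries the same http `Source:` line, unchanged in this commit). If upstream publishes a detached signature for the release, adding it as a second Source and checking it in `%prep` would make that provenance explicit; failing that, a comment such as `# tarball integrity is pinned by the sha256 in the checked-in LFS pointer` records where the trust comes from. In `%prep`, `if [ "%{_lib}" == "lib64" ]; then` relies on the bash-only `==` inside `[ ]`; `=` is the portable spelling with identical behaviour. The `%build` section passes `--enable-docs` only when build_docs is set yet runs `make -C doc` on both branches, so a one-line comment stating what that target yields without `--enable-docs` would help, as the hunk does not show it.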
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Sat Mar 17 14:54:44 CET 2018 - tiwai@suse.de
+
+- Split libvorbis-doc subpackage to a separate spec file for
+ reducing the dependencies
+
+-------------------------------------------------------------------
+Fri Mar 16 22:12:35 CET 2018 - tiwai@suse.de
+
+- Update to version 1.3.6:
+ * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
+ * Fix CVE-2017-14632 - free() on unitialized data
+ * Fix CVE-2017-14633 - out-of-bounds read
+ * Fix bitrate metadata parsing.
+ * Fix out-of-bounds read in codebook parsing.
+ * Fix residue vector size in Vorbis I spec.
+ * Appveyor support
+ * Travis CI support
+ * Add secondary CMake build system.
+ * Build system fixes
+- Build documents with doxygen, and many tex stuff;
+ this requires to disable parallel builds partially
+- Move COPYING to license directory
+- Drop obsoleted patches:
+ vorbis-fix-linking.patch
+ 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
+ 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
+ libvorbis-CVE-2018-5146.patch
+
+-------------------------------------------------------------------
+Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de
+
+- Fix VUL-0: libvorbis: Out of bounds memory write while processing
+ Vorbis audio data (CVE-2018-5146, bsc#1085687):
+ libvorbis-CVE-2018-5146.patch
+
 -------------------------------------------------------------------
 Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de
 
diff --git a/libvorbis.spec b/libvorbis.spec
index 0e7b3e1..30ae83a 100644
--- a/libvorbis.spec
+++ b/libvorbis.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libvorbis
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name: libvorbis
-Version: 1.3.5
+Version: 1.3.6
 Release: 0
 Summary: The Vorbis General Audio Compression Codec
 License: BSD-3-Clause
@@ -27,14 +27,7 @@ Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar
 Source1: baselibs.conf
 Patch1: libvorbis-lib64.dif
 Patch2: libvorbis-m4.dif
-# URL http://www.geocities.jp/aoyoume/aotuv/
-# 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff'
-# PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddwarf@opensuse.org -- Use Requires/Libs.private to avoid overlinking
-Patch11: vorbis-fix-linking.patch
 Patch12: vorbis-ocloexec.patch
-Patch21: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
-Patch22: 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
-BuildRequires: fdupes
 BuildRequires: libogg-devel
 BuildRequires: libtool
 BuildRequires: pkgconfig
@@ -115,17 +108,6 @@ Obsoletes: libvorbis-devel-64bit
 This package contains all necessary include files and libraries needed
 to compile and develop applications that use libvorbis.
 
-%package doc
-Summary: Documentation of Ogg/Vorbis library
-Group: Documentation/Other
-%if 0%{?suse_version} >= 1120
-BuildArch: noarch
-%endif
-
-%description doc
-This package contains documents for Ogg/Vorbis library, including the
-API reference.
-
 %prep
 %setup -q
 %patch2
@@ -133,10 +115,7 @@ API reference.
 if [ "%{_lib}" == "lib64" ]; then
 %patch1
 fi
-%patch11 -p1
 %patch12
-%patch21 -p1
-%patch22 -p1
 
 %build
 # Fix optimization level
@@ -149,14 +128,11 @@ autoreconf -fiv
 make %{?_smp_mflags}
 
 %install
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
-mkdir -p %{buildroot}%{_docdir}/%{name}
-mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name}
-install -c -m 0644 doc/Vorbis_I_spec.* %{buildroot}%{_docdir}/%{name}
+make DESTDIR=%{buildroot} install
+# docs are built in a separate spec file
+rm -rf %{buildroot}%{_datadir}/doc/*
 # remove unneeded files
 find %{buildroot} -type f -name "*.la" -delete -print
-find %{buildroot}%{_docdir}/ -empty -delete
-%fdupes -s %{buildroot}%{_docdir}
 
 %check
 make %{?_smp_mflags} check
@@ -187,14 +163,11 @@ make %{?_smp_mflags} check
 
 %files devel
 %defattr(-,root,root)
-%doc COPYING AUTHORS README *.txt
+%doc AUTHORS
+%license COPYING
 %{_datadir}/aclocal/*.m4
 %{_includedir}/vorbis
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
 
-%files doc
-%defattr(-,root,root)
-%doc %{_docdir}/%{name}
-
 %changelog
diff --git a/vorbis-fix-linking.patch b/vorbis-fix-linking.patch
deleted file mode 100644
index 07fe55d..0000000
--- a/vorbis-fix-linking.patch
+++ /dev/null
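Review bot: The `%files devel` hunk narrows `%doc COPYING AUTHORS README *.txt` to `%doc AUTHORS` plus `%license COPYING`, so README and the *.txt files are no longer shipped from the devel package, while the matching libvorbis.changes entry only records moving COPYING to the license directory. If those files are not packaged elsewhere (the main library's `%files` list is outside these hunks), either keep them with `%doc AUTHORS README *.txt` or add a line to the changes entry stating that they were dropped on purpose. In the `%install` hunk, `rm -rf %{buildroot}%{_datadir}/doc/*` is consistent with the docs moving to libvorbis-doc.spec, but since that spec only relocates `%{_datadir}/doc/libvorbis-*`, narrowing the removal to `rm -rf %{buildroot}%{_datadir}/doc/libvorbis-*` would stop it from silently discarding anything else a future upstream install places there.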
@@ -1,33 +0,0 @@
----
- Makefile.am | 4 ++--
- configure.ac | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-Index: libvorbis-1.3.5/Makefile.am
-===================================================================
---- libvorbis-1.3.5.orig/Makefile.am
-+++ libvorbis-1.3.5/Makefile.am
-@@ -1,8 +1,8 @@
- ## Process this file with automake to produce Makefile.in
-
- #AUTOMAKE_OPTIONS = 1.7 foreign dist-zip dist-bzip2
--AUTOMAKE_OPTIONS = foreign 1.11 dist-zip dist-xz
--
-+AUTOMAKE_OPTIONS = foreign 1.10 dist-zip
-+ACLOCAL_AMFLAGS = -I m4
- SUBDIRS = m4 include vq lib test doc
-
- if BUILD_EXAMPLES
-Index: libvorbis-1.3.5/configure.ac
-===================================================================
---- libvorbis-1.3.5.orig/configure.ac
-+++ libvorbis-1.3.5/configure.ac
-@@ -8,7 +8,7 @@ dnl ------------------------------------
- AC_INIT([libvorbis],[1.3.5],[vorbis-dev@xiph.org])
-
- AC_CONFIG_SRCDIR([lib/mdct.c])
--
-+AC_CONFIG_MACRO_DIR([m4])
- AC_CANONICAL_TARGET([])
-
- AM_INIT_AUTOMAKE