Accepting request 588197 from multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/588197
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvorbis?expand=0&rev=49
Dominique Leuenberger 2018-03-22 10:55:59 +00:00 committed by Git OBS Bridge
commit 112b821b55
9 changed files with 147 additions and 148 deletions


@ -1,29 +0,0 @@
From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Tue, 31 Oct 2017 18:32:46 +0100
Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
Otherwise
for(i=0;i<vi->channels;i++){
/* the encoder setup assumes that all the modes used by any
specific bitrate tweaking use the same floor */
int submap=info->chmuxlist[i];
overreads later in mapping0_forward since chmuxlist is a fixed array of
256 elements max.
---
lib/info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/info.c
+++ b/lib/info.c
@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp
oggpack_buffer opb;
private_state *b=v->backend_state;
- if(!b||vi->channels<=0){
+ if(!b||vi->channels<=0||vi->channels>256){
ret=OV_EFAULT;
goto err_out;
}


@ -1,49 +0,0 @@
From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 15 Nov 2017 18:22:59 +0100
Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
if not initialized
If the number of channels is not within the allowed range
we call oggback_writeclear altough it's not initialized yet.
This fixes
=23371== Invalid free() / delete / delete[] / realloc()
==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
==23371== by 0x10D82A: open_output_file (sox.c:1556)
==23371== by 0x10D82A: process (sox.c:1753)
==23371== by 0x10D82A: main (sox.c:3012)
as seen when using the testcase from CVE-2017-11333 with
008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
there before.
---
lib/info.c | 1 +
1 file changed, 1 insertion(+)
--- a/lib/info.c
+++ b/lib/info.c
@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp
private_state *b=v->backend_state;
if(!b||vi->channels<=0||vi->channels>256){
+ b = NULL;
ret=OV_EFAULT;
goto err_out;
}


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1
size 1193144

libvorbis-1.3.6.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415
size 1195388

libvorbis-doc.changes Normal file

@ -0,0 +1,5 @@
-------------------------------------------------------------------
Sat Mar 17 14:55:12 CET 2018 - tiwai@suse.de
- Split from libvorbis.spec to reduce the build dependencies

libvorbis-doc.spec Normal file

@ -0,0 +1,96 @@
#
# spec file for package libvorbis-doc
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%if 0%{?suse_version} > 1320
%define build_docs 1
%else
%define build_docs 0
%endif
Name: libvorbis-doc
Version: 1.3.6
Release: 0
Summary: Documentation of Ogg/Vorbis library
License: BSD-3-Clause
Group: Documentation/Other
Url: http://www.vorbis.com/
Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz
Patch1: libvorbis-lib64.dif
Patch2: libvorbis-m4.dif
Patch12: vorbis-ocloexec.patch
BuildRequires: fdupes
BuildRequires: libogg-devel
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: xz
%if %build_docs
BuildRequires: doxygen
BuildRequires: texlive-babel-english
BuildRequires: texlive-latex
BuildRequires: texlive-tex4ht
BuildRequires: tex(a4wide.sty)
BuildRequires: tex(capt-of.sty)
BuildRequires: tex(csquotes.sty)
BuildRequires: tex(enumitem.sty)
BuildRequires: tex(fancyvrb.sty)
BuildRequires: tex(grffile.sty)
BuildRequires: tex(parskip.sty)
BuildRequires: tex(ulem.sty)
BuildRequires: tex(underscore.sty)
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
This package contains documents for Ogg/Vorbis library, including the
API reference.
%prep
%setup -q -n libvorbis-%{version}
%patch2
# %%patch5 -p1
if [ "%{_lib}" == "lib64" ]; then
%patch1
fi
%patch12
%build
autoreconf -fiv
%configure \
%if %build_docs
--enable-docs \
%endif
--disable-examples \
--disable-static
# parallel-build of docs may fail
make -C doc
# we don't build anything but docs
%install
make -C doc DESTDIR=%{buildroot} install
mkdir -p %{buildroot}%{_docdir}
mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name}
# remove unneeded files
find %{buildroot}%{_docdir}/ -empty -delete
%fdupes -s %{buildroot}%{_docdir}
%files
%defattr(-,root,root)
%doc %{_docdir}/%{name}
%changelog
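Review bot: The `%prep` test on the `if [ "%{_lib}" == "lib64" ]; then` line uses `==`, which is a bash extension rather than POSIX `test` syntax; `if [ "%{_lib}" = "lib64" ]; then` behaves identically and is portable to whatever `/bin/sh` rpm runs the scriptlet under. The spelling is carried over from the existing libvorbis.spec, so this is a point of style inherited from the original rather than a new defect. The commented-out `# %%patch5 -p1` line is dead text and the reason the lib64 and ocloexec patches are still applied in a docs-only build is not stated; a one-line comment such as `# apply the same source patches as libvorbis.spec so the configured tree matches` would make the intent clear. On the `build_docs 0` branch nothing is passed to `%configure` and `make -C doc` may leave `%{_docdir}/%{name}` empty, which would presumably make the `%doc %{_docdir}/%{name}` entry fail to package — worth confirming on the older suse_version path.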


@ -1,3 +1,39 @@
-------------------------------------------------------------------
Sat Mar 17 14:54:44 CET 2018 - tiwai@suse.de
- Split libvorbis-doc subpackage to a separate spec file for
reducing the dependencies
-------------------------------------------------------------------
Fri Mar 16 22:12:35 CET 2018 - tiwai@suse.de
- Update to version 1.3.6:
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes
- Build documents with doxygen, and many tex stuff;
this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
vorbis-fix-linking.patch
0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
libvorbis-CVE-2018-5146.patch
-------------------------------------------------------------------
Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de
- Fix VUL-0: libvorbis: Out of bounds memory write while processing
Vorbis audio data (CVE-2018-5146, bsc#1085687):
libvorbis-CVE-2018-5146.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de


@ -1,7 +1,7 @@
# #
# spec file for package libvorbis # spec file for package libvorbis
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: libvorbis Name: libvorbis
Version: 1.3.5 Version: 1.3.6
Release: 0 Release: 0
Summary: The Vorbis General Audio Compression Codec Summary: The Vorbis General Audio Compression Codec
License: BSD-3-Clause License: BSD-3-Clause
@ -27,14 +27,7 @@ Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar
Source1: baselibs.conf Source1: baselibs.conf
Patch1: libvorbis-lib64.dif Patch1: libvorbis-lib64.dif
Patch2: libvorbis-m4.dif Patch2: libvorbis-m4.dif
# URL http://www.geocities.jp/aoyoume/aotuv/
# 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff'
# PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddwarf@opensuse.org -- Use Requires/Libs.private to avoid overlinking
Patch11: vorbis-fix-linking.patch
Patch12: vorbis-ocloexec.patch Patch12: vorbis-ocloexec.patch
Patch21: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
Patch22: 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
BuildRequires: fdupes
BuildRequires: libogg-devel BuildRequires: libogg-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -115,17 +108,6 @@ Obsoletes: libvorbis-devel-64bit
This package contains all necessary include files and libraries needed This package contains all necessary include files and libraries needed
to compile and develop applications that use libvorbis. to compile and develop applications that use libvorbis.
%package doc
Summary: Documentation of Ogg/Vorbis library
Group: Documentation/Other
%if 0%{?suse_version} >= 1120
BuildArch: noarch
%endif
%description doc
This package contains documents for Ogg/Vorbis library, including the
API reference.
%prep %prep
%setup -q %setup -q
%patch2 %patch2
@ -133,10 +115,7 @@ API reference.
if [ "%{_lib}" == "lib64" ]; then if [ "%{_lib}" == "lib64" ]; then
%patch1 %patch1
fi fi
%patch11 -p1
%patch12 %patch12
%patch21 -p1
%patch22 -p1
%build %build
# Fix optimization level # Fix optimization level
@ -149,14 +128,11 @@ autoreconf -fiv
make %{?_smp_mflags} make %{?_smp_mflags}
%install %install
make DESTDIR=%{buildroot} install %{?_smp_mflags} make DESTDIR=%{buildroot} install
mkdir -p %{buildroot}%{_docdir}/%{name} # docs are built in a separate spec file
mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name} rm -rf %{buildroot}%{_datadir}/doc/*
install -c -m 0644 doc/Vorbis_I_spec.* %{buildroot}%{_docdir}/%{name}
# remove unneeded files # remove unneeded files
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
find %{buildroot}%{_docdir}/ -empty -delete
%fdupes -s %{buildroot}%{_docdir}
%check %check
make %{?_smp_mflags} check make %{?_smp_mflags} check
@ -187,14 +163,11 @@ make %{?_smp_mflags} check
%files devel %files devel
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING AUTHORS README *.txt %doc AUTHORS
%license COPYING
%{_datadir}/aclocal/*.m4 %{_datadir}/aclocal/*.m4
%{_includedir}/vorbis %{_includedir}/vorbis
%{_libdir}/lib*.so %{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc %{_libdir}/pkgconfig/*.pc
%files doc
%defattr(-,root,root)
%doc %{_docdir}/%{name}
%changelog %changelog


@ -1,33 +0,0 @@
---
Makefile.am | 4 ++--
configure.ac | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
Index: libvorbis-1.3.5/Makefile.am
===================================================================
--- libvorbis-1.3.5.orig/Makefile.am
+++ libvorbis-1.3.5/Makefile.am
@@ -1,8 +1,8 @@
## Process this file with automake to produce Makefile.in
#AUTOMAKE_OPTIONS = 1.7 foreign dist-zip dist-bzip2
-AUTOMAKE_OPTIONS = foreign 1.11 dist-zip dist-xz
-
+AUTOMAKE_OPTIONS = foreign 1.10 dist-zip
+ACLOCAL_AMFLAGS = -I m4
SUBDIRS = m4 include vq lib test doc
if BUILD_EXAMPLES
Index: libvorbis-1.3.5/configure.ac
===================================================================
--- libvorbis-1.3.5.orig/configure.ac
+++ libvorbis-1.3.5/configure.ac
@@ -8,7 +8,7 @@ dnl ------------------------------------
AC_INIT([libvorbis],[1.3.5],[vorbis-dev@xiph.org])
AC_CONFIG_SRCDIR([lib/mdct.c])
-
+AC_CONFIG_MACRO_DIR([m4])
AC_CANONICAL_TARGET([])
AM_INIT_AUTOMAKE