From 48310b6f69714baffb2cfd2956e0f2eefa4a4204efa5dfd9158dc139ee81d43b Mon Sep 17 00:00:00 2001 
From: Takashi Iwai Date: Fri, 10 Jul 2020 12:52:43 +0000 Subject: [PATCH] Accepting request 819974 from home:mnhauke - Update to version 1.3.7 * Fix CVE-2018-10392 and CVE-2018-10393 - out-of-bounds read encoding very low sample rates * Fix CVE-2017-14160 - out-of-bounds read encoding very low sample rates. * Fix handling invalid bytes per sample arguments. * Fix handling invalid channel count arguments. * Fix invalid free on seek failure. * Fix negative shift reading blocksize. * Fix accepting unreasonable float32 values. * Fix tag comparison depending on locale. * Fix unnecessarily linking libm. * Fix memory leak in test_sharedbook. * Distribute CMake build files with the source package. * Remove unnecessary configure --target switch. * Add OSS-Fuzz support. * Build system and integration updates. - Drop not longer needed patches (fixed by upstream): * vorbis-CVE-2017-14160.patch * vorbis-CVE-2018-10392.patch * vorbis-CVE-2018-10393.patch - Add source verification OBS-URL: https://build.opensuse.org/request/show/819974 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=64 --- libvorbis-1.3.6.tar.xz | 3 --- libvorbis-1.3.7.tar.xz | 3 +++ libvorbis-1.3.7.tar.xz.asc | 16 ++++++++++++ libvorbis-doc.spec | 12 +++++---- libvorbis.changes | 26 +++++++++++++++++++ libvorbis.keyring | 51 +++++++++++++++++++++++++++++++++++++ libvorbis.spec | 20 ++++++--------- vorbis-CVE-2017-14160.patch | 27 -------------------- vorbis-CVE-2018-10392.patch | 20 --------------- vorbis-CVE-2018-10393.patch | 38 --------------------------- 10 files changed, 111 insertions(+), 105 deletions(-) delete mode 100644 libvorbis-1.3.6.tar.xz create mode 100644 libvorbis-1.3.7.tar.xz create mode 100644 libvorbis-1.3.7.tar.xz.asc create mode 100644 libvorbis.keyring delete mode 100644 vorbis-CVE-2017-14160.patch delete mode 100644 vorbis-CVE-2018-10392.patch delete mode 100644 vorbis-CVE-2018-10393.patch 
diff --git a/libvorbis-1.3.6.tar.xz b/libvorbis-1.3.6.tar.xz deleted file mode 100644 index db6fe9f..0000000 --- a/libvorbis-1.3.6.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415 -size 1195388 diff --git a/libvorbis-1.3.7.tar.xz b/libvorbis-1.3.7.tar.xz new file mode 100644 index 0000000..1812c03 --- /dev/null +++ b/libvorbis-1.3.7.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b33cc4934322bcbf6efcbacf49e3ca01aadbea4114ec9589d1b1e9d20f72954b +size 1203792 diff --git a/libvorbis-1.3.7.tar.xz.asc b/libvorbis-1.3.7.tar.xz.asc new file mode 100644 index 0000000..342689c --- /dev/null +++ b/libvorbis-1.3.7.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEt7AK7h+WDuoP7Wb7klmo8tLUTIQFAl8AIpkACgkQklmo8tLU +TIRcpBAArhcRWPNa+goaPGs0pvfgRHwxGTMNKbd8PDHhDL8yXQnYEzRktgCfwcXZ ++4yd1hoLMFOd1IyBASoCaxk05lbDhGKVHZo3jhxKztxweXvdgYl/dwmZTmN/EO1K +e3RycUYrJ18S4ujdCBxbYTVf6+0rsGL+UYo8rtHtyrKSGuwHqUEq+gtwVPS7U836 +Pbgxpin+CwElGRrZLEfh3fUTYnIjZYmlaUcplQdkZuFgSxP1t40InjmwkP+gQfSk +kPfxoqSDH7EgVzOOl8jFxVxyHVUKYbJ4LYnP1E6of1RxOQW7QBxaUY3/i/B6XDTD +cME7BAdr1ogXiDnasDYZzsbK+ySvtlylK6kqdvhHHfHtC1sMj/WnUniwE+I5k7IC +yLArvQyk9okdGCw20tH2Kp3nOVXicoqgIUVQ6LoYusSjccgFYPqAqe50i1iuohRA +W9Nj5jDd0kyf0pngBJn8y/KXThtsbPw//CIVi7amb3kkHUb8O3CJlRfO18wsmvmK +0iBtUUp3E0rL3I7aJnZLIZAppV+yO3hbUJCiPT0YyVdh7o+RCsTV1+XIQcaBrg0V +ThmTUggXO5keuuvu39P3OQakLarAiQcGJqpGekzeJ/q5WTxxvegeqOC0rCgDW7tY +9md0WZ9ATOqrrDfcwp2vCLpleiPUuvrfl8ceEts6WSibqN7Gcg4= +=ZAOg +-----END PGP SIGNATURE----- diff --git a/libvorbis-doc.spec b/libvorbis-doc.spec index 83ad84a..b4bae74 100644 --- a/libvorbis-doc.spec +++ b/libvorbis-doc.spec 
@@ -1,7 +1,7 @@ # # spec file for package libvorbis-doc # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -23,13 +23,15 @@ %endif Name: libvorbis-doc -Version: 1.3.6 +Version: 1.3.7 Release: 0 Summary: Documentation of Ogg/Vorbis library License: BSD-3-Clause Group: Documentation/Other -Url: http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +URL: https://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source99: libvorbis.keyring Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12: vorbis-ocloexec.patch diff --git a/libvorbis.changes b/libvorbis.changes index 7082c0d..2f3d43f 100644 --- a/libvorbis.changes +++ b/libvorbis.changes 
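Review bot: In the `@@ -23,13 +23,15 @@` hunk, `Source99: libvorbis.keyring` points libvorbis-doc.spec at a keyring that is not named after this spec's `Name: libvorbis-doc`, and I am not certain the OBS source validator resolves a keyring under a name other than `%{name}.keyring` when it checks `Source1` against the tarball; if it does not, the doc package would build without the signature ever being verified, so it is worth confirming by running the source validator locally against this spec. If a matching name turns out to be required, a second keyring file `libvorbis-doc.keyring` holding the same key keeps both specs verified with one key. The `Source` and `Source1` lines are otherwise consistent with libvorbis.spec, which is what you want since both specs must fetch the identical archive.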
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Jul 10 10:14:43 UTC 2020 - Martin Hauke
+
+- Update to version 1.3.7
+ * Fix CVE-2018-10392 and CVE-2018-10393 - out-of-bounds read
+ encoding very low sample rates
+ * Fix CVE-2017-14160 - out-of-bounds read encoding very low
+ sample rates.
+ * Fix handling invalid bytes per sample arguments.
+ * Fix handling invalid channel count arguments.
+ * Fix invalid free on seek failure.
+ * Fix negative shift reading blocksize.
+ * Fix accepting unreasonable float32 values.
+ * Fix tag comparison depending on locale.
+ * Fix unnecessarily linking libm.
+ * Fix memory leak in test_sharedbook.
+ * Distribute CMake build files with the source package.
+ * Remove unnecessary configure --target switch.
+ * Add OSS-Fuzz support.
+ * Build system and integration updates.
+- Drop not longer needed patches (fixed by upstream):
+ * vorbis-CVE-2017-14160.patch
+ * vorbis-CVE-2018-10392.patch
+ * vorbis-CVE-2018-10393.patch
+- Add source verification
+
 -------------------------------------------------------------------
 Tue Jun 5 11:37:54 CEST 2018 - tiwai@suse.de
diff --git a/libvorbis.keyring b/libvorbis.keyring
new file mode 100644
index 0000000..859ca3e
--- /dev/null
+++ b/libvorbis.keyring
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFsCSDYBEADM27aZ5YfexsnbrsvQ8sdZtUM2afJptN2BEujqvzPN8vR8yIaO +ScfhCPOHI1CYyevT0SVpeoNDW5JIJD5YbpT87PXbi2Ia/zRo8pIOdUqlL4HUtEoc +dTt1ihlmM/3seqvlkEJnnlhVhE6Oz8yy20yjYcNDtgHhirYrV240XRiPflEt0jsd +LHgYtsyEiktRTITX9Dr3V9Pr2W22qd2zFAkdc5G+wo0TiaDXRYC0siOzoV5VbR47 +lT7juRD5aO+TDxc4Azs9GJQtrUFpF1rtnQvn/+aXX7uj4mBu8jdoSSCZb9mm3mbE +Sb2QUTzP0gBal6bcPoghpZcCRQ/rtlkMaYnGMe5qBe5x3iPhbPrPNF0kfbj+Jx79 +6LygakyLbnINIZyJ7tjTSyruXkWsVkI6YuMa6ld3ejc6bak1WWXS/B5WDq36gBlB +W1QJi0qrMMXFr/AntXQYqudqnZeRJS11CxCy7onh8oR6+QQXs3Ec+fw8uLSEUL/j +iu5nEl6OofmUVvQsPUKzjMFpOmpA6T+JD5RbpgSUP+hrZW/q3JwcON9inYsJvWBJ +3DX9rLSs4pHlW5NzjXBiLGLDZOZszDYZVBkZ5xj+7vWNxBOu32ehUQFMbBkQsAuD +NX45RfsaFxO7pWoV8/oXKrbhn3wwh5GzRi5aGvN8qUuWCvXHCGlgkbBKkwARAQAB +tB9SYWxwaCBHaWxlcyA8Z2lsZXNAdGhhdW1hcy5uZXQ+iQI9BBMBCgAnBQJbAkg2 +AhsDBQkFo5qABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEJJZqPLS1EyEzvEP +/1ELKFTm7CKGPMhInqwImHg47w2by42zuqhmWkfi+yO4NnRCAxpXk38aIbWG4ToN +TVACJY7o2Nt7iTsNfuXNiP8L5xBoaeimFXCtoY+Bl3frW6eDwg1XHCzqsrblsYSi +sNN7xiYpUngJdJ9//ij1T6rWIiQwQZxZeHSE08hduNDIvmup9E1xjLtV3KMUB97z +TDcQrBoQOD+ztxGQrtQTpf1hqhmfe94QJlYYmqZHPl2f77qA05nGhuXZvqhD6uEg +XhoRf0a1MHgQ3XMNEXILjb+Tq6ed/GbTUiYdVc9Dzqs+1H0Ozazc2Y3BWslZlE7c +GtdkAWLqBGlFtnyLELEKluR9zi3KTkhwS1cVrA3IB23D+PfzKehfpPSCgRvyU86o +qG5M6deVkPKzbf/lHBTFrG7mUHdgFP67i7ia77jNaN65Jx53vRfbbdjB8UllhbvQ +DfFTywrrdcG0OxnIhlJO22ZvXTJrcMU5AWkgLqTDvnFoefYYK9C2ht8g45Gh+jYG +6SGkgqE0Xl+PYKJfDfZQDAn4xIfRaZyqr8gVT2T/w/LkHLeG/jjDOeISJofRNFqg +lGtHWUtIw+CGOw82UjlSUn9pKKyyimaUNmtRt9cC8voyI5VEWdP345yRC8PNucWs +v2EeWK9bxB6XVP9TEITzTSANxlMNffVbTubCkU221FruuQINBFsCSDYBEACXU7rJ +mnTi7MfJcltrbhctLpbFFeDZn+T7z3T6JnZw9GV/iRYeGrwhNptUg66ffhIC2nBg +mcNQ67olB4vRdDCqA02+rMTySXFhBj4VX/7EECmw14D84cZR+BoIrLDxzfBUux9j +7BlX2bBiQ79VSwng9uCipZj49fWNAm0RnZ/P8LDATUb3i4f/o0qD1Gm39VcRSQdI +La/FpwTKB/B0ToUH5/i0TlWNiRziB/nlM00x5BUqRP8QrQVszsyKlYy5T0eR8MEV +uw0LuQx2qroRh8CTZdWRRBTtcWCFb5cfqZWdUgu0sF/dMIcwBvcnma/aVgF62EdC 
+CgrMmRqd/IFrmbPZXq7VRCGkEaxHjs41ahRHk51bKwcuGqHw0UQsbv+dcMURvl13 +rQulOkwe+1QILspQ/foqugMoWDqcPEBHG+ovfjzSoB5MIEkyJjfeyPXjlYTA+tbm +lw5c6tLQMRlYA5hhc0BYNFYSrx/oAtUg05hz31v2d8UCSZS/wHAh3DzMJgwMj5N+ +IZ8iOQNYISQCBASQEhLQk+J0smGmxUx+uvGJvxdo6g5WnIsztcLMOpqUMiy3jfOw +LojIClAUIYoHXLEN8D6oaKJ3EdpOANBb/0Ro7JPPC0wrQZE8+rlCu0EhH/Xt8aMC +HeHkF+rxC0Nu/JACPFLELWAlrYKY79cHJAAPmwARAQABiQIlBBgBCgAPBQJbAkg2 +AhsMBQkFo5qAAAoJEJJZqPLS1EyEBtwP/3njDZm35BC1HMPn1ToJwNR1Qtd4Puup +jNNHcHf1v9UQUvRg0dsOY5qmL+GBj3zgRAQ7LP3xbXu0e0/Cwucdv6hf8/6P641w +LwCAGkfshiAxnSCEHLDEdad0wcXM5DDIdqJMR5lWWoo+ln91+AGXgPuWRPcJE56l +INLaZX3cgYKriYdphCcMyMgtHzyKkDwSMGKundtxFx9Gdg57hGEZTYfd9XqWMZwD +2jcfvk9ASJqy4y+k9oc+M/3m40F8Qua26Gfdp8e3d+R/Y1QzKtO8fhoUi0aT8f0X +zBG7Y89actCAO4Hr6z1qEpGbQb3fbqmaaI7uxgUj5+ApUbdtw4581QKGDGp95GMC +Ca1LZ47qhlvr5vkrUU+204qS/i2LurzUPqo7qBiCUCgAERx+kQzBRlziTIkWc6Wt +W2bxugxYEx05yrNdwoxO8PkDF+v4Yv8abL7XBAZgbVvEgPiONducLWnj4h27fGhN +Mj6Y2qK9bsxobAUJtjWw2r/LuS8CgOnRX6mYdVZw5+0BgFc1BKI1GtW0n4eR2gUj +OU3LkzNoSFbl3HTnHYz4SwM62Na50HglKUfoXp0HiL0dxsQEj71WSVtBjNUxfUMk +OfnAbwDUbpDIe68DSCVNLVw6dJZANqW/77vvN17AuX0O0Jt1/bmenv8CDmR0NP/B +ziJMnjt238S8 +=MNJb +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libvorbis.spec b/libvorbis.spec index cb229cc..8861386 100644 --- a/libvorbis.spec +++ b/libvorbis.spec @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: libvorbis -Version: 1.3.6 +Version: 1.3.7 Release: 0 Summary: The Vorbis General Audio Compression Codec License: BSD-3-Clause Group: System/Libraries -Url: http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz -Source1: baselibs.conf +URL: http://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source10: baselibs.conf +Source99: libvorbis.keyring Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12: vorbis-ocloexec.patch -Patch101: vorbis-CVE-2017-14160.patch -Patch102: vorbis-CVE-2018-10393.patch -Patch103: vorbis-CVE-2018-10392.patch BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig @@ -119,9 +118,6 @@ if [ "%{_lib}" == "lib64" ]; then %patch1 fi %patch12 -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 %build # Fix optimization level diff --git a/vorbis-CVE-2017-14160.patch b/vorbis-CVE-2017-14160.patch deleted file mode 100644 index 2ec3f2e..0000000 --- a/vorbis-CVE-2017-14160.patch +++ /dev/null 
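Review bot: In the `@@ -12,25 +12,24 @@` hunk, `URL: http://www.vorbis.com/` stays on plain http while the same commit moves `Source` and `Source1` to https and changes libvorbis-doc.spec to `URL: https://www.vorbis.com/`; `URL:            https://www.vorbis.com/` keeps both specs consistent. A smaller consistency nit in the same hunk: `Source` uses `%{name}-%{version}.tar.xz` but the new `Source1` hard-codes `libvorbis-%{version}.tar.xz.asc`; `Source1:        https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz.asc` ties the signature to the same name macro as the archive it signs. Removing `Patch101`–`Patch103` together with their `%patch` lines in the `@@ -119,9 +118,6 @@` hunk matches the commit message's statement that 1.3.7 carries those fixes upstream.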
@@ -1,27 +0,0 @@ -From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001 -From: Thomas Daede -Date: Wed, 9 May 2018 14:56:59 -0700 -Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates. - ---- - lib/psy.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/psy.c b/lib/psy.c -index 422c6f1e412d..13101230ea3a 100644 ---- a/lib/psy.c -+++ b/lib/psy.c -@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b, - for (i = 0, x = 0.f;; i++, x += 1.f) { - - lo = b[i] >> 16; -- if( lo>=0 ) break; - hi = b[i] & 0xffff; -+ if( lo>=0 ) break; -+ if( hi>=n ) break; - - tN = N[hi] + N[-lo]; - tX = X[hi] - X[-lo]; --- -2.17.0 - diff --git a/vorbis-CVE-2018-10392.patch b/vorbis-CVE-2018-10392.patch deleted file mode 100644 index 7fe859b..0000000 --- a/vorbis-CVE-2018-10392.patch +++ /dev/null @@ -1,20 +0,0 @@ -From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001 -From: Thomas Daede -Date: Thu, 17 May 2018 16:19:19 -0700 -Subject: [PATCH] Sanity check number of channels in setup. - -Fixes #2335. ---- - lib/vorbisenc.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/lib/vorbisenc.c -+++ b/lib/vorbisenc.c -@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info - highlevel_encode_setup *hi=&ci->hi; - - if(ci==NULL)return(OV_EINVAL); -+ if(vi->channels<1||vi->channels>255)return(OV_EINVAL); - if(!hi->impulse_block_p)i0=1; - - /* too low/high an ATH floater is nonsensical, but doesn't break anything */ diff --git a/vorbis-CVE-2018-10393.patch b/vorbis-CVE-2018-10393.patch deleted file mode 100644 index cf075b2..0000000 --- a/vorbis-CVE-2018-10393.patch +++ /dev/null 
@@ -1,38 +0,0 @@
----
- lib/psy.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/lib/psy.c
-+++ b/lib/psy.c
-@@ -605,6 +605,7 @@ static void bark_noise_hybridmp(int n,co
- hi = b[i] & 0xffff;
- if( lo>=0 ) break;
- if( hi>=n ) break;
-+ if( -lo >=n ) break;
-
- tN = N[hi] + N[-lo];
- tX = X[hi] - X[-lo];
-@@ -627,6 +628,7 @@ static void bark_noise_hybridmp(int n,co
- lo = b[i] >> 16;
- hi = b[i] & 0xffff;
- if(hi>=n)break;
-+ if(lo >=n)break;
-
- tN = N[hi] - N[lo];
- tX = X[hi] - X[lo];
-@@ -656,6 +658,7 @@ static void bark_noise_hybridmp(int n,co
- hi = i + fixed / 2;
- lo = hi - fixed;
- if(lo>=0)break;
-+ if( hi>=n || -lo >=n ) break;
-
- tN = N[hi] + N[-lo];
- tX = X[hi] - X[-lo];
-@@ -676,6 +679,7 @@ static void bark_noise_hybridmp(int n,co
- hi = i + fixed / 2;
- lo = hi - fixed;
- if(hi>=n)break;
-+ if( hi>=n || lo >=n ) break;
-
- tN = N[hi] - N[lo];
- tX = X[hi] - X[lo];