libvorbis/libvorbis.changes
Takashi Iwai d1ae3d83a0 Accepting request 588024 from home:tiwai:branches:multimedia:libs
- Update to version 1.3.6:
  * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
  * Fix CVE-2017-14632 - free() on unitialized data
  * Fix CVE-2017-14633 - out-of-bounds read
  * Fix bitrate metadata parsing.
  * Fix out-of-bounds read in codebook parsing.
  * Fix residue vector size in Vorbis I spec.
  * Appveyor support
  * Travis CI support
  * Add secondary CMake build system.
  * Build system fixes
- Build documents with doxygen, and many tex stuff;
  this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
  vorbis-fix-linking.patch
  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
  libvorbis-CVE-2018-5146.patch

OBS-URL: https://build.opensuse.org/request/show/588024
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvorbis?expand=0&rev=56
2018-03-16 22:13:48 +00:00

520 lines
18 KiB
Plaintext

-------------------------------------------------------------------
Fri Mar 16 22:12:35 CET 2018 - tiwai@suse.de
- Update to version 1.3.6:
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read
* Fix bitrate metadata parsing.
* Fix out-of-bounds read in codebook parsing.
* Fix residue vector size in Vorbis I spec.
* Appveyor support
* Travis CI support
* Add secondary CMake build system.
* Build system fixes
- Build documents with doxygen, and many tex stuff;
this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
vorbis-fix-linking.patch
0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
libvorbis-CVE-2018-5146.patch
-------------------------------------------------------------------
Fri Mar 16 20:02:45 CET 2018 - tiwai@suse.de
- Fix VUL-0: libvorbis: Out of bounds memory write while processing
Vorbis audio data (CVE-2018-5146, bsc#1085687):
libvorbis-CVE-2018-5146.patch
-------------------------------------------------------------------
Tue Dec 19 14:32:18 CET 2017 - tiwai@suse.de
- Fix VUL-0: out-of-bounds array read vulnerability exists in
function mapping0_forward() (CVE-2017-14633, bsc#1059811):
0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
- Fix VUL-0: Remote Code Execution upon freeing uninitialized
memory in function vorbis_analysis_headerout(CVE-2017-14632,
bsc#1059809):
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
-------------------------------------------------------------------
Tue Nov 29 12:14:08 UTC 2016 - aloisio@gmx.com
- Added 32bit libvorbis-devel in baselibs.conf
-------------------------------------------------------------------
Fri Mar 6 15:23:26 UTC 2015 - mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Update to 1.3.5
* Tolerate single-entry codebooks.
* Fix decoder crash with invalid input.
* Fix encoder crash with non-positive sample rates.
* Fix issues in vorbisfile's seek bisection code.
* Spec errata.
* Reject multiple headers of the same type.
* Various build fixes and code cleanup.
-------------------------------------------------------------------
Mon Aug 18 14:36:27 CEST 2014 - fcrozat@suse.com
- Fix obsoletes and provides in baselibs.conf.
-------------------------------------------------------------------
Sun Feb 23 19:43:16 UTC 2014 - andreas.stieger@gmx.de
- Xiph libvorbis 1.3.4
* reduced static data size in libvorbisenc
* associated minor changes required to libvorbis and libvorbisfile
* minor build fixes and build system updates
* no functional changes over the previous 1.3.3 release
- removed libvorbis-pkgconfig.patch, in upstream
- updated vorbis-fix-linking.patch for context changes
-------------------------------------------------------------------
Tue Apr 16 06:46:59 UTC 2013 - mmeister@suse.com
- Added url as source.
Please see http://en.opensuse.org/SourceUrls
-------------------------------------------------------------------
Sat Mar 2 12:59:01 UTC 2013 - seife+obs@b1-systems.com
- fix build with automake-1.13.1
-------------------------------------------------------------------
Wed Jun 20 15:42:24 UTC 2012 - ftake@geeko.jp
- updated to 1.3.3
* vorbis: additional proofing against invalid/malicious
streams in decode (see SVN for details).
* vorbis: fix a memory leak in vorbis_commentheader_out().
* updates, corrections and clarifications in the Vorbis I
specification document
* build warning fixes
-------------------------------------------------------------------
Tue Feb 21 14:32:38 CET 2012 - tiwai@suse.de
- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow
(bnc#747912)
-------------------------------------------------------------------
Sun Dec 25 11:09:50 UTC 2011 - idonmez@suse.com
- -O20 optimization level doesn't exist, use -O3
-------------------------------------------------------------------
Fri Nov 25 21:08:52 UTC 2011 - crrodriguez@opensuse.org
- open files with O_CLOEXEC, in order to avoid fd leaks
when calling applications fork() ..execve()...
This patch does not cover the executable tools since
it is not critical for them.
-------------------------------------------------------------------
Tue Nov 22 10:21:04 UTC 2011 - coolo@suse.com
- add libtool as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Mon Aug 29 19:00:55 UTC 2011 - crrodriguez@opensuse.org
- Fix build with no-add-needed
-------------------------------------------------------------------
Thu May 5 22:56:15 CEST 2011 - dmueller@suse.de
- fix provides/obsoletes in baselibs
-------------------------------------------------------------------
Thu Dec 9 22:14:53 UTC 2010 - davejplater@gmail.com
- Split libvorbisenc2 and libvorbisfile3 from libvorbis0
- Removed services.
-------------------------------------------------------------------
Wed Dec 8 15:52:05 UTC 2010 - coolo@novell.com
- fix the package split
-------------------------------------------------------------------
Wed Dec 8 04:23:34 UTC 2010 - reddwarf@opensuse.org
- updated to version 1.3.2
* vorbis: additional proofing against invalid/malicious
streams in floor, residue, and bos/eos packet trimming
code (see SVN for details).
* vorbis: Added programming documentation tree for the
low-level calls
* vorbisfile: Correct handling of serial numbers array
element [0] on non-seekable streams
* vorbisenc: Back out an [old] AoTuV HF weighting that was
first enabled in 1.3.0; there are a few samples where I
really don't like the effect it causes.
* vorbis: return correct timestamp for granule positions
with high bit set.
* vorbisfile: the [undocumented] half-rate decode api made no
attempt to keep the pcm offset tracking consistent in seeks.
Fix and add a testing mode to seeking_example.c to torture
test seeking in halfrate mode. Also remove requirement that
halfrate mode only work with seekable files.
* vorbisfile: Fix a chaining bug in raw_seeks where seeking
out of the current link would fail due to not
reinitializing the decode machinery.
* vorbisfile: improve seeking strategy. Reduces the
necessary number of seek callbacks in an open or seek
operation by well over 2/3.
- updated to version 1.3.1
* tweak + minor arithmetic fix in floor1 fit
* revert noise norm to conservative 1.2.3 behavior pending
more listening testing
- updated to versio 1.3.0
* Optimized surround support for 5.1 encoding at 44.1/48kHz
* Added encoder control call to disable channel coupling
* Correct an overflow bug in very low-bitrate encoding on 32 bit
machines that caused inflated bitrates
* Numerous API hardening, leak and build fixes
* Correct bug in 22kHz compand setup that could cause a crash
* Correct bug in 16kHz codebooks that could cause unstable pure
tones at high bitrates
- run spec-cleaner
- removed libvorbis-automake-fix.diff, libvorbis-doc-fixes.diff,
libvorbis-r16326-CVE-2009-3379.diff and
libvorbis-r16597-CVE-2009-3379.diff (upstream fixed)
- follow library packaging policy
- run make check
-------------------------------------------------------------------
Wed May 26 15:03:32 CEST 2010 - tiwai@suse.de
- VUL-0: libvorbis: memory corruption while parsing ogg files
(bnc#608192, CVE-2009-3379)
-------------------------------------------------------------------
Wed Dec 16 10:17:40 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
- enable parallel building
- package documentation as noarch
-------------------------------------------------------------------
Wed Nov 11 10:56:23 CET 2009 - tiwai@suse.de
- updated to version 1.2.3:
* correct a vorbisfile bug that prevented proper playback of
Vorbis files where all audio in a logical stream is in a
single page
* Additional decode setup hardening against malicious streams
* Add 'OV_EXCLUDE_STATIC_CALLBACKS' define for developers who
wish to avoid avoid unused symbol warnings from the static
callbacks defined in vorbisfile.h
- updated to version 1.2.2:
* define VENDOR and ENCODER strings
* seek correctly in files bigger than 2 GB (Windows)
* fix regression from CVE-2008-1420; 1.0b1 files work again
* mark all tables as constant to reduce memory occupation
* additional decoder hardening against malicious streams
* substantially reduce amount of seeking performed by Vorbisfile
* Multichannel decode bugfix
* build system updates
* minor specification clarifications/fixes
- dropped aotuv patch temporarily
-------------------------------------------------------------------
Thu Jul 23 15:28:13 CEST 2009 - tiwai@suse.de
- updated to aoTuV patch version beta5.7:
* including security fixes
* improved encoding speed of low bitrate mode
* reduced distrotion by clipping at low sampling frequency
* fixed noise control part of impulse block
* tuning of each part was redone
* expanded noise control of the impulse block
* fixed pre-echo reduction code
* noise normalization reviewed
* detailed tuning done again
-------------------------------------------------------------------
Mon Jun 22 09:47:22 CEST 2009 - coolo@novell.com
- fix build with automake 1.11
-------------------------------------------------------------------
Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Thu Nov 20 16:48:52 CET 2008 - pth@suse.de
- Fix the test in libvorbis-m4.dif and adapt libvorbis-lib64.dif.
-------------------------------------------------------------------
Wed May 14 16:41:31 CEST 2008 - tiwai@suse.de
- VUL-0: Multiple vulnerabilities in libogg and libvorbis
(bnc#372246)
* CVE-2008-1419 vorbis: zero-dim codebooks can cause crash,
infinite loop or heap overflow
* CVE-2008-1420 vorbis: integer overflow in partvals computation
* CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks
-------------------------------------------------------------------
Mon Apr 28 12:56:34 CEST 2008 - tiwai@suse.de
- fixed dependency in *.pc files (bnc#384153)
- removed old run_ldconfig
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Thu Aug 2 12:22:21 CEST 2007 - tiwai@suse.de
- updated to version 1.2.0:
* new ov_fopen() convenience call that avoids the common
stdio conflicts with ov_open() and MSVC runtimes.
* libvorbisfile now handles multiplexed streams
* improve robustness to corrupt input streams
* fix a minor encoder bug
* updated RTP draft
* build system updates
* minor corrections to the specification
-------------------------------------------------------------------
Fri Jul 27 12:56:43 CEST 2007 - tiwai@suse.de
- fix the documentation link (#293784)
- split documentation to doc subpackage
- remove -fno-strict-aliasing gcc option
-------------------------------------------------------------------
Mon Jul 9 10:48:33 CEST 2007 - tiwai@suse.de
- fix array boundary conditional flaw in mapping (#287124,
CVE-2007-3106)
-------------------------------------------------------------------
Mon Apr 23 18:06:06 CEST 2007 - tiwai@suse.de
- use aoTuV beta5 patch:
* The action of noise normalization has been improved.
* The threshold of a stereo mode change was calculated
dynamically.
* Noise control of an impulse block was changed (quality 0-10
/ 32-48kHz). And pre-echo decreased slightly.
* Tuning of each part was redone according to above-mentioned
changed part and additional part.
-------------------------------------------------------------------
Mon Apr 16 15:07:19 CEST 2007 - tiwai@suse.de
- follow library packaging policy
* move docs to devel package
* remove static library
- remove obsolete m4 files
-------------------------------------------------------------------
Wed Jan 25 21:37:47 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Wed Jan 11 16:46:46 CET 2006 - tiwai@suse.de
- compile with -fstack-protector.
-------------------------------------------------------------------
Fri Dec 2 16:03:48 CET 2005 - tiwai@suse.de
- updated to version 1.1.2.
-------------------------------------------------------------------
Tue Oct 18 12:25:20 CEST 2005 - tiwai@suse.de
- updated to version 1.1.1.
-------------------------------------------------------------------
Sun Sep 4 06:45:34 CEST 2005 - aj@suse.de
- Build with -fno-strict-aliasing (#115135).
-------------------------------------------------------------------
Thu Jul 7 16:20:14 CEST 2005 - tiwai@suse.de
- remove -fsigned-char (#93878).
- fixed Requires of devel subpackage.
-------------------------------------------------------------------
Mon Jun 20 20:56:55 CEST 2005 - tiwai@suse.de
- updated to aoTuV beta4.
-------------------------------------------------------------------
Wed Jan 19 15:42:01 CET 2005 - tiwai@suse.de
- fixed compile warnings with gcc-4.0.
-------------------------------------------------------------------
Wed Nov 24 17:32:19 CET 2004 - tiwai@suse.de
- updated to libvorbis version 1.1.0.
- updated to aoTuV beta3.
-------------------------------------------------------------------
Thu Aug 5 13:03:24 CEST 2004 - tiwai@suse.de
- applied aoTuV patch to improve the encoding quality.
-------------------------------------------------------------------
Fri Apr 16 12:54:41 CEST 2004 - tiwai@suse.de
- fixed the type-punning.
- disabled the removal of $RPM_BUILD_ROOT in %install.
-------------------------------------------------------------------
Wed Jan 21 18:45:51 CET 2004 - tiwai@suse.de
- fixed quoting in m4 files.
-------------------------------------------------------------------
Fri Jan 9 17:47:41 CET 2004 - adrian@suse.de
- add %run_ldconfig to %postun
-------------------------------------------------------------------
Fri Jan 9 17:01:18 CET 2004 - tiwai@suse.de
- updated to version 1.0.1.
removed obsolete patches.
- added pkgconfig to neededforbuild.
-------------------------------------------------------------------
Sat Mar 1 18:04:02 CET 2003 - adrian@suse.de
- let libvorbis-devel require libogg-devel
-------------------------------------------------------------------
Fri Jan 17 17:24:33 CET 2003 - tiwai@suse.de
- fixed m4 macro (bug #21267).
-------------------------------------------------------------------
Thu Jan 9 18:17:59 CET 2003 - kukuk@suse.de
- Add *.la files to -devel filelist
-------------------------------------------------------------------
Wed Dec 4 18:14:02 CET 2002 - tiwai@suse.de
- fixed the undefined weak links.
- renamed m4.dif and lib64.dif with libvorbis- prefix to avoid
filename conflictions.
-------------------------------------------------------------------
Thu Sep 19 15:41:52 CEST 2002 - tiwai@suse.de
- don't add -I/usr/include to VORBIS_VFLAGS.
- fix test for prefix.
- move devel documents under %{_docdir}/libvorbis-devel.
-------------------------------------------------------------------
Mon Aug 12 13:40:58 CEST 2002 - tiwai@suse.de
- added Requires %{name} = %{version} to devel package.
-------------------------------------------------------------------
Tue Jul 23 16:49:20 CEST 2002 - tiwai@suse.de
- fixed m4 file for lib64.
- provides the backward compatible m4 file.
-------------------------------------------------------------------
Mon Jul 22 10:46:19 CEST 2002 - tiwai@suse.de
- updated to version 1.0.
- clean up the spec file.
- added %run_ldconfig.
-------------------------------------------------------------------
Wed Jun 12 13:20:32 CEST 2002 - meissner@suse.de
- rm acinclude.m4 so we don't have the problematic ogg.m4 (which contains
/lib hardcoded).
-------------------------------------------------------------------
Thu Apr 18 11:57:17 CEST 2002 - kukuk@suse.de
- Remove additional optimization, default is better
- Add --libdir to configure to build on x86_64
-------------------------------------------------------------------
Thu Feb 7 11:21:43 CET 2002 - tiwai@suse.de
- fixed build on s390x.
-------------------------------------------------------------------
Fri Jan 4 11:54:44 CET 2002 - tiwai@suse.de
- updated to RC3.
sync with cvs 2002.01.04.
-------------------------------------------------------------------
Tue Dec 4 11:24:07 CET 2001 - tiwai@suse.de
- sync with cvs 2001.12.04.
-------------------------------------------------------------------
Wed Oct 24 17:50:32 CEST 2001 - tiwai@suse.de
- sync with cvs 20011024.
+ fixed/updated documents
+ tuned up parameters
+ bugfixes on 64bit arch.
- removed Requires to libogg.
-------------------------------------------------------------------
Sat Oct 20 16:45:55 CEST 2001 - schwab@suse.de
- Fix use of qsort.
-------------------------------------------------------------------
Mon Aug 13 16:57:27 CEST 2001 - tiwai@suse.de
- updated to 1.0rc2 from cvs 20010813.
-------------------------------------------------------------------
Thu Jun 7 11:26:12 CEST 2001 - tiwai@suse.de
- fixed build with the recent libtool.
-------------------------------------------------------------------
Tue Apr 3 08:52:17 MEST 2001 - bk@suse.de
- make use of RPM_OPT_FLAGS
- include the include/vorbis dir into the file list(+rpm-macroized)
-------------------------------------------------------------------
Mon Mar 12 15:22:00 CET 2001 - tiwai@suse.de
- corrected copyright in spec file.
-------------------------------------------------------------------
Mon Feb 26 17:10:04 CET 2001 - tiwai@suse.de
- Updated to 1.0beta4.
-------------------------------------------------------------------
Wed Jan 31 12:29:54 CET 2001 - tiwai@suse.de
- Initial version: 1.0beta3.