From ffa27b179de9e0862aee7bc3af0f301907684280f5a6b74f8e0be64963ba1c59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Wed, 9 Aug 2017 09:12:37 +0000
Subject: [PATCH] Accepting request 515262 from
 home:sbrabec:branches:multimedia:libs

- Update to versio 1.11.1:
  * Fixed binary incompatible change in TagLib::String.
  * Fixed reading ID3v2 CTOC frames with a lot of entries.
  * Fixed seeking ByteVectorStream from the end.
- Prevent denial of service (bsc#1052699, CVE-2017-12678,
  taglib-CVE-2017-12678.patch).

OBS-URL: https://build.opensuse.org/request/show/515262
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/taglib?expand=0&rev=71
---
 taglib-1.11.1.tar.gz        |  3 +++
 taglib-1.11.tar.gz          |  3 ---
 taglib-CVE-2017-12678.patch | 35 +++++++++++++++++++++++++++++++++++
 taglib.changes              | 10 ++++++++++
 taglib.spec                 |  9 ++++++---
 5 files changed, 54 insertions(+), 6 deletions(-)
 create mode 100644 taglib-1.11.1.tar.gz
 delete mode 100644 taglib-1.11.tar.gz
 create mode 100644 taglib-CVE-2017-12678.patch

diff --git a/taglib-1.11.1.tar.gz b/taglib-1.11.1.tar.gz
new file mode 100644
index 0000000..85f118b
--- /dev/null
+++ b/taglib-1.11.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b6d1a5a610aae6ff39d93de5efd0fdc787aa9e9dc1e7026fa4c961b26563526b
+size 1261620
diff --git a/taglib-1.11.tar.gz b/taglib-1.11.tar.gz
deleted file mode 100644
index 0f6abc4..0000000
--- a/taglib-1.11.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ed4cabb3d970ff9a30b2620071c2b054c4347f44fc63546dbe06f97980ece288
-size 1263736
diff --git a/taglib-CVE-2017-12678.patch b/taglib-CVE-2017-12678.patch
new file mode 100644
index 0000000..f04ea55
--- /dev/null
+++ b/taglib-CVE-2017-12678.patch
@@ -0,0 +1,35 @@
+https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6
+
+From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sun, 23 Jul 2017 10:11:09 -0400
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7b..9347ab86 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+      tag->frameList("TDAT").size() == 1)
+   {
+     TextIdentificationFrame *tdrc =
+-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+ 
+-    if(tdrc->fieldList().size() == 1 &&
++    if(tdrc &&
++       tdrc->fieldList().size() == 1 &&
+        tdrc->fieldList().front().size() == 4 &&
+        tdat->data().size() >= 5)
+     {
+-- 
+2.13.1
+
diff --git a/taglib.changes b/taglib.changes
index 87cb5ab..b9c3bf9 100644
--- a/taglib.changes
+++ b/taglib.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug  8 22:36:41 CEST 2017 - sbrabec@suse.com
+
+- Update to versio 1.11.1:
+  * Fixed binary incompatible change in TagLib::String.
+  * Fixed reading ID3v2 CTOC frames with a lot of entries.
+  * Fixed seeking ByteVectorStream from the end.
+- Prevent denial of service (bsc#1052699, CVE-2017-12678,
+  taglib-CVE-2017-12678.patch).
+
 -------------------------------------------------------------------
 Mon May  2 18:24:57 UTC 2016 - aloisio@gmx.com
 
diff --git a/taglib.spec b/taglib.spec
index 2f31c33..f24dea5 100644
--- a/taglib.spec
+++ b/taglib.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package taglib
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,16 @@
 
 
 Name:           taglib
-Version:        1.11
+Version:        1.11.1
 Release:        0
 Summary:        Audio Meta-Data Library
 License:        LGPL-2.1+ and MPL-1.1
 Group:          Productivity/Multimedia/Other
 Url:            http://taglib.github.io/
-Source0:        http://taglib.github.io/releases/taglib-%{version}.tar.gz
+Source0:        http://taglib.github.io/releases/%{name}-%{version}.tar.gz
 Source1:        %{name}.desktop
+# PATCH-FIX-SECURITY taglib-CVE-2017-12678.patch bsc1052699 CVE-2017-12678 sbrabec@suse.com -- Prevent denial of service.
+Patch:          taglib-CVE-2017-12678.patch
 Source100:      baselibs.conf
 BuildRequires:  cmake >= 2.8
 BuildRequires:  doxygen
@@ -97,6 +99,7 @@ This package contains development files for taglib.
 
 %prep
 %setup -q
+%patch -p1
 
 %build
 %cmake \