Accepting request 614499 from multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/614499
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/taglib?expand=0&rev=50

taglib-CVE-2018-11439.patch

@@ -0,0 +1,41 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+CVE-2018-11439 is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d04508a..07ea9dccc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+ 
+   if(!metadataHeader.startsWith("fLaC"))  {
+     // FLAC 1.1.2+
++    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++    if(metadataHeader.size() < 13)
++      return;
++
++    if(metadataHeader[0] != 0x7f)
++      return;
++
+     if(metadataHeader.mid(1, 4) != "FLAC")
+       return;
+ 
+-    if(metadataHeader[5] != 1)
+-      return; // not version 1
++    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++      return; // not version 1.0
++
++    if(metadataHeader.mid(9, 4) != "fLaC")
++      return;
+ 
+     metadataHeader = metadataHeader.mid(13);
+   }

taglib.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jun  6 08:38:38 UTC 2018 - kbabioch@suse.com
+
+- Added taglib-CVE-2018-11439.patch: Fix an out-of-bounds read when loading
+  invalid ogg flac files (CVE-2018-11439, bsc#1096180). 
+- Applied spec-cleaner to specfile
+
 -------------------------------------------------------------------
 Tue Sep 26 09:27:25 UTC 2017 - tchvatal@suse.com
 

taglib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package taglib
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,14 +20,15 @@ Name:           taglib
 Version:        1.11.1
 Release:        0
 Summary:        Audio Meta-Data Library
-License:        LGPL-2.1+ AND MPL-1.1
+License:        LGPL-2.1-or-later AND MPL-1.1
 Group:          Productivity/Multimedia/Other
-Url:            http://taglib.github.io/
+URL:            http://taglib.github.io/
 Source0:        http://taglib.github.io/releases/%{name}-%{version}.tar.gz
 Source1:        %{name}.desktop
 Source100:      baselibs.conf
 # PATCH-FIX-SECURITY taglib-CVE-2017-12678.patch bsc1052699 CVE-2017-12678 sbrabec@suse.com -- Prevent denial of service.
 Patch0:         taglib-CVE-2017-12678.patch
+Patch1:         taglib-CVE-2018-11439.patch
 BuildRequires:  cmake >= 2.8
 BuildRequires:  doxygen
 BuildRequires:  fdupes
@@ -52,7 +53,7 @@ command line.
 
 %package -n libtag1
 Summary:        Audio Meta-Data Library
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          System/Libraries
 Conflicts:      taglib <= 1.6.3
 
@@ -64,7 +65,7 @@ TrueAudio, WAV, AIFF, MP4 and ASF files.
 
 %package -n libtag_c0
 Summary:        Audio Meta-Data Library
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          System/Libraries
 Conflicts:      taglib <= 1.6.3
 
@@ -76,7 +77,7 @@ TrueAudio, WAV, AIFF, MP4 and ASF files.
 
 %package -n libtag-devel
 Summary:        Development files for taglib
-License:        LGPL-2.1+
+License:        LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
 Requires:       libstdc++-devel
 Requires:       libtag1 = %{version}-%{release}
@@ -92,6 +93,7 @@ This package contains development files for taglib.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 %cmake \