Hello community, here is the log from the commit of package libvorbis for openSUSE:11.4 checked in at Tue Feb 21 21:24:11 CET 2012.
-------- --- old-versions/11.4/all/libvorbis/libvorbis.changes 2010-12-10 15:14:37.000000000 +0100 +++ 11.4/libvorbis/libvorbis.changes 2012-02-21 14:36:00.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Feb 21 14:35:47 CET 2012 - [email protected] + +- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow + (bnc#747912) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libvorbis Destination is old-versions/11.4/UPDATES/all/libvorbis calling whatdependson for 11.4-i586 New: ---- libvorbis-CVE-2012-0444.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvorbis.spec ++++++ --- /var/tmp/diff_new_pack.0njvgn/_old 2012-02-21 21:23:27.000000000 +0100 +++ /var/tmp/diff_new_pack.0njvgn/_new 2012-02-21 21:23:27.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libvorbis (Version 1.3.2) +# spec file for package libvorbis # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,12 +19,12 @@ Name: libvorbis Version: 1.3.2 -Release: 2 +Release: 6.<RELEASE7> #to_be_filled_by_service -License: BSD3c(or similar) Summary: The Vorbis General Audio Compression Codec -Url: http://www.vorbis.com/ +License: BSD-3-Clause Group: System/Libraries +Url: http://www.vorbis.com/ # bug437293 (SLES10 -> SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-64bit 
@@ -38,8 +38,10 @@ # 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff' # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 [email protected] -- Use Requires/Libs.private to avoid overlinking Patch10: libvorbis-pkgconfig.patch +Patch20: libvorbis-CVE-2012-0444.diff +BuildRequires: fdupes BuildRequires: libogg-devel -BuildRequires: fdupes pkgconfig +BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -52,9 +54,9 @@ %package -n libvorbis0 + Summary: The Vorbis General Audio Compression Codec Group: System/Libraries -License: BSD3c(or similar) # bug437293 (SLES10 -> SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-64bit @@ -75,9 +77,9 @@ %package -n libvorbisenc2 + Summary: The Vorbis General Audio Compression Codec Group: System/Libraries -License: BSD3c(or similar) %description -n libvorbisenc2 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -89,9 +91,9 @@ %package -n libvorbisfile3 + Summary: The Vorbis General Audio Compression Codec Group: System/Libraries -License: BSD3c(or similar) %description -n libvorbisfile3 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -102,7 +104,7 @@ libmatroska (matroska) can also be used. %package devel -License: BSD3c(or similar) + Summary: Include Files and Libraries mandatory for Ogg Vorbis Development Group: Development/Libraries/C and C++ Requires: libvorbis0 = %{version} @@ -121,7 +123,7 @@ to compile and develop applications that use libvorbis. %package doc -License: BSD3c(or similar) + Summary: Documentation of Ogg/Vorbis library Group: Documentation/Other %if 0%{?suse_version} >= 1120 @@ -140,6 +142,7 @@ if [ "%{_lib}" == "lib64" ]; then %patch1 fi +%patch20 -p1 %build %configure --disable-static ++++++ libvorbis-CVE-2012-0444.diff ++++++ --- lib/floor1.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/floor1.c +++ b/lib/floor1.c 
@@ -167,6 +167,7 @@ static vorbis_info_floor *floor1_unpack for(j=0,k=0;j<info->partitions;j++){ count+=info->class_dim[info->partitionclass[j]]; + if(count>VIF_POSIT) goto err_out; for(;k<count;k++){ int t=info->postlist[k+2]=oggpack_read(opb,rangebits); if(t<0 || t>=(1<<rangebits)) continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
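Review bot: the new bound `if(count>VIF_POSIT) goto err_out;` in floor1_unpack is only sufficient if `postlist` is declared with at least VIF_POSIT+2 entries, since the inner loop writes `info->postlist[k+2]` for every k<count; confirm that against the vorbis_info_floor1 declaration (codec_internal.h) before merging, and confirm that the err_out label frees the partially filled info and returns NULL, because the check now fires mid-fill. Placement is right: count is accumulated from class_dim before the check, so rejecting count>VIF_POSIT keeps k+2 at most VIF_POSIT+1. The hunk as shown in this log is cut off after the `if(t<0 || t>=(1<<rangebits))` line, so verify the trailing context of libvorbis-CVE-2012-0444.diff applies cleanly.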
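Review bot: `Patch20: libvorbis-CVE-2012-0444.diff` has no origin comment, while the neighbouring `Patch10: libvorbis-pkgconfig.patch` carries a `# PATCH-FIX-UPSTREAM ... -- reason` tag; add the same kind of comment for Patch20 naming CVE-2012-0444 and bnc#747912 so the provenance is recorded in the spec and not only in the changes entry. The `%patch20 -p1` added to %prep is consistent with the `--- a/lib/floor1.c` / `+++ b/lib/floor1.c` headers of the diff.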
