Hello community,

here is the log from the commit of package libvorbis for 
openSUSE:12.1:Update:Test checked in at 2012-02-21 21:42:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update:Test/libvorbis (Old)
 and      /work/SRC/openSUSE:12.1:Update:Test/.libvorbis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvorbis", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:12.1:Update:Test/libvorbis/libvorbis.changes     
2012-02-21 21:42:34.000000000 +0100
+++ /work/SRC/openSUSE:12.1:Update:Test/.libvorbis.new/libvorbis.changes        
2012-02-21 21:42:34.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Feb 21 14:34:37 CET 2012 - [email protected]
+
+- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow
+  (bnc#747912)
+
+-------------------------------------------------------------------

New:
----
  libvorbis-CVE-2012-0444.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvorbis.spec ++++++
--- /var/tmp/diff_new_pack.oga0pi/_old  2012-02-21 21:42:34.000000000 +0100
+++ /var/tmp/diff_new_pack.oga0pi/_new  2012-02-21 21:42:34.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libvorbis
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,15 +16,14 @@
 #
 
 
-
 Name:           libvorbis
 Version:        1.3.2
-Release:        10
+Release:        0
 #to_be_filled_by_service
-License:        BSD3c(or similar)
 Summary:        The Vorbis General Audio Compression Codec
-Url:            http://www.vorbis.com/
+License:        BSD-3-Clause
 Group:          System/Libraries
+Url:            http://www.vorbis.com/
 # bug437293 (SLES10 -> SLES11 upgrade path)
 %ifarch ppc64
 Obsoletes:      libvorbis-64bit
@@ -39,8 +38,10 @@
 # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch 
https://trac.xiph.org/ticket/1759 [email protected] -- Use 
Requires/Libs.private to avoid overlinking
 Patch10:        libvorbis-pkgconfig.patch
 Patch11:        vorbis-fix-linking.patch
+Patch20:        libvorbis-CVE-2012-0444.diff
+BuildRequires:  fdupes
 BuildRequires:  libogg-devel
-BuildRequires:  fdupes pkgconfig
+BuildRequires:  pkgconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
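Review bot: The new `Patch20:` line is added without the `# PATCH-FIX-UPSTREAM <name> <ref> <contact> -- <summary>` tag line that Patch10 carries two lines above it, so the spec does not record where libvorbis-CVE-2012-0444.diff comes from or which bug it closes. A tag such as `# PATCH-FIX-UPSTREAM libvorbis-CVE-2012-0444.diff bnc#747912 -- bounds-check the accumulated partition count in floor1_unpack` immediately above `Patch20:` (PATCH-FIX-SUSE if the hunk is not the upstream commit, which the page does not say) would keep the patch list self-describing. Patch11 already lacks such a tag, but that predates this change and is not re-raised here.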
@@ -55,7 +56,6 @@
 
 Summary:        The Vorbis General Audio Compression Codec
 Group:          System/Libraries
-License:        BSD3c(or similar)
 # bug437293 (SLES10 -> SLES11 upgrade path)
 %ifarch ppc64
 Obsoletes:      libvorbis-64bit
@@ -77,7 +77,6 @@
 
 Summary:        The Vorbis General Audio Compression Codec
 Group:          System/Libraries
-License:        BSD3c(or similar)
 
 %description -n libvorbisenc2
 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
@@ -91,7 +90,6 @@
 
 Summary:        The Vorbis General Audio Compression Codec
 Group:          System/Libraries
-License:        BSD3c(or similar)
 
 %description -n libvorbisfile3
 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
@@ -102,7 +100,6 @@
 libmatroska (matroska) can also be used.
 
 %package devel
-License:        BSD3c(or similar)
 Summary:        Include Files and Libraries mandatory for Ogg Vorbis 
Development
 Group:          Development/Libraries/C and C++
 Requires:       libvorbis0 = %{version}
@@ -121,7 +118,6 @@
 to compile and develop applications that use libvorbis.
 
 %package doc
-License:        BSD3c(or similar)
 Summary:        Documentation of Ogg/Vorbis library
 Group:          Documentation/Other
 %if 0%{?suse_version} >= 1120
@@ -141,6 +137,7 @@
 %patch1
 fi
 %patch11
+%patch20 -p1
 
 %build
 autoreconf -fiv

++++++ libvorbis-CVE-2012-0444.diff ++++++
---
 lib/floor1.c |    1 +
 1 file changed, 1 insertion(+)

--- a/lib/floor1.c
+++ b/lib/floor1.c
@@ -167,6 +167,7 @@ static vorbis_info_floor *floor1_unpack
 
   for(j=0,k=0;j<info->partitions;j++){
     count+=info->class_dim[info->partitionclass[j]];
+    if(count>VIF_POSIT) goto err_out;
     for(;k<count;k++){
       int t=info->postlist[k+2]=oggpack_read(opb,rangebits);
       if(t<0 || t>=(1<<rangebits))
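Review bot: The new guard `if(count>VIF_POSIT) goto err_out;` is sound only if `postlist` has at least VIF_POSIT+2 entries, because the very next line writes `info->postlist[k+2]` with k running up to count-1, and nothing in the hunk records that coupling between the bound and the `+2` offset. A comment on the guard, `/* postlist is indexed k+2 below; keep count within its VIF_POSIT+2 slots */`, would stop a later change to either the array size or the index offset from silently reopening the heap overflow described in the changelog (CVE-2012-0444, bnc#747912). The array declaration, the start of floor1_unpack and the err_out label all lie outside the hunk, so whether err_out releases the partially built `info` cannot be confirmed from this page.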
-- 