Hello community,

here is the log from the commit of package python-eyeD3 for openSUSE:Factory 
checked in at 2014-05-02 14:02:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-eyeD3 (Old)
 and      /work/SRC/openSUSE:Factory/.python-eyeD3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-eyeD3"

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-eyeD3/python-eyeD3.changes        
2013-09-13 14:46:26.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python-eyeD3.new/python-eyeD3.changes   
2014-05-02 14:02:49.000000000 +0200
@@ -1,0 +2,14 @@
+Mon Apr 28 12:05:49 UTC 2014 - [email protected]
+
+- update to 0.7.4:
+    * new `fixup` plugin for repairing tags in directories
+    * more steps towards Python3 compatibility
+    * APIs modified to be more reusable
+    * recognize more exotic MIME types for mp3 files
+    * fixed crash on non-ascii URLs
+    * supports python-magic >= 0.4.4
+    * several new features and bugfixes
+- added CVE-2014-1934-mktemp.patch: insecure use of temporary files
+  (CVE-2014-1934-mktemp.patch, bnc#863744)
+
+-------------------------------------------------------------------
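Review bot: the parenthetical on the last entry repeats the patch file name, "(CVE-2014-1934-mktemp.patch, bnc#863744)", where the CVE identifier would be expected. Writing it as "(CVE-2014-1934, bnc#863744)" lets the entry be found by tooling and readers that search changelogs for the bare CVE number.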

Old:
----
  eyeD3-0.7.3.tgz

New:
----
  CVE-2014-1934-mktemp.patch
  eyeD3-0.7.4.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-eyeD3.spec ++++++
--- /var/tmp/diff_new_pack.P3tdnX/_old  2014-05-02 14:02:50.000000000 +0200
+++ /var/tmp/diff_new_pack.P3tdnX/_new  2014-05-02 14:02:50.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-eyeD3
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,9 +20,11 @@
 Summary:        Python Module for ID3 Tag Manipulation
 License:        GPL-2.0+
 Group:          Productivity/Multimedia/Sound/Utilities
-Version:        0.7.3
+Version:        0.7.4
 Release:        0
 Source0:        http://eyed3.nicfit.net/releases/eyeD3-%{version}.tgz
+# CVE-2014-1934: insecure use of `mktemp` when rewriting tags
+Patch0:         CVE-2014-1934-mktemp.patch
 Url:            http://eyed3.nicfit.net/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Recommends:     python-magic
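Review bot: the comment above Patch0 names the CVE but not the bug reference that the .changes entry carries (bnc#863744), and it does not say whether the fix has been sent upstream. Adding both to the comment makes it clear on the next version update whether the patch can be dropped.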
@@ -43,6 +45,7 @@
 
 %prep
 %setup -n eyeD3-%{version}
+%patch0 -p1
 
 %build
 %__python setup.py build

++++++ CVE-2014-1934-mktemp.patch ++++++
Index: eyeD3-0.7.4/src/eyed3/id3/tag.py
===================================================================
--- eyeD3-0.7.4.orig/src/eyed3/id3/tag.py       2014-04-28 14:14:05.635445665 
+0200
+++ eyeD3-0.7.4/src/eyed3/id3/tag.py    2014-04-28 14:59:03.022541899 +0200
@@ -946,10 +946,10 @@
                       "padding" % (len(tag_data), len(padding)))
             if rewrite_required:
                 # Open tmp file
-                tmp_name = tempfile.mktemp()
-                with open(tmp_name, "wb") as tmp_file:
+                tmp_fd, tmp_name = tempfile.mkstemp()
+                try:
+                    tmp_file = os.fdopen(tmp_fd, 'w+b')
                     tmp_file.write(tag_data + padding)
-
                     # Copy audio data in chunks
                     with open(self.file_info.name, "rb") as tag_file:
                         if curr_tag_size != 0:
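Review bot: `tmp_file = os.fdopen(tmp_fd, 'w+b')` sits inside the `try:`, so if `os.fdopen` itself raises, `tmp_file` is never bound, the cleanup clause fails on the unbound name and hides the original error, and `tmp_fd` stays open. Move the `os.fdopen` call above the `try:`, or keep the original shape with `with os.fdopen(tmp_fd, 'wb') as tmp_file:`. The patch also adds no import, so confirm that `os` is already imported in tag.py.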
@@ -960,6 +960,8 @@
                                   "byte %d (%x)" % (seek_point, seek_point))
                         tag_file.seek(seek_point)
                         chunkCopy(tag_file, tmp_file)
+                finally:
+                    tmp_file.close()
 
                 # Move tmp to orig.
                 shutil.copyfile(tmp_name, self.file_info.name)
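Review bot: the context after the new `finally:` is commented "Move tmp to orig." but calls `shutil.copyfile(tmp_name, self.file_info.name)`, which leaves the source in place, and `mkstemp()` never deletes the file it creates. Nothing visible in this hunk removes `tmp_name`, either on success or when the copy inside the `try:` raises. Check that an `os.remove(tmp_name)` follows the copy and consider unlinking on the error path as well, so that rewritten audio data does not accumulate in the temp directory.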
@@ -1118,9 +1120,12 @@
                     tag_file.seek(tag.file_info.tag_size)
 
                     # Open tmp file
-                    tmp_name = tempfile.mktemp()
-                    with open(tmp_name, "wb") as tmp_file:
+                    tmp_fd, tmp_name = tempfile.mkstemp()
+                    try:
+                        tmp_file = os.fdopen(tmp_fd, 'w+b')
                         chunkCopy(tag_file, tmp_file)
+                    finally:
+                        tmp_file.close()
 
                     # Move tmp to orig
                     shutil.copyfile(tmp_name, filename)
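Review bot: the mode changes from "wb" to 'w+b' in `os.fdopen(tmp_fd, 'w+b')` although the file is only written through `chunkCopy(tag_file, tmp_file)`; 'wb' would match the original intent. As in the first tag.py hunk, the `os.fdopen` call is inside the `try:` while `finally:` calls `tmp_file.close()` unconditionally; `with os.fdopen(tmp_fd, 'wb') as tmp_file:` would avoid the unbound name and keep the diff to two changed lines.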
++++++ eyeD3-0.7.3.tgz -> eyeD3-0.7.4.tgz ++++++
++++ 3854 lines of diff (skipped)
