Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsndfile for openSUSE:Factory checked in at 2026-01-17 21:42:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsndfile (Old) and /work/SRC/openSUSE:Factory/.libsndfile.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsndfile" Sat Jan 17 21:42:26 2026 rev:68 rq:1327786 version:1.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libsndfile/libsndfile-progs.changes 2024-11-27 22:05:12.537077339 +0100 +++ /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes 2026-01-17 21:43:22.443455763 +0100 @@ -1,0 +2,16 @@ +Fri Jan 16 07:52:38 UTC 2026 - Bjørn Lie <[email protected]> + +- No longer build with experimental flag passed to cmake, follow + upstream default. + +------------------------------------------------------------------- +Thu Jan 15 11:11:22 UTC 2026 - Takashi Iwai <[email protected]> + +- Fix memory leak in the mpeg_l3_encoder_init() function + (CVE-2025-56226, bsc#1256702); + currently we don't enable MP3, hence unaffected, but just to be + sure for further enablement: + libsndfile-CVE-2025-56226.patch + sndfile-convert-CVE-2025-56226.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libsndfile/libsndfile.changes 2024-11-27 22:05:12.585079349 +0100 +++ /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes 2026-01-17 21:43:22.459456418 +0100 
@@ -1,0 +2,16 @@ +Fri Jan 16 07:49:56 UTC 2026 - Bjørn Lie <[email protected]> + +- No longer build with experimental flag passed to cmake, follow + upstream default. + +------------------------------------------------------------------- +Thu Jan 15 11:11:22 UTC 2026 - Takashi Iwai <[email protected]> + +- Fix memory leak in the mpeg_l3_encoder_init() function + (CVE-2025-56226, bsc#1256702); + currently we don't enable MP3, hence unaffected, but just to be + sure for further enablement: + libsndfile-CVE-2025-56226.patch + sndfile-convert-CVE-2025-56226.patch + +------------------------------------------------------------------- New: ---- libsndfile-CVE-2025-56226.patch sndfile-convert-CVE-2025-56226.patch ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes- sure for further enablement: /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes: libsndfile-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes- sndfile-convert-CVE-2025-56226.patch -- /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes- sure for further enablement: /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes: libsndfile-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes- sndfile-convert-CVE-2025-56226.patch New:/work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes- libsndfile-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes: sndfile-convert-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile-progs.changes- -- /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes- libsndfile-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes: sndfile-convert-CVE-2025-56226.patch /work/SRC/openSUSE:Factory/.libsndfile.new.1928/libsndfile.changes- ----------(New E)---------- 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsndfile-progs.spec ++++++ --- /var/tmp/diff_new_pack.lPbdEZ/_old 2026-01-17 21:43:23.155484930 +0100 +++ /var/tmp/diff_new_pack.lPbdEZ/_new 2026-01-17 21:43:23.159485094 +0100 @@ -1,7 +1,7 @@ # # spec file for package libsndfile-progs # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,8 @@ Source2: libsndfile.keyring Patch1: libsndfile-CVE-2022-33065.patch Patch2: libsndfile-CVE-2024-50612.patch +Patch3: libsndfile-CVE-2025-56226.patch +Patch4: sndfile-convert-CVE-2025-56226.patch # PATCH-FIX-OPENSUSE Patch100: sndfile-ocloexec.patch BuildRequires: alsa-devel @@ -49,7 +51,9 @@ %autosetup -p1 -n libsndfile-%{version} %build -%cmake -DENABLE_EXPERIMENTAL=ON -DBUILD_EXAMPLES=OFF -DCMAKE_INSTALL_DOCDIR=%{_defaultdocdir}/libsndfile +%cmake \ + -DBUILD_EXAMPLES=OFF \ + -DCMAKE_INSTALL_DOCDIR=%{_defaultdocdir}/libsndfile %cmake_build %install ++++++ libsndfile.spec ++++++ --- /var/tmp/diff_new_pack.lPbdEZ/_old 2026-01-17 21:43:23.199486733 +0100 +++ /var/tmp/diff_new_pack.lPbdEZ/_new 2026-01-17 21:43:23.199486733 +0100 @@ -1,7 +1,7 @@ # # spec file for package libsndfile # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,6 +30,8 @@ Source3: baselibs.conf Patch1: libsndfile-CVE-2022-33065.patch Patch2: libsndfile-CVE-2024-50612.patch +Patch3: libsndfile-CVE-2025-56226.patch +Patch4: sndfile-convert-CVE-2025-56226.patch # PATCH-FIX-OPENSUSE Patch100: sndfile-ocloexec.patch BuildRequires: cmake 
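Review bot: The rewritten `%cmake` call in `%build` of libsndfile-progs.spec does not state whether MPEG support is built, while the changelog entry for CVE-2025-56226 relies on MP3 not being enabled. If that holds only because the LAME and mpg123 development packages are missing from BuildRequires (the full list is outside the hunk), a later dependency change could switch the encoder on without anyone revisiting the claim. Passing `-DENABLE_MPEG=OFF` explicitly, here and in the matching `%build` hunk of libsndfile.spec, would pin the state the changelog describes. Dropping `-DENABLE_EXPERIMENTAL=ON` also changes which code is compiled, so a short spec comment next to the `%cmake` call recording that this follows the upstream default would help the next packager.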
@@ -79,7 +81,9 @@ %autosetup -p1 %build -%cmake -DENABLE_EXPERIMENTAL=ON -DBUILD_EXAMPLES=OFF -DCMAKE_INSTALL_DOCDIR=%{_defaultdocdir}/libsndfile +%cmake \ + -DBUILD_EXAMPLES=OFF \ + -DCMAKE_INSTALL_DOCDIR=%{_defaultdocdir}/libsndfile %cmake_build %install @@ -90,8 +94,7 @@ rm -rf %{buildroot}%{_mandir}/man1 rm -rf %{buildroot}%{_datadir}/doc/libsndfile -%post -n %{lname} -p /sbin/ldconfig -%postun -n %{lname} -p /sbin/ldconfig +%ldconfig_scriptlets -n %{lname} %check # ctest fails?! ++++++ libsndfile-CVE-2025-56226.patch ++++++ >From d9a35ea0d5c64c19dd635ae578e0028df8f66d6a Mon Sep 17 00:00:00 2001 From: Sisyphus-wang <[email protected]> Date: Fri, 11 Jul 2025 15:14:48 +0800 Subject: [PATCH] Update mpeg_l3_encode.c fix memoryLeak bug --- src/mpeg_l3_encode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mpeg_l3_encode.c b/src/mpeg_l3_encode.c index 97324f792..04b1d501c 100644 --- a/src/mpeg_l3_encode.c +++ b/src/mpeg_l3_encode.c @@ -87,7 +87,8 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, int info_tag) if (! (pmpeg->lamef = lame_init ())) return SFE_MALLOC_FAILED ; - pmpeg->compression = -1.0 ; /* Unset */ + psf->codec_close = mpeg_l3_encoder_close ; /* Set psf->codec_close early*/ + pmpeg->compression = -1.0 ; /* Unset */ lame_set_in_samplerate (pmpeg->lamef, psf->sf.samplerate) ; lame_set_num_channels (pmpeg->lamef, psf->sf.channels) ; @@ -115,7 +116,6 @@ mpeg_l3_encoder_init (SF_PRIVATE *psf, int info_tag) } psf->sf.seekable = 0 ; - psf->codec_close = mpeg_l3_encoder_close ; psf->byterate = mpeg_l3_encoder_byterate ; psf->datalength = 0 ; ++++++ sndfile-convert-CVE-2025-56226.patch ++++++ >From 68f6c16fe1407eff4cdde158566694c3ed666c2f Mon Sep 17 00:00:00 2001 From: Sisyphus-wang <[email protected]> Date: Fri, 11 Jul 2025 15:26:24 +0800 Subject: [PATCH] Update sndfile-convert.c fix memoryLeak in sndfile-conver.c --- programs/sndfile-convert.c | 4 ++++ 1 file changed, 4 insertions(+) 
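Review bot: Installing `psf->codec_close` right after `lame_init ()` means `mpeg_l3_encoder_close` can now run on a `pmpeg` whose remaining fields were never set. This applies to every error return between this line and the old assignment site removed in the second hunk. The close routine is outside both hunks, so it should be confirmed that it tolerates that state (for example a buffer pointer that is still NULL) without a NULL dereference or double free. The added comment says what is done but not why; something like `/* Install the close hook before any failing return so the LAME handle is released on init errors. */` would record the intent. `mpeg_l3_encoder_init` starts and ends outside the hunks.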
diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c index 95f59d3cc..a9f0cfacc 100644 --- a/programs/sndfile-convert.c +++ b/programs/sndfile-convert.c @@ -301,6 +301,7 @@ main (int argc, char * argv []) if ((sfinfo.format = sfe_file_type_of_ext (outfilename, sfinfo.format)) == 0) { printf ("Error : Not able to determine output file type for %s.\n", outfilename) ; + sf_close (infile) ; return 1 ; } ; @@ -344,6 +345,7 @@ main (int argc, char * argv []) /* Open the output file. */ if ((outfile = sf_open (outfilename, SFM_WRITE, &sfinfo)) == NULL) { printf ("Not able to open output file %s : %s\n", outfilename, sf_strerror (NULL)) ; + sf_close (infile) ; return 1 ; } ; @@ -360,6 +362,8 @@ main (int argc, char * argv []) || (infileminor == SF_FORMAT_MPEG_LAYER_III) || (outfileminor == SF_FORMAT_MPEG_LAYER_III)) { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0) { printf ("Error : Not able to decode input file %s.\n", infilename) ; + sf_close (infile) ; + sf_close (outfile) ; return 1 ; } ; }
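Review bot: Each of the three patched error returns in `main` (after `sfe_file_type_of_ext`, after the failed output `sf_open`, and after `sfe_copy_data_fp`) gets its own copy of the `sf_close` calls. Any other early `return 1 ;` between the input open and the end of `main` can therefore still leak, and a future error branch has to remember the same lines; those paths are outside the hunks and should be checked. A single failure exit is harder to regress: initialise `outfile` to NULL where it is declared and send every error branch to one label, as sketched below. `main` begins and ends outside the hunks, so the label placement relative to the existing success path is an assumption.

```c
	if ((sfinfo.format = sfe_file_type_of_ext (outfilename, sfinfo.format)) == 0)
	{	printf ("Error : Not able to determine output file type for %s.\n", outfilename) ;
		goto fail ;
		} ;
	/* … unchanged: format setup, output open and data copy; their error branches also use goto fail … */
fail :
	if (outfile != NULL)
		sf_close (outfile) ;
	sf_close (infile) ;
	return 1 ;
```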
