Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package owntone for openSUSE:Factory checked in at 2026-02-17 17:58:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/owntone (Old) and /work/SRC/openSUSE:Factory/.owntone.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "owntone" Tue Feb 17 17:58:57 2026 rev:12 rq:1333544 version:29.0 Changes: -------- --- /work/SRC/openSUSE:Factory/owntone/owntone.changes 2025-10-18 14:39:06.581669259 +0200 +++ /work/SRC/openSUSE:Factory/.owntone.new.1977/owntone.changes 2026-02-17 17:59:00.775109387 +0100 @@ -1,0 +2,6 @@ +Sun Feb 8 10:53:22 UTC 2026 - Dave Plater <[email protected]> + +- Fix boo#1257023 (CVE-2025-63648) with patch from git: + 0001-dacp-Fix-segfault-from-invalid-queries.patch. + +------------------------------------------------------------------- New: ---- 0001-dacp-Fix-segfault-from-invalid-queries.patch ----------(New B)---------- New:- Fix boo#1257023 (CVE-2025-63648) with patch from git: 0001-dacp-Fix-segfault-from-invalid-queries.patch. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ owntone.spec ++++++ --- /var/tmp/diff_new_pack.wL1mfh/_old 2026-02-17 17:59:01.571142366 +0100 +++ /var/tmp/diff_new_pack.wL1mfh/_new 2026-02-17 17:59:01.571142366 +0100 @@ -1,7 +1,7 @@ # # spec file for package owntone # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2018 Scott Shambarger # # All modifications and additions to the file contributed by third parties @@ -35,6 +35,7 @@ Source0: %url/releases/download/%{version}/%{name}-%{version}.tar.xz Source1: owntone_logrotate Patch0: harden_owntone.service.patch +Patch1: 0001-dacp-Fix-segfault-from-invalid-queries.patch Provides: forked-daapd = %version Obsoletes: forked-daapd < 28 BuildRequires: antlr3-tool ++++++ 0001-dacp-Fix-segfault-from-invalid-queries.patch ++++++ >From 5f526c7a7e08c567a5c72421d74a79dafdd07621 Mon Sep 17 00:00:00 2001 From: ejurgensen <[email protected]> Date: Wed, 8 Oct 2025 19:49:01 +0200 Subject: [PATCH] [dacp] Fix segfault from invalid queries When parsing a DACP request (pattern: ^/ctrl-int/[[:digit:]]+/playqueue-edit$) with a command parameter being "move" and an edit-params parameter lacking a colon, strchr(param, ':') at httpd_dacp.c:2038 will return NULL, and safe_atoi32 is called with its first parameter str being 1. This will bypass the NULL check at src/misc.c:650 and causes a segmentation fault at the call to strtol at line 657. Closes #1933 --- src/httpd_dacp.c | 51 +++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 22 deletions(-) Index: b/src/httpd_dacp.c =================================================================== --- a/src/httpd_dacp.c 2026-02-08 12:00:11.308638744 +0200 +++ b/src/httpd_dacp.c 2026-02-08 12:08:01.780004195 +0200 @@ -1894,6 +1894,7 @@ dacp_reply_playqueueedit_add(struct http const char *querymodifier; const char *sort; const char *param; + const char *ptr; char modifiedquery[32]; int mode; int plid; @@ -1955,7 +1956,8 @@ dacp_reply_playqueueedit_add(struct http else { // Modify the query: Take the id from the editquery and use it as a queuefilter playlist id - ret = safe_atoi32(strchr(editquery, ':') + 1, &plid); + ptr = strchr(editquery, ':'); + ret = ptr ? safe_atoi32(ptr + 1, &plid) : -1; if (ret < 0) { DPRINTF(E_LOG, L_DACP, "Invalid playlist id in request: %s\n", editquery); @@ -2029,38 +2031,44 @@ dacp_reply_playqueueedit_move(struct htt struct player_status status; int ret; const char *param; + const char *ptr; int src; int dst; param = httpd_query_value_find(hreq->query, "edit-params"); - if (param) - { - ret = safe_atoi32(strchr(param, ':') + 1, &src); - if (ret < 0) - { - DPRINTF(E_LOG, L_DACP, "Invalid edit-params move-from value in playqueue-edit request\n"); + if (!param) + goto out; - dacp_send_error(hreq, "cacr", "Invalid request"); - return -1; - } + ptr = strchr(param, ':'); + if (!ptr) + goto error; - ret = safe_atoi32(strchr(param, ',') + 1, &dst); - if (ret < 0) - { - DPRINTF(E_LOG, L_DACP, "Invalid edit-params move-to value in playqueue-edit request\n"); + ret = safe_atoi32(ptr + 1, &src); + if (ret < 0) + goto error; - dacp_send_error(hreq, "cacr", "Invalid request"); - return -1; - } + ptr = strchr(param, ','); + if (!ptr) + goto error; - player_get_status(&status); - db_queue_move_byposrelativetoitem(src, dst, status.item_id, status.shuffle); - } + ret = safe_atoi32(ptr + 1, &dst); + if (ret < 0) + goto error; + player_get_status(&status); + db_queue_move_byposrelativetoitem(src, dst, status.item_id, status.shuffle); + + out: /* 204 No Content is the canonical reply */ httpd_send_reply(hreq, HTTP_NOCONTENT, "No Content", HTTPD_SEND_NO_GZIP); return 0; + + error: + DPRINTF(E_LOG, L_DACP, "Invalid edit-params in playqueue-edit request: '%s'\n", param); + + dacp_send_error(hreq, "cacr", "Invalid request"); + return -1; } static int @@ -2538,8 +2546,7 @@ dacp_reply_setspeakers(struct httpd_requ } nspk = 1; - ptr = param; - while ((ptr = strchr(ptr + 1, ','))) + for (ptr = param; ptr; ptr = strchr(ptr + 1, ',')) nspk++; CHECK_NULL(L_DACP, ids = calloc((nspk + 1), sizeof(uint64_t)));
