Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: mat...@debian.org
Please unblock package libwebm [ Reason ] This is a bugfix release fixing several buffer overflows, finally tagged after 5 years of upstream marinade. [ Impact ] Without the unblock, several flaws with security vulnerability potential will not be addressed. However, no CVEs have been allocated to date. [ Tests ] Automatic testsuite + manual checks by Kodi users (including myself) [ Risks ] This package is used primarily by kodi-inputstream-adaptive, so risk is low. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] unblock libwebm/1.0.0.28-1
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/build/cxx_flags.cmake libwebm-1.0.0.28/build/cxx_flags.cmake --- libwebm-1.0.0.27+git20201124.485fb67/build/cxx_flags.cmake 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/build/cxx_flags.cmake 2021-04-23 23:34:08.000000000 +0000 @@ -5,7 +5,6 @@ ## tree. An additional intellectual property rights grant can be found ## in the file PATENTS. All contributing project authors may ## be found in the AUTHORS file in the root of the source tree. -cmake_minimum_required(VERSION 3.2) include(CheckCXXCompilerFlag) diff -Nru libwebm-1.0.0.27+git20201124.485fb67/build/msvc_runtime.cmake libwebm-1.0.0.28/build/msvc_runtime.cmake --- libwebm-1.0.0.27+git20201124.485fb67/build/msvc_runtime.cmake 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/build/msvc_runtime.cmake 2021-04-23 23:34:08.000000000 +0000 @@ -5,7 +5,6 @@ ## tree. An additional intellectual property rights grant can be found ## in the file PATENTS. All contributing project authors may ## be found in the AUTHORS file in the root of the source tree. -cmake_minimum_required(VERSION 2.8) if (MSVC) # CMake defaults to producing code linked to the DLL MSVC runtime. In libwebm diff -Nru libwebm-1.0.0.27+git20201124.485fb67/CMakeLists.txt libwebm-1.0.0.28/CMakeLists.txt --- libwebm-1.0.0.27+git20201124.485fb67/CMakeLists.txt 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/CMakeLists.txt 2021-04-23 23:34:08.000000000 +0000 
@@ -25,7 +25,8 @@ option(ENABLE_WERROR "Enable warnings as errors." OFF) option(ENABLE_WEBM_PARSER "Enables new parser API." OFF) -if(WIN32) +if(WIN32 OR CYGWIN OR MSYS) + # Allow use of rand_r() / fdopen() and other POSIX functions. require_cxx_flag_nomsvc("-std=gnu++11") else() require_cxx_flag_nomsvc("-std=c++11") diff -Nru libwebm-1.0.0.27+git20201124.485fb67/CONTRIBUTING.md libwebm-1.0.0.28/CONTRIBUTING.md --- libwebm-1.0.0.27+git20201124.485fb67/CONTRIBUTING.md 1970-01-01 00:00:00.000000000 +0000 +++ libwebm-1.0.0.28/CONTRIBUTING.md 2021-04-23 23:34:08.000000000 +0000 
@@ -0,0 +1,29 @@
+# How to Contribute
+
+We'd love to accept your patches and contributions to this project. There are
+just a few small guidelines you need to follow.
+
+## Contributor License Agreement
+
+Contributions to this project must be accompanied by a Contributor License
+Agreement. You (or your employer) retain the copyright to your contribution;
+this simply gives us permission to use and redistribute your contributions as
+part of the project. Head over to <https://cla.developers.google.com/> to see
+your current agreements on file or to sign a new one.
+
+You generally only need to submit a CLA once, so if you've already submitted one
+(even if it was for a different project), you probably don't need to do it
+again.
+
+## Code reviews
+
+All submissions, including submissions by project members, require review. We
+use a [Gerrit](https://www.gerritcodereview.com) instance hosted at
+https://chromium-review.googlesource.com for this purpose. See the
+[WebM Project page](https://www.webmproject.org/code/contribute/submitting-patches/)
+for additional details.
+
+## Community Guidelines
+
+This project follows
+[Google's Open Source Community Guidelines](https://opensource.google.com/conduct/).
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/debian/changelog libwebm-1.0.0.28/debian/changelog
--- libwebm-1.0.0.27+git20201124.485fb67/debian/changelog 2021-01-21 20:25:40.000000000 +0000
+++ libwebm-1.0.0.28/debian/changelog 2021-05-08 21:47:39.000000000 +0000
@@ -1,3 +1,11 @@ +libwebm (1.0.0.28-1) unstable; urgency=medium + + * New upstream version 1.0.0.28 + * Switch to git tags in d/watch + * Bump library version in patch + + -- Vasyl Gello <vasek.ge...@gmail.com> Sat, 08 May 2021 21:47:39 +0000 + libwebm (1.0.0.27+git20201124.485fb67-2) unstable; urgency=medium * Remove duplicated inclusion of -lpthread and -latomic diff -Nru libwebm-1.0.0.27+git20201124.485fb67/debian/patches/0003-Provide-SOVERSION.patch libwebm-1.0.0.28/debian/patches/0003-Provide-SOVERSION.patch --- libwebm-1.0.0.27+git20201124.485fb67/debian/patches/0003-Provide-SOVERSION.patch 2021-01-21 20:25:40.000000000 +0000 +++ libwebm-1.0.0.28/debian/patches/0003-Provide-SOVERSION.patch 2021-05-08 21:47:39.000000000 +0000 @@ -15,7 +15,7 @@ +else () + set_target_properties(webm PROPERTIES OUTPUT_NAME webm + SOVERSION "1" -+ VERSION "1.0.27") ++ VERSION "1.0.0.28") endif () add_executable(mkvparser_sample ${mkvparser_sample_sources}) diff -Nru libwebm-1.0.0.27+git20201124.485fb67/debian/watch libwebm-1.0.0.28/debian/watch --- libwebm-1.0.0.27+git20201124.485fb67/debian/watch 2021-01-21 20:25:40.000000000 +0000 +++ libwebm-1.0.0.28/debian/watch 2021-05-08 21:47:39.000000000 +0000 @@ -3,8 +3,8 @@ # Bare git branch opts="mode=git, \ pgpmode=none, \ - pretty=1.0.0.27+git%cd.%h, \ compression=xz, \ + uversionmangle=s/libwebm-//, \ dversionmangle=auto" \ https://chromium.googlesource.com/webm/libwebm \ -HEAD debian +refs/tags/libwebm-([\d\.]+) debian diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer/mkvmuxerutil.cc libwebm-1.0.0.28/mkvmuxer/mkvmuxerutil.cc --- libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer/mkvmuxerutil.cc 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/mkvmuxer/mkvmuxerutil.cc 2021-04-23 23:34:08.000000000 +0000 
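Review bot: The switch from `HEAD` to `refs/tags/libwebm-([\d\.]+)` in debian/watch keeps `pgpmode=none`, so nothing checks who created the tag that uscan packs into the orig tarball; authenticity rests on the HTTPS fetch from chromium.googlesource.com alone. If upstream signs its release tags (not visible here), `pgpmode=gittag` together with the signing key in debian/upstream/signing-key.asc would let uscan verify them. If the tags are unsigned, a comment above `opts=` saying so, e.g. `# upstream tags are not signed, hence pgpmode=none`, records that the choice was deliberate.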
@@ -606,8 +606,8 @@ void GetVersion(int32* major, int32* minor, int32* build, int32* revision) { *major = 0; - *minor = 2; - *build = 1; + *minor = 3; + *build = 0; *revision = 0; } diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer_sample.cc libwebm-1.0.0.28/mkvmuxer_sample.cc --- libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer_sample.cc 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/mkvmuxer_sample.cc 2021-04-23 23:34:08.000000000 +0000 @@ -66,7 +66,7 @@ printf(" 1: Equirectangular\n"); printf(" 2: Cube map\n"); printf(" 3: Mesh\n"); - printf(" -projection_file <string> Override projection private data"); + printf(" -projection_file <string> Override projection private data\n"); printf(" with contents of this file\n"); printf(" -projection_pose_yaw <float> Projection pose yaw\n"); printf(" -projection_pose_pitch <float> Projection pose pitch\n"); diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvparser/mkvparser.cc libwebm-1.0.0.28/mkvparser/mkvparser.cc --- libwebm-1.0.0.27+git20201124.485fb67/mkvparser/mkvparser.cc 2020-11-24 23:40:20.000000000 +0000 +++ libwebm-1.0.0.28/mkvparser/mkvparser.cc 2021-04-23 23:34:08.000000000 +0000 @@ -54,9 +54,9 @@ void GetVersion(int& major, int& minor, int& build, int& revision) { major = 1; - minor = 0; + minor = 1; build = 0; - revision = 30; + revision = 0; } long long ReadUInt(IMkvReader* pReader, long long pos, long& len) { @@ -1502,8 +1502,8 @@ // first count the seek head entries - int entry_count = 0; - int void_element_count = 0; + long long entry_count = 0; + long long void_element_count = 0; while (pos < stop) { long long id, size; 
@@ -1513,10 +1513,15 @@ if (status < 0) // error return status; - if (id == libwebm::kMkvSeek) + if (id == libwebm::kMkvSeek) { ++entry_count; - else if (id == libwebm::kMkvVoid) + if (entry_count > INT_MAX) + return E_PARSE_FAILED; + } else if (id == libwebm::kMkvVoid) { ++void_element_count; + if (void_element_count > INT_MAX) + return E_PARSE_FAILED; + } pos += size; // consume payload @@ -1582,13 +1587,13 @@ ptrdiff_t count_ = ptrdiff_t(pEntry - m_entries); assert(count_ >= 0); - assert(count_ <= entry_count); + assert(static_cast<long long>(count_) <= entry_count); m_entry_count = static_cast<int>(count_); count_ = ptrdiff_t(pVoidElement - m_void_elements); assert(count_ >= 0); - assert(count_ <= void_element_count); + assert(static_cast<long long>(count_) <= void_element_count); m_void_element_count = static_cast<int>(count_); @@ -2299,7 +2304,7 @@ long long pos = pos_; // First count number of track positions - + unsigned long long track_positions_count = 0; while (pos < stop) { long len; @@ -2323,12 +2328,17 @@ if (id == libwebm::kMkvCueTime) m_timecode = UnserializeUInt(pReader, pos, size); - else if (id == libwebm::kMkvCueTrackPositions) - ++m_track_positions_count; + else if (id == libwebm::kMkvCueTrackPositions) { + ++track_positions_count; + if (track_positions_count > UINT_MAX) + return E_PARSE_FAILED; + } pos += size; // consume payload } + m_track_positions_count = static_cast<size_t>(track_positions_count); + if (m_timecode < 0 || m_track_positions_count <= 0) { return false; } @@ -4194,8 +4204,8 @@ const long long stop = start + size; // Count ContentCompression and ContentEncryption elements. - int compression_count = 0; - int encryption_count = 0; + long long compression_count = 0; + long long encryption_count = 0; while (pos < stop) { long long id, size; 
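Review bot: The increment-then-compare sequence added here for `entry_count` and `void_element_count` is written out again in the hunks at +4213, +4942 and +5686, so the `INT_MAX` bound now lives in six places. A file-local helper such as `static bool IncrementBounded(long long& n) { return ++n <= INT_MAX; }` would keep it in one, with call sites reading `if (!IncrementBounded(entry_count)) return E_PARSE_FAILED;`. `INT_MAX` needs `<climits>`, and no include change for mkvparser.cc appears in this diff, so it is worth confirming the header is included directly rather than transitively. The enclosing function starts and ends outside the hunk.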
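Review bot: `assert(static_cast<long long>(count_) <= entry_count)` and its twin for `void_element_count` are the only checks between the pointer differences and the `static_cast<int>(count_)` stores, and `assert` compiles to nothing in builds that define NDEBUG (CMake's Release configurations do). Because these values come from parsing untrusted file data, a runtime check is the safer form, e.g. `if (count_ < 0 || static_cast<long long>(count_) > entry_count) return E_PARSE_FAILED;`, assuming this function returns a status code as the `return E_PARSE_FAILED;` in the preceding hunk suggests. Whether an early return at this point must release `m_entries` / `m_void_elements` depends on code outside the hunk.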
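Review bot: The new `return E_PARSE_FAILED;` under `kMkvCueTrackPositions` sits in a function that a few lines later does `return false;`, so the function appears to return `bool` (its signature is outside the hunk). If so, and if `E_PARSE_FAILED` is a nonzero status like the `status < 0` errors handled elsewhere in this file, it converts to `true` and the caller sees an overflowing count as a successful load. `return false;` would match the function's other failure path. Separately, once `m_track_positions_count` is assigned through `static_cast<size_t>`, the existing `m_track_positions_count <= 0` test can only mean `== 0` if the member is unsigned.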
@@ -4203,11 +4213,17 @@ if (status < 0) // error return status; - if (id == libwebm::kMkvContentCompression) + if (id == libwebm::kMkvContentCompression) { ++compression_count; + if (compression_count > INT_MAX) + return E_PARSE_FAILED; + } - if (id == libwebm::kMkvContentEncryption) + if (id == libwebm::kMkvContentEncryption) { ++encryption_count; + if (encryption_count > INT_MAX) + return E_PARSE_FAILED; + } pos += size; // consume payload if (pos > stop) @@ -4918,7 +4934,7 @@ const long long stop = start + size; // Count ContentEncoding elements. - int count = 0; + long long count = 0; while (pos < stop) { long long id, size; const long status = ParseElementHeader(pReader, pos, stop, id, size); @@ -4926,8 +4942,11 @@ return status; // pos now designates start of element - if (id == libwebm::kMkvContentEncoding) + if (id == libwebm::kMkvContentEncoding) { ++count; + if (count > INT_MAX) + return E_PARSE_FAILED; + } pos += size; // consume payload if (pos > stop) @@ -5653,7 +5672,7 @@ const long long stop = m_start + m_size; IMkvReader* const pReader = m_pSegment->m_pReader; - int count = 0; + long long count = 0; long long pos = m_start; while (pos < stop) { @@ -5667,8 +5686,11 @@ if (size == 0) // weird continue; - if (id == libwebm::kMkvTrackEntry) + if (id == libwebm::kMkvTrackEntry) { ++count; + if (count > INT_MAX) + return E_PARSE_FAILED; + } pos += size; // consume payload if (pos > stop)