Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: mat...@debian.org

Please unblock package libwebm

[ Reason ]

This is a bugfix release fixing several buffer overflows, finally
tagged after 5 years of upstream marinade.

[ Impact ]

Without the unblock, several flaws with security vulnerability potential
will not be addressed. However, no CVEs have been allocated to date.

[ Tests ]

Automatic testsuite + manual checks by Kodi users (including myself)

[ Risks ]

This package is used primarily by kodi-inputstream-adaptive, so risk
is low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock libwebm/1.0.0.28-1
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/build/cxx_flags.cmake 
libwebm-1.0.0.28/build/cxx_flags.cmake
--- libwebm-1.0.0.27+git20201124.485fb67/build/cxx_flags.cmake  2020-11-24 
23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/build/cxx_flags.cmake      2021-04-23 23:34:08.000000000 
+0000
@@ -5,7 +5,6 @@
 ##  tree. An additional intellectual property rights grant can be found
 ##  in the file PATENTS.  All contributing project authors may
 ##  be found in the AUTHORS file in the root of the source tree.
-cmake_minimum_required(VERSION 3.2)
 
 include(CheckCXXCompilerFlag)
 
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/build/msvc_runtime.cmake 
libwebm-1.0.0.28/build/msvc_runtime.cmake
--- libwebm-1.0.0.27+git20201124.485fb67/build/msvc_runtime.cmake       
2020-11-24 23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/build/msvc_runtime.cmake   2021-04-23 23:34:08.000000000 
+0000
@@ -5,7 +5,6 @@
 ##  tree. An additional intellectual property rights grant can be found
 ##  in the file PATENTS.  All contributing project authors may
 ##  be found in the AUTHORS file in the root of the source tree.
-cmake_minimum_required(VERSION 2.8)
 
 if (MSVC)
   # CMake defaults to producing code linked to the DLL MSVC runtime. In libwebm
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/CMakeLists.txt 
libwebm-1.0.0.28/CMakeLists.txt
--- libwebm-1.0.0.27+git20201124.485fb67/CMakeLists.txt 2020-11-24 
23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/CMakeLists.txt     2021-04-23 23:34:08.000000000 +0000
@@ -25,7 +25,8 @@
 option(ENABLE_WERROR "Enable warnings as errors." OFF)
 option(ENABLE_WEBM_PARSER "Enables new parser API." OFF)
 
-if(WIN32)
+if(WIN32 OR CYGWIN OR MSYS)
+  # Allow use of rand_r() / fdopen() and other POSIX functions.
   require_cxx_flag_nomsvc("-std=gnu++11")
 else()
   require_cxx_flag_nomsvc("-std=c++11")
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/CONTRIBUTING.md 
libwebm-1.0.0.28/CONTRIBUTING.md
--- libwebm-1.0.0.27+git20201124.485fb67/CONTRIBUTING.md        1970-01-01 
00:00:00.000000000 +0000
+++ libwebm-1.0.0.28/CONTRIBUTING.md    2021-04-23 23:34:08.000000000 +0000
@@ -0,0 +1,29 @@
+# How to Contribute
+
+We'd love to accept your patches and contributions to this project. There are
+just a few small guidelines you need to follow.
+
+## Contributor License Agreement
+
+Contributions to this project must be accompanied by a Contributor License
+Agreement. You (or your employer) retain the copyright to your contribution;
+this simply gives us permission to use and redistribute your contributions as
+part of the project. Head over to <https://cla.developers.google.com/> to see
+your current agreements on file or to sign a new one.
+
+You generally only need to submit a CLA once, so if you've already submitted 
one
+(even if it was for a different project), you probably don't need to do it
+again.
+
+## Code reviews
+
+All submissions, including submissions by project members, require review. We
+use a [Gerrit](https://www.gerritcodereview.com) instance hosted at
+https://chromium-review.googlesource.com for this purpose. See the
+[WebM Project 
page](https://www.webmproject.org/code/contribute/submitting-patches/)
+for additional details.
+
+## Community Guidelines
+
+This project follows
+[Google's Open Source Community 
Guidelines](https://opensource.google.com/conduct/).
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/debian/changelog 
libwebm-1.0.0.28/debian/changelog
--- libwebm-1.0.0.27+git20201124.485fb67/debian/changelog       2021-01-21 
20:25:40.000000000 +0000
+++ libwebm-1.0.0.28/debian/changelog   2021-05-08 21:47:39.000000000 +0000
@@ -1,3 +1,11 @@
+libwebm (1.0.0.28-1) unstable; urgency=medium
+
+  * New upstream version 1.0.0.28
+  * Switch to git tags in d/watch
+  * Bump library version in patch
+
+ -- Vasyl Gello <vasek.ge...@gmail.com>  Sat, 08 May 2021 21:47:39 +0000
+
 libwebm (1.0.0.27+git20201124.485fb67-2) unstable; urgency=medium
 
   * Remove duplicated inclusion of -lpthread and -latomic
diff -Nru 
libwebm-1.0.0.27+git20201124.485fb67/debian/patches/0003-Provide-SOVERSION.patch
 libwebm-1.0.0.28/debian/patches/0003-Provide-SOVERSION.patch
--- 
libwebm-1.0.0.27+git20201124.485fb67/debian/patches/0003-Provide-SOVERSION.patch
    2021-01-21 20:25:40.000000000 +0000
+++ libwebm-1.0.0.28/debian/patches/0003-Provide-SOVERSION.patch        
2021-05-08 21:47:39.000000000 +0000
@@ -15,7 +15,7 @@
 +else ()
 +  set_target_properties(webm PROPERTIES OUTPUT_NAME webm
 +                             SOVERSION "1"
-+                             VERSION "1.0.27")
++                             VERSION "1.0.0.28")
  endif ()
  
  add_executable(mkvparser_sample ${mkvparser_sample_sources})
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/debian/watch 
libwebm-1.0.0.28/debian/watch
--- libwebm-1.0.0.27+git20201124.485fb67/debian/watch   2021-01-21 
20:25:40.000000000 +0000
+++ libwebm-1.0.0.28/debian/watch       2021-05-08 21:47:39.000000000 +0000
@@ -3,8 +3,8 @@
 # Bare git branch
 opts="mode=git, \
       pgpmode=none, \
-      pretty=1.0.0.27+git%cd.%h, \
       compression=xz, \
+      uversionmangle=s/libwebm-//, \
       dversionmangle=auto" \
 https://chromium.googlesource.com/webm/libwebm \
-HEAD debian
+refs/tags/libwebm-([\d\.]+) debian
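Review bot: `pgpmode=none` stays on the context line of this hunk, so after the switch from `HEAD` to `refs/tags/libwebm-([\d\.]+)` uscan still takes whatever the remote tag points at without verifying a signature. If upstream signs its release tags (not visible here), `pgpmode=gittag` with the upstream key in `debian/upstream/signing-key.asc` would let uscan check the tag before the tarball is generated. If upstream does not sign, a one-line comment in the watch file saying so would record that the gap is known. The leading comment `# Bare git branch` also no longer describes what is tracked now that the file follows tags.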
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer/mkvmuxerutil.cc 
libwebm-1.0.0.28/mkvmuxer/mkvmuxerutil.cc
--- libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer/mkvmuxerutil.cc       
2020-11-24 23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/mkvmuxer/mkvmuxerutil.cc   2021-04-23 23:34:08.000000000 
+0000
@@ -606,8 +606,8 @@
 
 void GetVersion(int32* major, int32* minor, int32* build, int32* revision) {
   *major = 0;
-  *minor = 2;
-  *build = 1;
+  *minor = 3;
+  *build = 0;
   *revision = 0;
 }
 
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer_sample.cc 
libwebm-1.0.0.28/mkvmuxer_sample.cc
--- libwebm-1.0.0.27+git20201124.485fb67/mkvmuxer_sample.cc     2020-11-24 
23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/mkvmuxer_sample.cc 2021-04-23 23:34:08.000000000 +0000
@@ -66,7 +66,7 @@
   printf("                                   1: Equirectangular\n");
   printf("                                   2: Cube map\n");
   printf("                                   3: Mesh\n");
-  printf("  -projection_file <string>      Override projection private data");
+  printf("  -projection_file <string>      Override projection private 
data\n");
   printf("                                 with contents of this file\n");
   printf("  -projection_pose_yaw <float>   Projection pose yaw\n");
   printf("  -projection_pose_pitch <float> Projection pose pitch\n");
diff -Nru libwebm-1.0.0.27+git20201124.485fb67/mkvparser/mkvparser.cc 
libwebm-1.0.0.28/mkvparser/mkvparser.cc
--- libwebm-1.0.0.27+git20201124.485fb67/mkvparser/mkvparser.cc 2020-11-24 
23:40:20.000000000 +0000
+++ libwebm-1.0.0.28/mkvparser/mkvparser.cc     2021-04-23 23:34:08.000000000 
+0000
@@ -54,9 +54,9 @@
 
 void GetVersion(int& major, int& minor, int& build, int& revision) {
   major = 1;
-  minor = 0;
+  minor = 1;
   build = 0;
-  revision = 30;
+  revision = 0;
 }
 
 long long ReadUInt(IMkvReader* pReader, long long pos, long& len) {
@@ -1502,8 +1502,8 @@
 
   // first count the seek head entries
 
-  int entry_count = 0;
-  int void_element_count = 0;
+  long long entry_count = 0;
+  long long void_element_count = 0;
 
   while (pos < stop) {
     long long id, size;
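Review bot: The widened counters `entry_count` and `void_element_count` have no comment explaining why they are 64-bit when the results are later narrowed with `static_cast<int>(count_)` (the -1582 hunk). I would add `// Counted in 64 bits so a crafted file cannot overflow the counter; capped at INT_MAX in the loop below.` above the two declarations. The same three-line cap is written out by hand again in the -4203, -4926 and -5667 hunks, so a small shared helper would keep the copies from drifting apart. `INT_MAX` and `UINT_MAX` come from `<climits>`, and the include list is not part of this diff, so it is worth confirming the header is already pulled in directly. The enclosing function starts and ends outside the hunk.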
@@ -1513,10 +1513,15 @@
     if (status < 0)  // error
       return status;
 
-    if (id == libwebm::kMkvSeek)
+    if (id == libwebm::kMkvSeek) {
       ++entry_count;
-    else if (id == libwebm::kMkvVoid)
+      if (entry_count > INT_MAX)
+        return E_PARSE_FAILED;
+    } else if (id == libwebm::kMkvVoid) {
       ++void_element_count;
+      if (void_element_count > INT_MAX)
+        return E_PARSE_FAILED;
+    }
 
     pos += size;  // consume payload
 
@@ -1582,13 +1587,13 @@
 
   ptrdiff_t count_ = ptrdiff_t(pEntry - m_entries);
   assert(count_ >= 0);
-  assert(count_ <= entry_count);
+  assert(static_cast<long long>(count_) <= entry_count);
 
   m_entry_count = static_cast<int>(count_);
 
   count_ = ptrdiff_t(pVoidElement - m_void_elements);
   assert(count_ >= 0);
-  assert(count_ <= void_element_count);
+  assert(static_cast<long long>(count_) <= void_element_count);
 
   m_void_element_count = static_cast<int>(count_);
 
@@ -2299,7 +2304,7 @@
   long long pos = pos_;
 
   // First count number of track positions
-
+  unsigned long long track_positions_count = 0;
   while (pos < stop) {
     long len;
 
@@ -2323,12 +2328,17 @@
     if (id == libwebm::kMkvCueTime)
       m_timecode = UnserializeUInt(pReader, pos, size);
 
-    else if (id == libwebm::kMkvCueTrackPositions)
-      ++m_track_positions_count;
+    else if (id == libwebm::kMkvCueTrackPositions) {
+      ++track_positions_count;
+      if (track_positions_count > UINT_MAX)
+        return E_PARSE_FAILED;
+    }
 
     pos += size;  // consume payload
   }
 
+  m_track_positions_count = static_cast<size_t>(track_positions_count);
+
   if (m_timecode < 0 || m_track_positions_count <= 0) {
     return false;
   }
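Review bot: The new guard `return E_PARSE_FAILED;` sits in a function whose other exit in this hunk is `return false;`, which suggests a bool return type (the signature is outside the hunk). If so, and assuming `E_PARSE_FAILED` is non-zero like the negative status codes tested elsewhere in this diff, the value converts to `true` and the caller sees success on the one path meant to reject the file. The guard should read `return false;`. Separately, `m_track_positions_count <= 0` after the `static_cast<size_t>` can only ever mean `== 0`, and the cap is `UINT_MAX` while the destination is cast to `size_t`, so a short comment naming the intended limit would help.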
@@ -4194,8 +4204,8 @@
   const long long stop = start + size;
 
   // Count ContentCompression and ContentEncryption elements.
-  int compression_count = 0;
-  int encryption_count = 0;
+  long long compression_count = 0;
+  long long encryption_count = 0;
 
   while (pos < stop) {
     long long id, size;
@@ -4203,11 +4213,17 @@
     if (status < 0)  // error
       return status;
 
-    if (id == libwebm::kMkvContentCompression)
+    if (id == libwebm::kMkvContentCompression) {
       ++compression_count;
+      if (compression_count > INT_MAX)
+        return E_PARSE_FAILED;
+    }
 
-    if (id == libwebm::kMkvContentEncryption)
+    if (id == libwebm::kMkvContentEncryption) {
       ++encryption_count;
+      if (encryption_count > INT_MAX)
+        return E_PARSE_FAILED;
+    }
 
     pos += size;  // consume payload
     if (pos > stop)
@@ -4918,7 +4934,7 @@
   const long long stop = start + size;
 
   // Count ContentEncoding elements.
-  int count = 0;
+  long long count = 0;
   while (pos < stop) {
     long long id, size;
     const long status = ParseElementHeader(pReader, pos, stop, id, size);
@@ -4926,8 +4942,11 @@
       return status;
 
     // pos now designates start of element
-    if (id == libwebm::kMkvContentEncoding)
+    if (id == libwebm::kMkvContentEncoding) {
       ++count;
+      if (count > INT_MAX)
+        return E_PARSE_FAILED;
+    }
 
     pos += size;  // consume payload
     if (pos > stop)
@@ -5653,7 +5672,7 @@
   const long long stop = m_start + m_size;
   IMkvReader* const pReader = m_pSegment->m_pReader;
 
-  int count = 0;
+  long long count = 0;
   long long pos = m_start;
 
   while (pos < stop) {
@@ -5667,8 +5686,11 @@
     if (size == 0)  // weird
       continue;
 
-    if (id == libwebm::kMkvTrackEntry)
+    if (id == libwebm::kMkvTrackEntry) {
       ++count;
+      if (count > INT_MAX)
+        return E_PARSE_FAILED;
+    }
 
     pos += size;  // consume payload
     if (pos > stop)
