commit:     3aeef28be917bba491ddb751f06aec58fdf672a9
Author:     ChrisADR <christopher.diaz.riv <AT> gmail <DOT> com>
AuthorDate: Mon Jul 17 00:26:28 2017 +0000
Commit:     Alexis Ballier <aballier <AT> gentoo <DOT> org>
CommitDate: Mon Jul 17 15:53:30 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3aeef28b

        media-sound/vorbis-tools: New revision fixing security bug 559170

 .../vorbis-tools-1.4.0-aiff-buffer-overflow.patch  | 31 +++++++++++++++
 .../vorbis-tools/vorbis-tools-1.4.0-r3.ebuild      | 45 ++++++++++++++++++++++
 2 files changed, 76 insertions(+)

diff --git 
a/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch 
b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch
new file mode 100644
index 00000000000..f8b66a90e7c
--- /dev/null
+++ 
b/media-sound/vorbis-tools/files/vorbis-tools-1.4.0-aiff-buffer-overflow.patch
@@ -0,0 +1,31 @@
+Patch taken from: 
+https://trac.xiph.org/attachment/ticket/2212/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+To fix bug report:
+http://www.openwall.com/lists/oss-security/2015/08/29/1
+    https://bugs.gentoo.org/show_bug.cgi?id=559170
+--- oggenc/audio.c
++++ oggenc/audio.c
+@@ -245,8 +245,8 @@
+ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
+ {
+     int aifc; /* AIFC or AIFF? */
+-    unsigned int len;
+-    unsigned char *buffer;
++    unsigned int len,readlen;
++    unsigned char buffer[22];
+     unsigned char buf2[8];
+     aiff_fmt format;
+     aifffile *aiff = malloc(sizeof(aifffile));
+@@ -269,9 +269,9 @@
+         return 0; /* Weird common chunk */
+     }
+ 
+-    buffer = alloca(len);
+-
+-    if(fread(buffer,1,len,in) < len)
++    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
++    if(fread(buffer,1,readlen,in) < readlen ||
++        (len > readlen && !seek_forward(in, len-readlen)))
+     {
+         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF 
header\n"));
+         return 0;
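Review bot: The fixed 22-byte stack `buffer` that replaces `alloca(len)` is only safe if the common-chunk parsing after this hunk never indexes `buffer` beyond what was read, and the length check that would guarantee that (the `Weird common chunk` branch at the top of the second hunk) lies outside the hunk, as does the rest of `aiff_open`; the size is undocumented, so the declaration deserves a comment along the lines of `unsigned char buffer[22]; /* only the first 22 bytes of the common chunk are parsed; the remainder is skipped with seek_forward */`, after confirming that is what the parser does. Because the patch is taken verbatim from the upstream trac ticket, that explanation fits better in the patch file's header lines than in the hunk itself. The `fprintf` context line also appears wrapped onto two lines; if that wrapping is in the committed file rather than a mail artifact, the patch will not apply.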

diff --git a/media-sound/vorbis-tools/vorbis-tools-1.4.0-r3.ebuild 
b/media-sound/vorbis-tools/vorbis-tools-1.4.0-r3.ebuild
new file mode 100644
index 00000000000..977e7e88ff3
--- /dev/null
+++ b/media-sound/vorbis-tools/vorbis-tools-1.4.0-r3.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit autotools eutils
+
+DESCRIPTION="tools for using the Ogg Vorbis sound file format"
+HOMEPAGE="http://www.vorbis.com";
+SRC_URI="http://downloads.xiph.org/releases/vorbis/${P}.tar.gz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 
~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~x86-solaris"
+IUSE="flac kate nls +ogg123 speex"
+
+RDEPEND=">=media-libs/libvorbis-1.3.0
+       flac? ( media-libs/flac )
+       kate? ( media-libs/libkate )
+       ogg123? (
+               >=media-libs/libao-1.0.0
+               net-misc/curl
+       )
+       speex? ( media-libs/speex )"
+DEPEND="${RDEPEND}
+       nls? ( sys-devel/gettext )
+       virtual/pkgconfig"
+
+DOCS="AUTHORS CHANGES README"
+
+src_prepare() {
+       epatch "${FILESDIR}"/${P}-underlinking.patch
+       epatch "${FILESDIR}"/${P}-format-security.patch
+       epatch "${FILESDIR}"/${P}-aiff-buffer-overflow.patch
+       sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' configure.ac || die 
#515220
+       eautoreconf
+}
+
+src_configure() {
+       econf \
+               $(use_enable nls) \
+               $(use_enable ogg123) \
+               $(use_with flac) \
+               $(use_with speex) \
+               $(use_with kate)
+}
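Review bot: The new `epatch` line for the AIFF fix carries no bug reference, while the `sed` line in the same `src_prepare` annotates its bug (`#515220`); since this revision exists only for that fix, annotate it the same way: `epatch "${FILESDIR}"/${P}-aiff-buffer-overflow.patch # bug 559170`. `src_prepare` also never calls `epatch_user`, which EAPI 5 ebuilds conventionally do so users can apply local patches; placing it before `eautoreconf` keeps user patches to configure.ac effective. The trailing `;` after the `HOMEPAGE` and `SRC_URI` strings is harmless to bash but looks like a mailer artifact rather than intended ebuild text, so it is worth checking it is not in the committed file.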
