commit:     96280e607739038a6f0ed6778fb3f01b82a5f534
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue Aug  8 17:26:24 2017 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue Aug  8 17:26:54 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96280e60

media-libs/taglib: Security revbump for CVE-2017-12678

Package-Manager: Portage-2.3.6, Repoman-2.3.1

 .../files/taglib-1.11.1-CVE-2017-12678.patch       | 30 ++++++++++++
 media-libs/taglib/taglib-1.11.1-r1.ebuild          | 55 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)

diff --git a/media-libs/taglib/files/taglib-1.11.1-CVE-2017-12678.patch 
b/media-libs/taglib/files/taglib-1.11.1-CVE-2017-12678.patch
new file mode 100644
index 00000000000..4b567da1982
--- /dev/null
+++ b/media-libs/taglib/files/taglib-1.11.1-CVE-2017-12678.patch
@@ -0,0 +1,30 @@
+From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <m...@sbooth.org>
+Date: Sun, 23 Jul 2017 10:11:09 -0400
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp 
b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7be..9347ab869 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag 
*tag) const
+      tag->frameList("TDAT").size() == 1)
+   {
+     TextIdentificationFrame *tdrc =
+-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+     UnknownFrame *tdat = static_cast<UnknownFrame 
*>(tag->frameList("TDAT").front());
+ 
+-    if(tdrc->fieldList().size() == 1 &&
++    if(tdrc &&
++       tdrc->fieldList().size() == 1 &&
+        tdrc->fieldList().front().size() == 4 &&
+        tdat->data().size() >= 5)
+     {
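Review bot: The `tdat` pointer next to the fixed `tdrc` cast is still produced by an unchecked `static_cast<UnknownFrame *>` and is dereferenced as `tdat->data()` in the same condition. Whether a TDAT frame can ever be created as something other than UnknownFrame is not visible in this hunk, so either confirm that invariant in a comment or apply the same guard: `UnknownFrame *tdat = dynamic_cast<UnknownFrame *>(tag->frameList("TDAT").front());` with the condition opening `if(tdrc && tdat &&`. The embedded patch's diffstat lists only id3v2framefactory.cpp, so no regression test for a tag with an encrypted TDRC frame comes with it; adding one would keep the null check from being dropped later. rebuildAggregateFrames starts and ends outside the hunk, so other casts in the function could not be checked from here.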

diff --git a/media-libs/taglib/taglib-1.11.1-r1.ebuild 
b/media-libs/taglib/taglib-1.11.1-r1.ebuild
new file mode 100644
index 00000000000..f8b48fe19f0
--- /dev/null
+++ b/media-libs/taglib/taglib-1.11.1-r1.ebuild
@@ -0,0 +1,55 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit cmake-multilib
+
+DESCRIPTION="A library for reading and editing audio meta data"
+HOMEPAGE="https://taglib.github.io/";
+SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="LGPL-2.1 MPL-1.1"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc 
~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x86-solaris"
+SLOT="0"
+IUSE="boost debug examples test"
+
+RDEPEND=">=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+       boost? ( dev-libs/boost:=[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+       >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+       test? ( >=dev-util/cppunit-1.13.2[${MULTILIB_USEDEP}] )
+"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-1.11-install-examples.patch
+       "${FILESDIR}"/${P}-CVE-2017-12678.patch
+)
+
+MULTILIB_CHOST_TOOLS=(
+       /usr/bin/taglib-config
+)
+
+src_prepare() {
+       cmake-utils_src_prepare
+
+       sed -e "s/BUILD_TESTS AND NOT BUILD_SHARED_LIBS/BUILD_TESTS/" \
+               -i CMakeLists.txt \
+               -i ConfigureChecks.cmake || die
+}
+
+multilib_src_configure() {
+       local mycmakeargs=(
+               -DBUILD_EXAMPLES=$(multilib_native_usex examples)
+               $(cmake-utils_use_find_package boost Boost)
+               -DBUILD_SHARED_LIBS=ON
+               -DBUILD_TESTS=$(usex test)
+       )
+
+       cmake-utils_src_configure
+}
+
+multilib_src_test() {
+       # ctest does not work
+       emake -C "${BUILD_DIR}" check
+}
