commit:     e2ec2c790cf28858ec8dd4da007ca7ca12ffeca1
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 18 21:23:22 2018 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue Sep 18 21:24:08 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2ec2c79

media-libs/libsndfile: Fix CVE-2018-13139

Bug: https://bugs.gentoo.org/660452
Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../files/libsndfile-1.0.28-CVE-2018-13139.patch   | 31 ++++++++++
 media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild  | 67 ++++++++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch 
b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch
new file mode 100644
index 00000000000..18e6ae76e62
--- /dev/null
+++ b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch
@@ -0,0 +1,31 @@
+From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001
+From: "Brett T. Warden" <[email protected]>
+Date: Tue, 28 Aug 2018 12:01:17 -0700
+Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
+
+Allocated buffer has space for only 16 channels. Verify that input file
+meets this limit.
+
+Fixes #397
+---
+ programs/sndfile-deinterleave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
+index 53660310..225b4d54 100644
+--- a/programs/sndfile-deinterleave.c
++++ b/programs/sndfile-deinterleave.c
+@@ -89,6 +89,13 @@ main (int argc, char **argv)
+               exit (1) ;
+               } ;
+ 
++      if (sfinfo.channels > MAX_CHANNELS)
++      {       printf ("\nError : Input file '%s' has too many (%d) channels. 
Limit is %d.\n",
++                      argv [1], sfinfo.channels, MAX_CHANNELS) ;
++              exit (1) ;
++              } ;
++
++
+       state.channels = sfinfo.channels ;
+       sfinfo.channels = 1 ;
+ 
\ No newline at end of file
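Review bot: The patch header identifies the fix only as "Fixes #397", an upstream tracker number that says nothing about the CVE or the Gentoo bug this file is carried for. I would add a line to the patch description such as `Bug: https://bugs.gentoo.org/660452 (CVE-2018-13139)` so the file can be matched to the advisory and dropped cleanly on the next version bump. In the code itself, the new guard checks only the upper bound on `sfinfo.channels` and reports the error through `printf`, which writes to stdout rather than stderr. Whether a lower bound is enforced earlier cannot be seen here, because `main` starts and ends outside the hunk.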

diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild 
b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild
new file mode 100644
index 00000000000..a6eb6e3a48c
--- /dev/null
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} pypy{,3} )
+
+inherit python-any-r1 multilib-minimal
+
+MY_P=${P/_pre/pre}
+
+DESCRIPTION="C library for reading and writing files containing sampled sound"
+HOMEPAGE="http://www.mega-nerd.com/libsndfile";
+if [[ ${MY_P} == ${P} ]]; then
+       SRC_URI="http://www.mega-nerd.com/libsndfile/files/${P}.tar.gz";
+else
+       SRC_URI="http://www.mega-nerd.com/tmp/${MY_P}b.tar.gz";
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc 
~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos 
~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="alsa minimal sqlite static-libs test"
+
+RDEPEND="
+       !minimal? (
+               >=media-libs/flac-1.2.1-r5[${MULTILIB_USEDEP}]
+               >=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}]
+               >=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}]
+       )
+       alsa? ( media-libs/alsa-lib )
+       sqlite? ( >=dev-db/sqlite-3.2 )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       virtual/pkgconfig
+       test? ( ${PYTHON_DEPS} )"
+
+S=${WORKDIR}/${MY_P}
+
+PATCHES=(
+       "${FILESDIR}"/${P}-arm-varargs-failure.patch
+       "${FILESDIR}"/${P}-CVE-2017-12562.patch
+       "${FILESDIR}"/${P}-CVE-2018-13139.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+multilib_src_configure() {
+       ECONF_SOURCE="${S}" econf \
+               --disable-octave \
+               --enable-gcc-pipe \
+               --enable-gcc-opt \
+               $(use_enable static-libs static) \
+               $(use_enable !minimal external-libs) \
+               $(multilib_native_enable full-suite) \
+               $(multilib_native_use_enable alsa) \
+               $(multilib_native_use_enable sqlite)
+}
+
+multilib_src_install_all() {
+       einstalldocs
+
+       # package provides .pc files
+       find "${D}" -name '*.la' -delete || die
+}
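Review bot: `HOMEPAGE` and both `SRC_URI` branches use plain `http://`, so the source tarball is fetched over an unauthenticated channel and its integrity rests entirely on the Manifest checksums. If the upstream host serves the same paths over TLS (not verifiable from this page), prefer `SRC_URI="https://www.mega-nerd.com/libsndfile/files/${P}.tar.gz"` and the matching `HOMEPAGE`. Separately, every entry in `KEYWORDS` is `~arch`, so the CVE fix listed in `PATCHES` presumably reaches stable users only once this revision is stabilised. The trailing `;` after the URL strings looks like an archive rendering artifact; if it is really in the file, it should be dropped.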
