Hello community,

here is the log from the commit of package taglib for openSUSE:Factory checked 
in at 2017-08-12 20:12:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/taglib (Old)
 and      /work/SRC/openSUSE:Factory/.taglib.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "taglib"

Sat Aug 12 20:12:12 2017 rev:48 rq:515322 version:1.11.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/taglib/taglib.changes    2016-05-08 
10:40:10.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.taglib.new/taglib.changes       2017-08-12 
20:12:13.393963344 +0200
@@ -1,0 +2,10 @@
+Tue Aug  8 22:36:41 CEST 2017 - sbra...@suse.com
+
+- Update to versio 1.11.1:
+  * Fixed binary incompatible change in TagLib::String.
+  * Fixed reading ID3v2 CTOC frames with a lot of entries.
+  * Fixed seeking ByteVectorStream from the end.
+- Prevent denial of service (bsc#1052699, CVE-2017-12678,
+  taglib-CVE-2017-12678.patch).
+
+-------------------------------------------------------------------

Old:
----
  taglib-1.11.tar.gz

New:
----
  taglib-1.11.1.tar.gz
  taglib-CVE-2017-12678.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ taglib.spec ++++++
--- /var/tmp/diff_new_pack.dP3bET/_old  2017-08-12 20:12:14.129860234 +0200
+++ /var/tmp/diff_new_pack.dP3bET/_new  2017-08-12 20:12:14.137859114 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package taglib
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,16 @@
 
 
 Name:           taglib
-Version:        1.11
+Version:        1.11.1
 Release:        0
 Summary:        Audio Meta-Data Library
 License:        LGPL-2.1+ and MPL-1.1
 Group:          Productivity/Multimedia/Other
 Url:            http://taglib.github.io/
-Source0:        http://taglib.github.io/releases/taglib-%{version}.tar.gz
+Source0:        http://taglib.github.io/releases/%{name}-%{version}.tar.gz
 Source1:        %{name}.desktop
+# PATCH-FIX-SECURITY taglib-CVE-2017-12678.patch bsc1052699 CVE-2017-12678 
sbra...@suse.com -- Prevent denial of service.
+Patch:          taglib-CVE-2017-12678.patch
 Source100:      baselibs.conf
 BuildRequires:  cmake >= 2.8
 BuildRequires:  doxygen
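Review bot: The rewritten `Source0` line still fetches the release tarball over plain `http://`, and nothing in this hunk pins a checksum or signature for it. Since the line is being touched anyway, I would switch it to `Source0:        https://taglib.github.io/releases/%{name}-%{version}.tar.gz` (and `Url:` likewise) so the download used to refresh the package is at least transport-protected. Whether the build service verifies the tarball by other means is not visible here.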
@@ -97,6 +99,7 @@
 
 %prep
 %setup -q
+%patch -p1
 
 %build
 %cmake \

++++++ taglib-1.11.tar.gz -> taglib-1.11.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/CMakeLists.txt 
new/taglib-1.11.1/CMakeLists.txt
--- old/taglib-1.11/CMakeLists.txt      2016-04-29 10:26:33.000000000 +0200
+++ new/taglib-1.11.1/CMakeLists.txt    2016-10-24 05:03:23.000000000 +0200
@@ -1,7 +1,7 @@
-project(taglib)
-
 cmake_minimum_required(VERSION 2.8.0 FATAL_ERROR)
 
+project(taglib)
+
 if(NOT ${CMAKE_VERSION} VERSION_LESS 2.8.12)
   cmake_policy(SET CMP0022 OLD)
 endif()
@@ -12,6 +12,7 @@
   message(FATAL_ERROR "This option is no longer available, use 
BUILD_SHARED_LIBS instead")
 endif()
 
+option(BUILD_SHARED_LIBS "Build shared libraries" OFF)
 if(NOT BUILD_SHARED_LIBS)
   add_definitions(-DTAGLIB_STATIC)
 endif()
@@ -89,9 +90,9 @@
 # 2. If any interfaces have been added, removed, or changed since the last 
update, increment current, and set revision to 0.
 # 3. If any interfaces have been added since the last public release, then 
increment age.
 # 4. If any interfaces have been removed since the last public release, then 
set age to 0.
-set(TAGLIB_SOVERSION_CURRENT  17)
+set(TAGLIB_SOVERSION_CURRENT  18)
 set(TAGLIB_SOVERSION_REVISION 0)
-set(TAGLIB_SOVERSION_AGE      16)
+set(TAGLIB_SOVERSION_AGE      17)
 
 math(EXPR TAGLIB_SOVERSION_MAJOR "${TAGLIB_SOVERSION_CURRENT} - 
${TAGLIB_SOVERSION_AGE}")
 math(EXPR TAGLIB_SOVERSION_MINOR "${TAGLIB_SOVERSION_AGE}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/NEWS new/taglib-1.11.1/NEWS
--- old/taglib-1.11/NEWS        2016-04-29 10:26:33.000000000 +0200
+++ new/taglib-1.11.1/NEWS      2016-10-24 05:03:23.000000000 +0200
@@ -1,3 +1,10 @@
+TagLib 1.11.1 (Oct 24, 2016)
+============================
+
+ * Fixed binary incompatible change in TagLib::String.
+ * Fixed reading ID3v2 CTOC frames with a lot of entries.
+ * Fixed seeking ByteVectorStream from the end.
+
 TagLib 1.11 (Apr 29, 2016)
 ==========================
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/taglib-1.11/taglib/mpeg/id3v2/frames/chapterframe.cpp 
new/taglib-1.11.1/taglib/mpeg/id3v2/frames/chapterframe.cpp
--- old/taglib-1.11/taglib/mpeg/id3v2/frames/chapterframe.cpp   2016-04-29 
10:26:33.000000000 +0200
+++ new/taglib-1.11.1/taglib/mpeg/id3v2/frames/chapterframe.cpp 2016-10-24 
05:03:23.000000000 +0200
@@ -198,7 +198,7 @@
     s += ", start offset: " + String::number(d->startOffset);
 
   if(d->endOffset != 0xFFFFFFFF)
-    s += ", start offset: " + String::number(d->endOffset);
+    s += ", end offset: " + String::number(d->endOffset);
 
   if(!d->embeddedFrameList.isEmpty()) {
     StringList frameIDs;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/taglib-1.11/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp 
new/taglib-1.11.1/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp
--- old/taglib-1.11/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp   
2016-04-29 10:26:33.000000000 +0200
+++ new/taglib-1.11.1/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp 
2016-10-24 05:03:23.000000000 +0200
@@ -272,9 +272,9 @@
   int pos = 0;
   unsigned int embPos = 0;
   d->elementID = readStringField(data, String::Latin1, 
&pos).data(String::Latin1);
-  d->isTopLevel = (data.at(pos) & 2) > 0;
-  d->isOrdered = (data.at(pos++) & 1) > 0;
-  unsigned int entryCount = data.at(pos++);
+  d->isTopLevel = (data.at(pos) & 2) != 0;
+  d->isOrdered = (data.at(pos++) & 1) != 0;
+  unsigned int entryCount = static_cast<unsigned char>(data.at(pos++));
   for(unsigned int i = 0; i < entryCount; i++) {
     ByteVector childElementID = readStringField(data, String::Latin1, 
&pos).data(String::Latin1);
     d->childElements.append(childElementID);
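Review bot: The loop below the fixed line still trusts `entryCount` from the frame and never compares `pos` with `data.size()`, so a truncated CTOC frame that declares more entries than it carries runs every declared iteration. The cast now caps that at 255, and what `readStringField` returns once `pos` is past the end is not visible here, but presumably each extra pass appends an empty child ID. I would stop when the data is exhausted, e.g. `for(unsigned int i = 0; i < entryCount && pos < static_cast<int>(data.size()); i++) {`. The enclosing function starts and ends outside the hunk.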
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/taglib.h 
new/taglib-1.11.1/taglib/toolkit/taglib.h
--- old/taglib-1.11/taglib/toolkit/taglib.h     2016-04-29 10:26:33.000000000 
+0200
+++ new/taglib-1.11.1/taglib/toolkit/taglib.h   2016-10-24 05:03:23.000000000 
+0200
@@ -30,7 +30,7 @@
 
 #define TAGLIB_MAJOR_VERSION 1
 #define TAGLIB_MINOR_VERSION 11
-#define TAGLIB_PATCH_VERSION 0
+#define TAGLIB_PATCH_VERSION 1
 
 #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 
1)) || defined(__clang__)
 #define TAGLIB_IGNORE_MISSING_DESTRUCTOR _Pragma("GCC diagnostic ignored 
\"-Wnon-virtual-dtor\"")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tbytevectorstream.cpp 
new/taglib-1.11.1/taglib/toolkit/tbytevectorstream.cpp
--- old/taglib-1.11/taglib/toolkit/tbytevectorstream.cpp        2016-04-29 
10:26:33.000000000 +0200
+++ new/taglib-1.11.1/taglib/toolkit/tbytevectorstream.cpp      2016-10-24 
05:03:23.000000000 +0200
@@ -137,7 +137,7 @@
     d->position += offset;
     break;
   case End:
-    d->position = length() - offset;
+    d->position = length() + offset; // offset is expected to be negative
     break;
   }
 }
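Review bot: The new `End` branch stores `length() + offset` without bounding it, so an offset below `-length()` leaves `d->position` negative and a positive offset leaves it past the end; the branch just above (`d->position += offset;`) has the same gap. The trailing comment records the expectation but does not enforce it. Unless every reader of `d->position` already tolerates out-of-range values (not visible in this hunk), clamp after the switch, e.g. `if(d->position < 0) d->position = 0;`, and state in the comment what a non-negative offset does. The function body starts outside the hunk.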
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tstring.cpp 
new/taglib-1.11.1/taglib/toolkit/tstring.cpp
--- old/taglib-1.11/taglib/toolkit/tstring.cpp  2016-04-29 10:26:33.000000000 
+0200
+++ new/taglib-1.11.1/taglib/toolkit/tstring.cpp        2016-10-24 
05:03:23.000000000 +0200
@@ -787,6 +787,12 @@
   if(d->count() > 1)
     String(d->data.c_str()).swap(*this);
 }
+
+////////////////////////////////////////////////////////////////////////////////
+// private members
+////////////////////////////////////////////////////////////////////////////////
+
+const String::Type String::WCharByteOrder = wcharByteOrder();
 }
 
 
////////////////////////////////////////////////////////////////////////////////
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tstring.h 
new/taglib-1.11.1/taglib/toolkit/tstring.h
--- old/taglib-1.11/taglib/toolkit/tstring.h    2016-04-29 10:26:33.000000000 
+0200
+++ new/taglib-1.11.1/taglib/toolkit/tstring.h  2016-10-24 05:03:23.000000000 
+0200
@@ -536,6 +536,13 @@
     void detach();
 
   private:
+    /*!
+     * \deprecated This variable is no longer used, but NEVER remove this. It
+     * may lead to a linkage error.
+     */
+     // BIC: remove
+    static const Type WCharByteOrder;
+
     class StringPrivate;
     StringPrivate *d;
   };
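Review bot: The two comments on `WCharByteOrder` read as contradictory: the Doxygen block says "NEVER remove this" while the next line says `// BIC: remove`. If the second is meant as "drop at the next binary-incompatible release", say so in one place, e.g. `// Kept only for ABI compatibility; remove at the next binary-incompatible release.`, and align that comment with the member, since it is indented one column further. The class continues outside the hunk.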
Binary files old/taglib-1.11/tests/data/id3v22-tda.mp3 and 
new/taglib-1.11.1/tests/data/id3v22-tda.mp3 differ
Binary files old/taglib-1.11/tests/data/toc_many_children.mp3 and 
new/taglib-1.11.1/tests/data/toc_many_children.mp3 differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/tests/test_bytevectorstream.cpp 
new/taglib-1.11.1/tests/test_bytevectorstream.cpp
--- old/taglib-1.11/tests/test_bytevectorstream.cpp     2016-04-29 
10:26:33.000000000 +0200
+++ new/taglib-1.11.1/tests/test_bytevectorstream.cpp   2016-10-24 
05:03:23.000000000 +0200
@@ -38,6 +38,7 @@
   CPPUNIT_TEST(testReadBlock);
   CPPUNIT_TEST(testRemoveBlock);
   CPPUNIT_TEST(testInsert);
+  CPPUNIT_TEST(testSeekEnd);
   CPPUNIT_TEST_SUITE_END();
 
 public:
@@ -112,6 +113,19 @@
     CPPUNIT_ASSERT_EQUAL(ByteVector("yyx123foa"), *stream.data());
   }
 
+  void testSeekEnd()
+  {
+    ByteVector v("abcdefghijklmnopqrstuvwxyz");
+    ByteVectorStream stream(v);
+    CPPUNIT_ASSERT_EQUAL(26L, stream.length());
+
+    stream.seek(-4, IOStream::End);
+    CPPUNIT_ASSERT_EQUAL(ByteVector("w"), stream.readBlock(1));
+
+    stream.seek(-25, IOStream::End);
+    CPPUNIT_ASSERT_EQUAL(ByteVector("b"), stream.readBlock(1));
+  }
+
 };
 
 CPPUNIT_TEST_SUITE_REGISTRATION(TestByteVectorStream);
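Review bot: `testSeekEnd` only checks offsets that land strictly inside the buffer, so the boundaries of the fixed arithmetic are untested. I would add the exact-start case, `stream.seek(-26, IOStream::End);` followed by `CPPUNIT_ASSERT_EQUAL(ByteVector("a"), stream.readBlock(1));`. One case each for offset `0` and for an offset beyond the start should follow once the intended result for those is decided.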
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/taglib-1.11/tests/test_id3v2.cpp 
new/taglib-1.11.1/tests/test_id3v2.cpp
--- old/taglib-1.11/tests/test_id3v2.cpp        2016-04-29 10:26:33.000000000 
+0200
+++ new/taglib-1.11.1/tests/test_id3v2.cpp      2016-10-24 05:03:23.000000000 
+0200
@@ -118,6 +118,7 @@
   CPPUNIT_TEST(testShrinkPadding);
   CPPUNIT_TEST(testEmptyFrame);
   CPPUNIT_TEST(testDuplicateTags);
+  CPPUNIT_TEST(testParseTOCFrameWithManyChildren);
   CPPUNIT_TEST_SUITE_END();
 
 public:
@@ -1217,6 +1218,12 @@
     }
   }
 
+  void testParseTOCFrameWithManyChildren()
+  {
+    MPEG::File f(TEST_FILE_PATH_C("toc_many_children.mp3"));
+    CPPUNIT_ASSERT(f.isValid());
+  }
+
 };
 
 CPPUNIT_TEST_SUITE_REGISTRATION(TestID3v2);
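Review bot: `testParseTOCFrameWithManyChildren` asserts only `f.isValid()`, so it passes as long as the sample file loads and does not check that the entry count was read correctly. Asserting the number of child elements parsed from the CTOC frame against the known count in `toc_many_children.mp3` would pin the fix itself. The expected number is not visible on this page, so it would have to be taken from the fixture.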

++++++ taglib-CVE-2017-12678.patch ++++++
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6

>From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <m...@sbooth.org>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame

If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
 taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp 
b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7b..9347ab86 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag 
*tag) const
      tag->frameList("TDAT").size() == 1)
   {
     TextIdentificationFrame *tdrc =
-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
     UnknownFrame *tdat = static_cast<UnknownFrame 
*>(tag->frameList("TDAT").front());
 
-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
        tdrc->fieldList().front().size() == 4 &&
        tdat->data().size() >= 5)
     {
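Review bot: `tdat` on the next line is still obtained with an unchecked `static_cast<UnknownFrame *>`, which is the same assumption this patch removes for `tdrc`. If any path can register a frame of another class under `TDAT` (not determinable from this hunk), `tdat->data()` is then called on the wrong type. I would treat both the same way: `UnknownFrame *tdat = dynamic_cast<UnknownFrame *>(tag->frameList("TDAT").front());` and `if(tdrc && tdat &&`. The patch also carries no regression test with an encrypted TDRC frame. `rebuildAggregateFrames` starts and ends outside the hunk.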
-- 
2.13.1

