Hello community, here is the log from the commit of package taglib for openSUSE:Factory checked in at 2017-08-12 20:12:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/taglib (Old) and /work/SRC/openSUSE:Factory/.taglib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "taglib" Sat Aug 12 20:12:12 2017 rev:48 rq:515322 version:1.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/taglib/taglib.changes 2016-05-08 10:40:10.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.taglib.new/taglib.changes 2017-08-12 20:12:13.393963344 +0200 @@ -1,0 +2,10 @@ +Tue Aug 8 22:36:41 CEST 2017 - [email protected] + +- Update to versio 1.11.1: + * Fixed binary incompatible change in TagLib::String. + * Fixed reading ID3v2 CTOC frames with a lot of entries. + * Fixed seeking ByteVectorStream from the end. +- Prevent denial of service (bsc#1052699, CVE-2017-12678, + taglib-CVE-2017-12678.patch). + +------------------------------------------------------------------- Old: ---- taglib-1.11.tar.gz New: ---- taglib-1.11.1.tar.gz taglib-CVE-2017-12678.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ taglib.spec ++++++ --- /var/tmp/diff_new_pack.dP3bET/_old 2017-08-12 20:12:14.129860234 +0200 +++ /var/tmp/diff_new_pack.dP3bET/_new 2017-08-12 20:12:14.137859114 +0200 @@ -1,7 +1,7 @@ # # spec file for package taglib # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,14 +17,16 @@ Name: taglib -Version: 1.11 +Version: 1.11.1 Release: 0 Summary: Audio Meta-Data Library License: LGPL-2.1+ and MPL-1.1 Group: Productivity/Multimedia/Other Url: http://taglib.github.io/ -Source0: http://taglib.github.io/releases/taglib-%{version}.tar.gz +Source0: http://taglib.github.io/releases/%{name}-%{version}.tar.gz Source1: %{name}.desktop +# PATCH-FIX-SECURITY taglib-CVE-2017-12678.patch bsc1052699 CVE-2017-12678 [email protected] -- Prevent denial of service. +Patch: taglib-CVE-2017-12678.patch Source100: baselibs.conf BuildRequires: cmake >= 2.8 BuildRequires: doxygen @@ -97,6 +99,7 @@ %prep %setup -q +%patch -p1 %build %cmake \ ++++++ taglib-1.11.tar.gz -> taglib-1.11.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/CMakeLists.txt new/taglib-1.11.1/CMakeLists.txt --- old/taglib-1.11/CMakeLists.txt 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/CMakeLists.txt 2016-10-24 05:03:23.000000000 +0200 @@ -1,7 +1,7 @@ -project(taglib) - cmake_minimum_required(VERSION 2.8.0 FATAL_ERROR) +project(taglib) + if(NOT ${CMAKE_VERSION} VERSION_LESS 2.8.12) cmake_policy(SET CMP0022 OLD) endif() @@ -12,6 +12,7 @@ message(FATAL_ERROR "This option is no longer available, use BUILD_SHARED_LIBS instead") endif() +option(BUILD_SHARED_LIBS "Build shared libraries" OFF) if(NOT BUILD_SHARED_LIBS) add_definitions(-DTAGLIB_STATIC) endif() @@ -89,9 +90,9 @@ # 2. If any interfaces have been added, removed, or changed since the last update, increment current, and set revision to 0. # 3. If any interfaces have been added since the last public release, then increment age. # 4. If any interfaces have been removed since the last public release, then set age to 0. -set(TAGLIB_SOVERSION_CURRENT 17) +set(TAGLIB_SOVERSION_CURRENT 18) set(TAGLIB_SOVERSION_REVISION 0) -set(TAGLIB_SOVERSION_AGE 16) +set(TAGLIB_SOVERSION_AGE 17) math(EXPR TAGLIB_SOVERSION_MAJOR "${TAGLIB_SOVERSION_CURRENT} - ${TAGLIB_SOVERSION_AGE}") math(EXPR TAGLIB_SOVERSION_MINOR "${TAGLIB_SOVERSION_AGE}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/NEWS new/taglib-1.11.1/NEWS --- old/taglib-1.11/NEWS 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/NEWS 2016-10-24 05:03:23.000000000 +0200 @@ -1,3 +1,10 @@ +TagLib 1.11.1 (Oct 24, 2016) +============================ + + * Fixed binary incompatible change in TagLib::String. + * Fixed reading ID3v2 CTOC frames with a lot of entries. + * Fixed seeking ByteVectorStream from the end. + TagLib 1.11 (Apr 29, 2016) ========================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/mpeg/id3v2/frames/chapterframe.cpp new/taglib-1.11.1/taglib/mpeg/id3v2/frames/chapterframe.cpp --- old/taglib-1.11/taglib/mpeg/id3v2/frames/chapterframe.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/mpeg/id3v2/frames/chapterframe.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -198,7 +198,7 @@ s += ", start offset: " + String::number(d->startOffset); if(d->endOffset != 0xFFFFFFFF) - s += ", start offset: " + String::number(d->endOffset); + s += ", end offset: " + String::number(d->endOffset); if(!d->embeddedFrameList.isEmpty()) { StringList frameIDs; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp new/taglib-1.11.1/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp --- old/taglib-1.11/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/mpeg/id3v2/frames/tableofcontentsframe.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -272,9 +272,9 @@ int pos = 0; unsigned int embPos = 0; d->elementID = readStringField(data, String::Latin1, &pos).data(String::Latin1); - d->isTopLevel = (data.at(pos) & 2) > 0; - d->isOrdered = (data.at(pos++) & 1) > 0; - unsigned int entryCount = data.at(pos++); + d->isTopLevel = (data.at(pos) & 2) != 0; + d->isOrdered = (data.at(pos++) & 1) != 0; + unsigned int entryCount = static_cast<unsigned char>(data.at(pos++)); for(unsigned int i = 0; i < entryCount; i++) { ByteVector childElementID = readStringField(data, String::Latin1, &pos).data(String::Latin1); d->childElements.append(childElementID); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/taglib.h new/taglib-1.11.1/taglib/toolkit/taglib.h --- old/taglib-1.11/taglib/toolkit/taglib.h 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/toolkit/taglib.h 2016-10-24 05:03:23.000000000 +0200 @@ -30,7 +30,7 @@ #define TAGLIB_MAJOR_VERSION 1 #define TAGLIB_MINOR_VERSION 11 -#define TAGLIB_PATCH_VERSION 0 +#define TAGLIB_PATCH_VERSION 1 #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 1)) || defined(__clang__) #define TAGLIB_IGNORE_MISSING_DESTRUCTOR _Pragma("GCC diagnostic ignored \"-Wnon-virtual-dtor\"") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tbytevectorstream.cpp new/taglib-1.11.1/taglib/toolkit/tbytevectorstream.cpp --- old/taglib-1.11/taglib/toolkit/tbytevectorstream.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/toolkit/tbytevectorstream.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -137,7 +137,7 @@ d->position += offset; break; case End: - d->position = length() - offset; + d->position = length() + offset; // offset is expected to be negative break; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tstring.cpp new/taglib-1.11.1/taglib/toolkit/tstring.cpp --- old/taglib-1.11/taglib/toolkit/tstring.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/toolkit/tstring.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -787,6 +787,12 @@ if(d->count() > 1) String(d->data.c_str()).swap(*this); } + +//////////////////////////////////////////////////////////////////////////////// +// private members +//////////////////////////////////////////////////////////////////////////////// + +const String::Type String::WCharByteOrder = wcharByteOrder(); } //////////////////////////////////////////////////////////////////////////////// diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/taglib/toolkit/tstring.h new/taglib-1.11.1/taglib/toolkit/tstring.h --- old/taglib-1.11/taglib/toolkit/tstring.h 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/taglib/toolkit/tstring.h 2016-10-24 05:03:23.000000000 +0200 @@ -536,6 +536,13 @@ void detach(); private: + /*! + * \deprecated This variable is no longer used, but NEVER remove this. It + * may lead to a linkage error. + */ + // BIC: remove + static const Type WCharByteOrder; + class StringPrivate; StringPrivate *d; }; Binary files old/taglib-1.11/tests/data/id3v22-tda.mp3 and new/taglib-1.11.1/tests/data/id3v22-tda.mp3 differ Binary files old/taglib-1.11/tests/data/toc_many_children.mp3 and new/taglib-1.11.1/tests/data/toc_many_children.mp3 differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/tests/test_bytevectorstream.cpp new/taglib-1.11.1/tests/test_bytevectorstream.cpp --- old/taglib-1.11/tests/test_bytevectorstream.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/tests/test_bytevectorstream.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -38,6 +38,7 @@ CPPUNIT_TEST(testReadBlock); CPPUNIT_TEST(testRemoveBlock); CPPUNIT_TEST(testInsert); + CPPUNIT_TEST(testSeekEnd); CPPUNIT_TEST_SUITE_END(); public: @@ -112,6 +113,19 @@ CPPUNIT_ASSERT_EQUAL(ByteVector("yyx123foa"), *stream.data()); } + void testSeekEnd() + { + ByteVector v("abcdefghijklmnopqrstuvwxyz"); + ByteVectorStream stream(v); + CPPUNIT_ASSERT_EQUAL(26L, stream.length()); + + stream.seek(-4, IOStream::End); + CPPUNIT_ASSERT_EQUAL(ByteVector("w"), stream.readBlock(1)); + + stream.seek(-25, IOStream::End); + CPPUNIT_ASSERT_EQUAL(ByteVector("b"), stream.readBlock(1)); + } + }; CPPUNIT_TEST_SUITE_REGISTRATION(TestByteVectorStream); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/taglib-1.11/tests/test_id3v2.cpp new/taglib-1.11.1/tests/test_id3v2.cpp --- old/taglib-1.11/tests/test_id3v2.cpp 2016-04-29 10:26:33.000000000 +0200 +++ new/taglib-1.11.1/tests/test_id3v2.cpp 2016-10-24 05:03:23.000000000 +0200 @@ -118,6 +118,7 @@ CPPUNIT_TEST(testShrinkPadding); CPPUNIT_TEST(testEmptyFrame); CPPUNIT_TEST(testDuplicateTags); + CPPUNIT_TEST(testParseTOCFrameWithManyChildren); CPPUNIT_TEST_SUITE_END(); public: @@ -1217,6 +1218,12 @@ } } + void testParseTOCFrameWithManyChildren() + { + MPEG::File f(TEST_FILE_PATH_C("toc_many_children.mp3")); + CPPUNIT_ASSERT(f.isValid()); + } + }; CPPUNIT_TEST_SUITE_REGISTRATION(TestID3v2); ++++++ taglib-CVE-2017-12678.patch ++++++ https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6 >From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001 From: "Stephen F. Booth" <[email protected]> Date: Sun, 23 Jul 2017 10:11:09 -0400 Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame which causes problems in rebuildAggregateFrames() when it is assumed that TDRC is a TextIdentificationFrame --- taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp index 759a9b7b..9347ab86 100644 --- a/taglib/mpeg/id3v2/id3v2framefactory.cpp +++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp @@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const tag->frameList("TDAT").size() == 1) { TextIdentificationFrame *tdrc = - static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front()); + dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front()); UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front()); - if(tdrc->fieldList().size() == 1 && + if(tdrc && + tdrc->fieldList().size() == 1 && tdrc->fieldList().front().size() == 4 && tdat->data().size() >= 5) { -- 2.13.1
