Hello community,

here is the log from the commit of package timidity for openSUSE:Factory 
checked in at 2018-02-20 17:57:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/timidity (Old)
 and      /work/SRC/openSUSE:Factory/.timidity.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "timidity"

Tue Feb 20 17:57:45 2018 rev:40 rq:578388 version:2.14.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/timidity/timidity.changes        2017-11-24 
10:54:43.995709286 +0100
+++ /work/SRC/openSUSE:Factory/.timidity.new/timidity.changes   2018-02-20 
17:59:47.680269935 +0100
@@ -1,0 +2,11 @@
+Tue Feb 20 14:33:10 CET 2018 - ti...@suse.de
+
+- Fix division-by-zero with malformed MIDI file (CVE-2017-11546,
+  bsc#1081694):
+  timidity-readmidi-zero-division-fix.patch
+- Fix out-of-bound accesses in the resamplers (CVE-2017-11547,
+  bsc#1081694):
+  timidity-resample-frac-overflow-fix.patch
+- Drop tcl/tk dependency; it's already broken with Tcl/Tk 8.6
+
+-------------------------------------------------------------------

New:
----
  timidity-readmidi-zero-division-fix.patch
  timidity-resample-frac-overflow-fix.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ timidity.spec ++++++
--- /var/tmp/diff_new_pack.VVXWc3/_old  2018-02-20 17:59:48.884226604 +0100
+++ /var/tmp/diff_new_pack.VVXWc3/_new  2018-02-20 17:59:48.888226460 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package timidity
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,7 +40,6 @@
 BuildRequires:  ncurses-devel
 BuildRequires:  slang-devel
 BuildRequires:  speex-devel
-BuildRequires:  tk-devel
 BuildRequires:  update-desktop-files
 BuildRequires:  xaw3d
 BuildRequires:  xorg-x11
@@ -61,6 +60,8 @@
 Patch2:         0002-Fix-alsaseq-polling-at-idle-time.patch
 Patch100:       timidity-no_date.patch
 Patch101:       timidity-add_fluid_cfgs.patch
+Patch200:       timidity-readmidi-zero-division-fix.patch
+Patch201:       timidity-resample-frac-overflow-fix.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -74,6 +75,8 @@
 %patch2 -p1
 %patch100
 %patch101
+%patch200 -p1
+%patch201 -p1
 for f in ./utils/bitset.c ./utils/bitset.h ./utils/nkflib.c; do
        iconv -f EUC-JISX0213 -t UTF-8 $f > $f.utf8 && mv $f.utf8 $f
 done
@@ -82,7 +85,7 @@
 echo >> autoconf/arts.m4
 autoreconf --force --install
 %configure \
-       
--enable-dynamic=ncurses,emacs,slang,vt100,xskin,gtk,tcltk,alsaseq,server \
+       --enable-dynamic=ncurses,emacs,slang,vt100,xskin,gtk,alsaseq,server \
        --enable-audio=alsa,oss,vorbis,jack,ao,flac,speex \
        --with-default-output=alsa \
        --enable-network \

++++++ timidity-readmidi-zero-division-fix.patch ++++++
From: Takashi Iwai <ti...@suse.de>
Subject: readmidi: Fix division by zero
References: CVE-2017-11546

An adhoc fix for division by zero in insert_note_steps().

Signed-off-by: Takashi Iwai <ti...@suse.de>

---
 timidity/readmidi.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/timidity/readmidi.c
+++ b/timidity/readmidi.c
@@ -4585,6 +4585,8 @@ static void insert_note_steps(void)
                        if (beat != 0)
                                meas++, beat = 0;
                        num = timesig[n].a, denom = timesig[n].b, n++;
+                       if (!denom)
+                               denom = 1;
                }
                a = (meas + 1) & 0xff;
                b = (((meas + 1) >> 8) & 0x0f) + ((beat + 1) << 4);
++++++ timidity-resample-frac-overflow-fix.patch ++++++
From: Takashi Iwai <ti...@suse.de>
Subject: resample: Fix out-of-bound access in resamplers
References: CVE-2017-11547

An adhoc fix for out-of-bound accesses in resamples.
The offset might overflow the given data range.

Signed-off-by: Takashi Iwai <ti...@suse.de>

--- a/timidity/resample.c
+++ b/timidity/resample.c
@@ -57,6 +57,8 @@ static resample_t resample_cspline(sample_t *src, splen_t 
ofs, resample_rec_t *r
 {
     int32 ofsi, ofsf, v0, v1, v2, v3, temp;
 
+    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+      return src[ofs >> FRACTION_BITS];
     ofsi = ofs >> FRACTION_BITS;
     v1 = src[ofsi];
     v2 = src[ofsi + 1];
@@ -96,6 +98,8 @@ static resample_t resample_lagrange(sample_t *src, splen_t 
ofs, resample_rec_t *
 {
     int32 ofsi, ofsf, v0, v1, v2, v3;
 
+    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+      return src[ofs >> FRACTION_BITS];
     ofsi = ofs >> FRACTION_BITS;
     v1 = (int32)src[ofsi];
     v2 = (int32)src[ofsi + 1];
@@ -154,6 +158,8 @@ static resample_t resample_gauss(sample_t *src, splen_t 
ofs, resample_rec_t *rec
     sample_t *sptr;
     int32 left, right, temp_n;
 
+    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+      return src[ofs >> FRACTION_BITS];
     left = (ofs>>FRACTION_BITS);
     right = (rec->data_length>>FRACTION_BITS) - left - 1;
     temp_n = (right<<1)-1;
@@ -261,6 +267,8 @@ static resample_t resample_newton(sample_t *src, splen_t 
ofs, resample_rec_t *re
     int32 left, right, temp_n;
     int ii, jj;
 
+    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+      return src[ofs >> FRACTION_BITS];
     left = (ofs>>FRACTION_BITS);
     right = (rec->data_length>>FRACTION_BITS)-(ofs>>FRACTION_BITS)-1;
     temp_n = (right<<1)-1;
@@ -330,6 +338,8 @@ static resample_t resample_linear(sample_t *src, splen_t 
ofs, resample_rec_t *re
 {
     int32 v1, v2, ofsi;
 
+    if (ofs + (1 << FRACTION_BITS) >= rec->data_length)
+      return src[ofs >> FRACTION_BITS];
     ofsi = ofs >> FRACTION_BITS;
     v1 = src[ofsi];
     v2 = src[ofsi + 1];


Reply via email to