Hello community,

here is the log from the commit of package aubio for openSUSE:Factory checked in at 2018-03-26 13:08:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/aubio (Old)
 and      /work/SRC/openSUSE:Factory/.aubio.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aubio" Mon Mar 26 13:08:26 2018 rev:22 rq:590732 version:0.4.6 Changes: -------- --- /work/SRC/openSUSE:Factory/aubio/aubio.changes 2018-01-02 16:34:53.502396067 +0100 +++ /work/SRC/openSUSE:Factory/.aubio.new/aubio.changes 2018-03-26 13:08:36.161398177 +0200 @@ -1,0 +2,6 @@ +Fri Mar 23 16:41:03 CET 2018 - [email protected] + +- Fix divide-by-zero at wavread (CVE-2017-17054, bsc#1070399): + aubio-wavread-input-validation.patch + +------------------------------------------------------------------- New: ---- aubio-wavread-input-validation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aubio.spec ++++++ --- /var/tmp/diff_new_pack.hmRmdx/_old 2018-03-26 13:08:38.589310887 +0200 +++ /var/tmp/diff_new_pack.hmRmdx/_new 2018-03-26 13:08:38.593310744 +0200 @@ -19,7 +19,7 @@ Name: aubio %define libpkgname libaubio5 Summary: Library for real-time audio labelling -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Development/Libraries/C and C++ BuildRequires: alsa-devel BuildRequires: doxygen @@ -41,6 +41,7 @@ Source: http://aubio.org/pub/%{name}-%{version}.tar.bz2 Source1: http://aubio.org/pub/%{name}-%{version}.tar.bz2.asc Source99: baselibs.conf +Patch1: aubio-wavread-input-validation.patch Url: http://aubio.org BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires %{libpkgname} = %{version}-%{release} @@ -82,6 +83,7 @@ %prep %setup -q +%patch1 -p1 sed -e "s,/lib,/%_lib," src/wscript_build > src/wscript_build.new diff -u src/wscript_build src/wscript_build.new || : mv src/wscript_build.new src/wscript_build ++++++ python-aubio.spec ++++++ --- /var/tmp/diff_new_pack.hmRmdx/_old 2018-03-26 13:08:38.669308012 +0200 +++ /var/tmp/diff_new_pack.hmRmdx/_new 2018-03-26 13:08:38.673307867 +0200 
@@ -21,7 +21,7 @@ Version: 0.4.6 Release: 0 Summary: A collection of tools for music analysis -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Development/Languages/Python Url: http://aubio.org/ Source: http://aubio.org/pub/aubio-%{version}.tar.bz2 ++++++ aubio-wavread-input-validation.patch ++++++ >From 25ecb7338cebc5b8c79092347839c78349ec33f1 Mon Sep 17 00:00:00 2001 From: Paul Brossier <[email protected]> Date: Tue, 6 Feb 2018 22:32:59 +0100 Subject: [PATCH] src/io/source_wavread.c: add some input validation (closes: #158) --- src/io/source_wavread.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- a/src/io/source_wavread.c +++ b/src/io/source_wavread.c @@ -189,6 +189,26 @@ aubio_source_wavread_t * new_aubio_sourc // BitsPerSample bytes_read += fread(buf, 1, 2, s->fid); bitspersample = read_little_endian(buf, 2); + + if ( channels == 0 ) { + AUBIO_ERR("source_wavread: Failed opening %s (number of channels can not be 0)\n", s->path); + goto beach; + } + + if ( sr == 0 ) { + AUBIO_ERR("source_wavread: Failed opening %s (samplerate can not be 0)\n", s->path); + goto beach; + } + + if ( byterate == 0 ) { + AUBIO_ERR("source_wavread: Failed opening %s (byterate can not be 0)\n", s->path); + goto beach; + } + + if ( bitspersample == 0 ) { + AUBIO_ERR("source_wavread: Failed opening %s (bitspersample can not be 0)\n", s->path); + goto beach; + } #if 0 if ( bitspersample != 16 ) { AUBIO_ERR("source_wavread: can not process %dbit file %s\n",
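Review bot: In aubio.spec the new `Patch1: aubio-wavread-input-validation.patch` line has no comment saying where the patch comes from. The patch header shows it is upstream commit 25ecb7338cebc5b8c79092347839c78349ec33f1 (closes: #158), so a comment above Patch1 naming it as an upstream fix, with the CVE-2017-17054 and bsc#1070399 references, would tell the next maintainer when it can be dropped. The License change from GPL-3.0+ to GPL-3.0-or-later in the same file is not listed in the aubio.changes entry; either mention it there or keep it out of the security fix.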
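Review bot: python-aubio.spec receives only the License change and no Patch1 or %patch1 line, although its Source is the same aubio-%{version}.tar.bz2 that contains src/io/source_wavread.c. If the Python build compiles that file itself rather than linking against the patched libaubio5, the wavread validation is missing from the python-aubio package. Please confirm which case applies and add the patch to this spec if the C sources are built in.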
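Review bot: In the src/io/source_wavread.c hunk the four new checks reject only the value 0, and the stricter `bitspersample != 16` test directly below them is compiled out with `#if 0`. A header with bitspersample between 1 and 7 therefore passes, and any later integer division of that field by 8 would produce a zero again; rejecting values below 8 or not a multiple of 8 at this point would close that case. The hunk also shows no check on the BlockAlign header field, which a WAV header places between the byte rate and BitsPerSample; if the division named in the changelog uses that field, point to the check outside this hunk that covers it. The checks run only after every field has been read with fread, and the accumulated bytes_read is not compared against the expected header size in the visible lines, so a truncated file reaches them with stale buffer contents; a short-read check before validation would make the error messages reliable.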
