Hello community, here is the log from the commit of package flac for openSUSE:Factory checked in at 2018-05-01 23:08:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/flac (Old) and /work/SRC/openSUSE:Factory/.flac.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "flac" Tue May 1 23:08:50 2018 rev:52 rq:601932 version:1.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/flac/flac.changes 2017-01-11 11:52:30.365945588 +0100 +++ /work/SRC/openSUSE:Factory/.flac.new/flac.changes 2018-05-01 23:08:52.164708156 +0200 @@ -1,0 +2,7 @@ +Fri Apr 27 15:17:11 CEST 2018 - [email protected] + +- Fix memory leak in read_metadata_vorbiscomment_() function + (CVE-2017-6888, bsc#1091045): + flac-CVE-2017-6888.patch + +------------------------------------------------------------------- New: ---- flac-CVE-2017-6888.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ flac.spec ++++++ --- /var/tmp/diff_new_pack.uoTUlu/_old 2018-05-01 23:08:52.984678362 +0200 +++ /var/tmp/diff_new_pack.uoTUlu/_new 2018-05-01 23:08:52.988678217 +0200 @@ -1,7 +1,7 @@ # # spec file for package flac # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Version: 1.3.2 Release: 0 Summary: Free Lossless Audio Codec -License: BSD-3-Clause and GPL-2.0+ and GFDL-1.2 +License: BSD-3-Clause AND GPL-2.0-or-later AND GFDL-1.2-only Group: Productivity/Multimedia/Sound/Utilities Url: https://xiph.org/flac/ #Git-Web: https://git.xiph.org/?p=flac.git @@ -28,6 +28,7 @@ Source: http://downloads.xiph.org/releases/flac/%{name}-%{version}.tar.xz Source2: baselibs.conf Patch0: flac-cflags.patch +Patch1: flac-CVE-2017-6888.patch BuildRequires: autoconf >= 2.60 BuildRequires: automake >= 1.11 BuildRequires: doxygen @@ -85,6 +86,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build autoreconf -fvi ++++++ flac-CVE-2017-6888.patch ++++++ >From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001 
From: Erik de Castro Lopo <[email protected]> Date: Sat, 8 Apr 2017 18:34:49 +1000 Subject: [PATCH] stream_decoder.c: Fix a memory leak Leak reported by Secunia Research. --- src/libFLAC/stream_decoder.c | 3 +++ 1 file changed, 3 insertions(+) --- a/src/libFLAC/stream_decoder.c +++ b/src/libFLAC/stream_decoder.c @@ -1759,6 +1759,9 @@ FLAC__bool read_metadata_vorbiscomment_( } memset (obj->comments[i].entry, 0, obj->comments[i].length) ; if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) { + /* Current i-th entry is bad, so we delete it. */ + free (obj->comments[i].entry) ; + obj->comments[i].entry = NULL ; obj->num_comments = i; goto skip; }
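Review bot: In the flac.spec `License:` hunk, the tag is rewritten from `BSD-3-Clause and GPL-2.0+ and GFDL-1.2` to the SPDX-style `BSD-3-Clause AND GPL-2.0-or-later AND GFDL-1.2-only`, but the flac.changes entry only records the CVE-2017-6888 fix; add a line to the changelog noting the license identifier update so the spec change is traceable from the changes file.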
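Review bot: In the stream_decoder.c hunk, the new `free (obj->comments[i].entry)` and `obj->comments[i].entry = NULL` run before `obj->num_comments = i`, so the failed i-th entry is excluded from the count and the NULL assignment guards against a later double free; the hunk only releases entry i, though, so please confirm that the `skip:` path (not visible here) still frees or hands off the `i` entries already read, and consider also resetting `obj->comments[i].length = 0` so the cleared slot is fully consistent.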
