Hello community, here is the log from the commit of package libmirage for openSUSE:Factory checked in at 2019-12-21 12:32:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libmirage (Old) and /work/SRC/openSUSE:Factory/.libmirage.new.6675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libmirage" Sat Dec 21 12:32:28 2019 rev:21 rq:758347 version:3.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libmirage/libmirage.changes 2019-09-04 09:16:18.914930031 +0200 +++ /work/SRC/openSUSE:Factory/.libmirage.new.6675/libmirage.changes 2019-12-21 12:32:52.695405946 +0100 @@ -1,0 +2,14 @@ +Thu Dec 19 22:37:39 UTC 2019 - Jan Engelhardt <[email protected]> + +- Update to release 3.2.3 + * CSO filter: replaced a g_assert() with error return + * CSO filter: validate part size + * NRG parser: validate nrg_data_length + * ISO writer: ignore raw and subchannel modes for non-CD media + * TOC image writer: return error when trying to open non-CD + image for writing +- Drop 0001-libMirage-CSO-filter-validate-part-size.patch, + 0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch + (merged upstream) + +------------------------------------------------------------------- Old: ---- 0001-libMirage-CSO-filter-validate-part-size.patch 0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch libmirage-3.2.2.tar.bz2 New: ---- libmirage-3.2.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmirage.spec ++++++ --- /var/tmp/diff_new_pack.mmyuZ4/_old 2019-12-21 12:32:53.175406174 +0100 +++ /var/tmp/diff_new_pack.mmyuZ4/_new 2019-12-21 12:32:53.179406176 +0100 @@ -1,7 +1,7 @@ # # spec file for package libmirage # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,14 +22,12 @@ Summary: A CD-ROM image access library License: GPL-2.0-or-later Group: Development/Libraries/C and C++ -Version: 3.2.2 +Version: 3.2.3 Release: 0 URL: http://cdemu.sf.net/about/libmirage/ #Git-Clone: git://git.code.sf.net/p/cdemu/code Source: https://downloads.sf.net/cdemu/%name-%version.tar.bz2 -Patch1: 0001-libMirage-CSO-filter-validate-part-size.patch -Patch2: 0002-libMirage-CSO-filter-replaced-a-g_assert-with-error-.patch Patch3: CVE-2019-15757.patch BuildRequires: cmake >= 2.8.5 BuildRequires: intltool >= 0.21 @@ -133,7 +131,7 @@ This package provides the GObject Introspection bindings for libmirage. %prep -%autosetup -p2 +%autosetup -p1 %build %cmake -DCMAKE_MODULE_LINKER_FLAGS="" ++++++ CVE-2019-15757.patch ++++++ --- /var/tmp/diff_new_pack.mmyuZ4/_old 2019-12-21 12:32:53.191406182 +0100 +++ /var/tmp/diff_new_pack.mmyuZ4/_new 2019-12-21 12:32:53.191406182 +0100 @@ -4,10 +4,10 @@ images/image-nrg/parser.c | 7 +++++++ 1 file changed, 7 insertions(+) -Index: libmirage-3.2.2/images/image-nrg/parser.c +Index: libmirage-3.2.3/images/image-nrg/parser.c =================================================================== ---- a/libmirage-3.2.2.orig/images/image-nrg/parser.c -+++ b/libmirage-3.2.2/images/image-nrg/parser.c +--- libmirage-3.2.3.orig/images/image-nrg/parser.c ++++ libmirage-3.2.3/images/image-nrg/parser.c @@ -987,6 +987,13 @@ static MirageDisc *mirage_parser_nrg_loa /* Set CD-ROM as default medium type, will be changed accordingly if there is a MTYP block provided */ @@ -20,5 +20,5 @@ + goto end; + } - /* Read descriptor data */ - self->priv->nrg_data = g_malloc(self->priv->nrg_data_length); + /* Validate data length */ + if (self->priv->nrg_data_length == 0) { ++++++ libmirage-3.2.2.tar.bz2 -> libmirage-3.2.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/CMakeLists.txt new/libmirage-3.2.3/CMakeLists.txt --- old/libmirage-3.2.2/CMakeLists.txt 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/CMakeLists.txt 2019-08-27 17:24:39.000000000 +0200 @@ -6,7 +6,7 @@ # Release versioning: set (MIRAGE_VERSION_MAJOR 3) set (MIRAGE_VERSION_MINOR 2) -set (MIRAGE_VERSION_MICRO 1) +set (MIRAGE_VERSION_MICRO 3) set (MIRAGE_VERSION_LONG ${MIRAGE_VERSION_MAJOR}.${MIRAGE_VERSION_MINOR}.${MIRAGE_VERSION_MICRO}) set (MIRAGE_VERSION_SHORT ${MIRAGE_VERSION_MAJOR}.${MIRAGE_VERSION_MINOR}) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/README new/libmirage-3.2.3/README --- old/libmirage-3.2.2/README 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/README 2019-08-27 17:24:39.000000000 +0200 @@ -1,5 +1,5 @@ libMirage -3.2.1 +3.2.3 ~~~~~ @@ -17,7 +17,7 @@ ~~~~~~~~~~~~~~~ This is libMirage library, a CD-ROM image access library, and part of the -userspace-cdemu suite, a free, GPL CD/DVD-ROM device emulator for linux. It is +cdemu suite, a free, GPL CD/DVD-ROM device emulator for linux. It is written in C and based on GLib. The aim of libMirage is to provide uniform access to the data stored in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/cmake/GObjectIntrospection.cmake new/libmirage-3.2.3/cmake/GObjectIntrospection.cmake --- old/libmirage-3.2.2/cmake/GObjectIntrospection.cmake 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/cmake/GObjectIntrospection.cmake 2019-08-27 17:24:39.000000000 +0200 @@ -181,7 +181,7 @@ ########################################################################### # Add the custom commands ########################################################################### - set(ENV{CFLAGS} ${GIR_REAL_CFLAGS}) + set(ENV{CFLAGS} "${GIR_REAL_CFLAGS}") add_custom_command( OUTPUT ${GIR_FILENAME} COMMAND ${GIR_SCANNER} ${GIR_SCANNER_ARGS} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/cmake/GtkDoc.cmake new/libmirage-3.2.3/cmake/GtkDoc.cmake --- old/libmirage-3.2.2/cmake/GtkDoc.cmake 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/cmake/GtkDoc.cmake 2019-08-27 17:24:39.000000000 +0200 @@ -106,7 +106,7 @@ add_custom_command ( OUTPUT ${GTKDOC_DOCS_BUILDDIR}/html.stamp COMMAND mkdir -p html - COMMAND cd html && gtkdoc-mkhtml ${GTKDOC_MODULE} ../${GTKDOC_MAIN_SGML_FILE} + COMMAND cd html && gtkdoc-mkhtml ${GTKDOC_MODULE} ../${GTKDOC_MAIN_SGML_FILE} && cd .. COMMAND gtkdoc-fixxref --module=${GTKDOC_MODULE} --module-dir=html WORKING_DIRECTORY ${GTKDOC_DOCS_BUILDDIR} DEPENDS ${GTKDOC_DOCS_BUILDDIR}/sgml.stamp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/debian/changelog new/libmirage-3.2.3/debian/changelog --- old/libmirage-3.2.2/debian/changelog 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/debian/changelog 2019-08-27 17:24:39.000000000 +0200 @@ -1,3 +1,3 @@ -libmirage (3.2.0-1) debian; urgency=low +libmirage (3.2.3-1) debian; urgency=low * Initial Release. Closes: #705409 -- Henrik Stokseth <[email protected]> Sat, 05 Apr 2014 12:00:00 +0100 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/debian/control new/libmirage-3.2.3/debian/control --- old/libmirage-3.2.2/debian/control 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/debian/control 2019-08-27 17:24:39.000000000 +0200 @@ -6,8 +6,8 @@ Build-Depends: pkg-config (>= 0.14), libglib2.0-dev (>= 2.28), libsndfile1-dev, libsamplerate0-dev, zlib1g-dev, libbz2-dev, liblzma-dev, gtk-doc-tools, gobject-introspection, libgirepository1.0-dev, debhelper (>= 9), intltool, - cmake (>= 2.8.5) -Standards-Version: 3.9.7 + cmake (>= 2.8.5), ninja-build +Standards-Version: 4.3.0 Package: libmirage11 @@ -30,8 +30,8 @@ Package: gir1.2-mirage-3.2 Section: introspection Architecture: any -Conflicts: gir1.2-mirage-3.0, gir1.2-mirage-3.1 -Replaces: gir1.2-mirage-3.0, gir1.2-mirage-3.1 +Conflicts: gir1.2-mirage-3.1 +Replaces: gir1.2-mirage-3.1 Depends: libmirage11 (= ${binary:Version}), ${gir:Depends}, ${misc:Depends} Description: CD-ROM image access library (typelib files) This package provides typelib files. @@ -39,7 +39,7 @@ Package: libmirage11-dbg Section: debug -Priority: extra +Priority: optional Architecture: any Depends: libmirage11 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: CD-ROM image access library (debugging symbols) @@ -50,7 +50,8 @@ Section: libdevel Architecture: any Pre-Depends: ${misc:Pre-Depends} -Depends: libmirage11 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: libmirage11 (= ${binary:Version}), gir1.2-mirage-3.2 (= ${binary:Version}), + ${shlibs:Depends}, ${misc:Depends} Description: CD-ROM image access library (development files) This package contains files needed to develop with libMirage. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/debian/rules new/libmirage-3.2.3/debian/rules --- old/libmirage-3.2.2/debian/rules 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/debian/rules 2019-08-27 17:24:39.000000000 +0200 @@ -6,7 +6,9 @@ override_dh_auto_configure: - dh_auto_configure -- "-DPOST_INSTALL_HOOKS:BOOL=OFF" + dh_auto_configure -- -G Ninja -DPOST_INSTALL_HOOKS:BOOL=OFF + +override_dh_auto_test: override_dh_strip: dh_strip --dbg-package="libmirage11-dbg" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/filters/filter-cso/filter-stream.c new/libmirage-3.2.3/filters/filter-cso/filter-stream.c --- old/libmirage-3.2.2/filters/filter-cso/filter-stream.c 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/filters/filter-cso/filter-stream.c 2019-08-27 17:24:39.000000000 +0200 @@ -70,12 +70,17 @@ MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: reading part index\n", __debug__); + if (header->total_bytes % header->block_size) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: original stream size (%" G_GUINT64_FORMAT ") is not a multiple of block size (%d)!\n", __debug__, header->total_bytes, header->block_size); + g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_STREAM_ERROR, Q_("Invalid CSO file!")); + return FALSE; + } + self->priv->num_parts = header->total_bytes / header->block_size; self->priv->num_indices = self->priv->num_parts + 1; /* Contains EOF offset */ - g_assert(header->total_bytes % header->block_size == 0); MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: number of parts: %d\n", __debug__, self->priv->num_parts); - MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: original stream size: %" G_GINT64_MODIFIER "d\n", __debug__, header->total_bytes); + MIRAGE_DEBUG(self, MIRAGE_DEBUG_PARSER, "%s: original stream size: 0x%" G_GINT64_MODIFIER "X (%" G_GUINT64_FORMAT ")\n", __debug__, header->total_bytes, header->total_bytes); /* At least one part must be present */ if (!self->priv->num_parts) { @@ -120,6 +125,14 @@ CSO_Part *prev_part = &self->priv->parts[i-1]; prev_part->comp_size = cur_part->offset - prev_part->offset; + + /* Part size must be either smaller than header->block_size + (compressed block ) or equal to it (raw block) */ + if (prev_part->comp_size > header->block_size) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: invalid part/index entry: part data length (%" G_GINT64_MODIFIER "d) exceeds declared block size (%d)!\n", __debug__, prev_part->comp_size, header->block_size); + g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_STREAM_ERROR, Q_("Invalid CSO file!")); + return FALSE; + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/images/image-iso/writer.c new/libmirage-3.2.3/images/image-iso/writer.c --- old/libmirage-3.2.2/images/image-iso/writer.c 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/images/image-iso/writer.c 2019-08-27 17:24:39.000000000 +0200 @@ -35,6 +35,8 @@ gchar *image_file_basename; GList *image_file_streams; + + gboolean is_cd_rom; }; static const gchar *audio_filter_chain[] = { @@ -162,6 +164,18 @@ MIRAGE_DEBUG(self, MIRAGE_DEBUG_WRITER, "%s: write subchannel: %d\n", __debug__, mirage_writer_get_parameter_boolean(_self, PARAM_WRITE_SUBCHANNEL)); MIRAGE_DEBUG(self, MIRAGE_DEBUG_WRITER, "%s: swap raw audio data: %d\n", __debug__, mirage_writer_get_parameter_boolean(_self, PARAM_SWAP_RAW_AUDIO_DATA)); + /* Disable raw mode and subchannel for non-CD media */ + self->priv->is_cd_rom = mirage_disc_get_medium_type(disc) == MIRAGE_MEDIUM_CD; + if (!self->priv->is_cd_rom) { + if (mirage_writer_get_parameter_boolean(_self, PARAM_WRITE_RAW)) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: raw write mode is not supported for non-CD media and will be ignored!\n", __debug__); + } + + if (mirage_writer_get_parameter_boolean(_self, PARAM_WRITE_SUBCHANNEL)) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: subchannel write mode is not supported for non-CD media and will be ignored!\n", __debug__); + } + } + return TRUE; } @@ -169,6 +183,9 @@ { MirageWriterIso *self = MIRAGE_WRITER_ISO(_self); + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WRITER, "%s: creating new fragment with role %d for track (%d, sector type %d)!\n", __debug__, + role, mirage_track_layout_get_track_number(track), mirage_track_get_sector_type(track)); + MirageFragment *fragment = g_object_new(MIRAGE_TYPE_FRAGMENT, NULL); gchar *filename; MirageStream *stream; @@ -184,8 +201,8 @@ const gchar *extension; const gchar **filter_chain = NULL; - if (write_subchannel || write_raw) { - /* Raw mode (also implied by subchannel) */ + if (self->priv->is_cd_rom && (write_subchannel || write_raw)) { + /* Raw mode (also implied by subchannel) - only for CD-ROM media */ extension = "bin"; mirage_fragment_main_data_set_size(fragment, 2352); @@ -234,7 +251,7 @@ } /* Subchannel; only internal PW96 interleaved is supported */ - if (write_subchannel) { + if (self->priv->is_cd_rom && write_subchannel) { mirage_fragment_subchannel_data_set_format(fragment, MIRAGE_SUBCHANNEL_DATA_FORMAT_PW96_INTERLEAVED | MIRAGE_SUBCHANNEL_DATA_FORMAT_INTERNAL); mirage_fragment_subchannel_data_set_size(fragment, 96); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/images/image-nrg/parser.c new/libmirage-3.2.3/images/image-nrg/parser.c --- old/libmirage-3.2.2/images/image-nrg/parser.c 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/images/image-nrg/parser.c 2019-08-27 17:24:39.000000000 +0200 @@ -988,6 +988,14 @@ is a MTYP block provided */ mirage_disc_set_medium_type(self->priv->disc, MIRAGE_MEDIUM_CD); + /* Validate data length */ + if (self->priv->nrg_data_length == 0) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: nrg_data_length must be greater than 0!\n", __debug__); + g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_IMAGE_FILE_ERROR, Q_("nrg_data_length must be greater than 0!")); + succeeded = FALSE; + goto end; + } + /* Read descriptor data */ self->priv->nrg_data = g_malloc(self->priv->nrg_data_length); mirage_stream_seek(self->priv->nrg_stream, trailer_offset, G_SEEK_SET, NULL); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libmirage-3.2.2/images/image-toc/writer.c new/libmirage-3.2.3/images/image-toc/writer.c --- old/libmirage-3.2.2/images/image-toc/writer.c 2019-03-17 14:50:14.000000000 +0100 +++ new/libmirage-3.2.3/images/image-toc/writer.c 2019-08-27 17:24:39.000000000 +0200 @@ -439,6 +439,13 @@ { MirageWriterToc *self = MIRAGE_WRITER_TOC(_self); + /* This writer supports only CD-ROM medium */ + if (mirage_disc_get_medium_type(disc) != MIRAGE_MEDIUM_CD) { + MIRAGE_DEBUG(self, MIRAGE_DEBUG_WARNING, "%s: TOC image writer supports only CD-ROM medium format!\n", __debug__); + g_set_error(error, MIRAGE_ERROR, MIRAGE_ERROR_WRITER_ERROR, Q_("Unsupported medium format!")); + return FALSE; + } + /* Determine image file basename */ const gchar *filename = mirage_disc_get_filenames(disc)[0]; const gchar *suffix = mirage_helper_get_suffix(filename);
