Hello community,

here is the log from the commit of package libvorbis for openSUSE:Factory 
checked in at 2012-02-22 11:48:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvorbis (Old)
 and      /work/SRC/openSUSE:Factory/.libvorbis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvorbis", Maintainer is "ti...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes      2011-12-27 18:37:43.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2012-02-22 11:48:29.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Feb 21 14:32:38 CET 2012 - ti...@suse.de
+
+- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow
+  (bnc#747912)
+
+-------------------------------------------------------------------
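Review bot: The changelog entry names the CVE and the bug (bnc#747912) but not the patch file that carries the fix, which the "New:" section shows is libvorbis-CVE-2012-0444.diff; the openSUSE convention is to name the added patch in the entry so the changelog and the spec stay cross-referenced, e.g. "- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow (bnc#747912), add libvorbis-CVE-2012-0444.diff".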

New:
----
  libvorbis-CVE-2012-0444.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvorbis.spec ++++++
--- /var/tmp/diff_new_pack.655c9a/_old  2012-02-22 11:48:30.000000000 +0100
+++ /var/tmp/diff_new_pack.655c9a/_new  2012-02-22 11:48:30.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libvorbis
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,6 +39,7 @@
 Patch10:        libvorbis-pkgconfig.patch
 Patch11:        vorbis-fix-linking.patch
 Patch12:        vorbis-ocloexec.patch
+Patch20:        libvorbis-CVE-2012-0444.diff
 BuildRequires:  fdupes
 BuildRequires:  libogg-devel
 BuildRequires:  libtool
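Review bot: The new Patch20 tag skips from Patch12 to Patch20 without a comment; if the gap is deliberate (reserving the 20s for security patches), a one-line comment above the tag such as "# PATCH-FIX-UPSTREAM libvorbis-CVE-2012-0444.diff bnc#747912" would make both the numbering and the patch's origin clear to the next maintainer, as the openSUSE patch-tagging convention expects.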
@@ -139,6 +140,7 @@
 fi
 %patch11
 %patch12
+%patch20 -p1
 
 %build
 # Fix optimization level                                                       
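Review bot: The new `%patch20 -p1` differs from `%patch11` and `%patch12`, which are applied without a strip level; this is correct here because the added diff uses a/lib/floor1.c and b/lib/floor1.c prefixes that the other patches do not, but it is worth confirming in the build log that the patch applies cleanly with no fuzz or offset warnings so the bounds check lands in the intended loop.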

++++++ libvorbis-CVE-2012-0444.diff ++++++
---
 lib/floor1.c |    1 +
 1 file changed, 1 insertion(+)

--- a/lib/floor1.c
+++ b/lib/floor1.c
@@ -167,6 +167,7 @@ static vorbis_info_floor *floor1_unpack
 
   for(j=0,k=0;j<info->partitions;j++){
     count+=info->class_dim[info->partitionclass[j]];
+    if(count>VIF_POSIT) goto err_out;
     for(;k<count;k++){
       int t=info->postlist[k+2]=oggpack_read(opb,rangebits);
       if(t<0 || t>=(1<<rangebits))
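Review bot: The added `if(count>VIF_POSIT) goto err_out;` correctly sits after `count` is incremented and before the inner loop writes `info->postlist[k+2]`, so an out-of-range `count` is rejected before any write rather than after; the check is only sufficient if `postlist` is declared with at least VIF_POSIT+2 entries (the index written is k+2 with k<count<=VIF_POSIT), so please confirm the array size in the struct definition, and confirm that the `err_out` label frees the partially initialised `info` rather than leaking it, since neither is visible in this hunk. Also note that the check bounds only `count`, not the individual `class_dim` and `partitionclass` values read from the stream, so this relies on their own range checks earlier in floor1_unpack.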