Hello community,

here is the log from the commit of package taglib for 
openSUSE:Leap:15.2:SLE-workarounds checked in at 2020-03-19 09:35:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:SLE-workarounds/taglib (Old)
 and      /work/SRC/openSUSE:Leap:15.2:SLE-workarounds/.taglib.new.3160 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "taglib"

Thu Mar 19 09:35:46 2020 rev:1 rq: version:1.11.1

Changes:
--------
New Changes file:

--- /dev/null   2020-03-10 18:28:06.918142398 +0100
+++ 
/work/SRC/openSUSE:Leap:15.2:SLE-workarounds/.taglib.new.3160/taglib.changes    
    2020-03-19 09:35:46.435727947 +0100
@@ -0,0 +1,646 @@
+-------------------------------------------------------------------
+Thu Mar 12 10:01:24 UTC 2020 - Tomáš Chvátal <[email protected]>
+
+- Disable rpath explicitely to fix build on Leap 15.2 bsc#1166467
+
+-------------------------------------------------------------------
+Wed Jun  6 08:38:38 UTC 2018 - [email protected]
+
+- Added taglib-CVE-2018-11439.patch: Fix an out-of-bounds read when loading
+  invalid ogg flac files (CVE-2018-11439, bsc#1096180). 
+- Applied spec-cleaner to specfile
+
+-------------------------------------------------------------------
+Tue Sep 26 09:27:25 UTC 2017 - [email protected]
+
+- Cleanup bit with spec-cleaner
+- Drop librcc dependency as there is no actual code dependency in taglib
+
+-------------------------------------------------------------------
+Tue Aug  8 22:36:41 CEST 2017 - [email protected]
+
+- Update to versio 1.11.1:
+  * Fixed binary incompatible change in TagLib::String.
+  * Fixed reading ID3v2 CTOC frames with a lot of entries.
+  * Fixed seeking ByteVectorStream from the end.
+- Prevent denial of service (bsc#1052699, CVE-2017-12678,
+  taglib-CVE-2017-12678.patch).
+
+-------------------------------------------------------------------
+Mon May  2 18:24:57 UTC 2016 - [email protected]
+
+- Update to 1.11
+  * Fixed reading APE items with long keys.
+  * Fixed reading ID3v2 SYLT frames when description is empty.
+  1.11 BETA 2:
+  * Better handling of PCM WAV files with a 'fact' chunk.
+  * Better handling of corrupted APE tags.
+  * Efficient decoding of unsynchronized ID3v2 frames.
+  * Fixed text encoding when saving certain frames in ID3v2.3
+    tags.
+  * Fixed updating the size of RIFF files when removing chunks.
+  * Several smaller bug fixes and performance improvements.
+  1.11 BETA:
+  * New API for creating FileRef from IOStream.
+  * Added support for ID3v2 PCST and WFED frames.
+  * Added support for pictures in XiphComment.
+  * Added String::clear().
+  * Added FLAC::File::strip() for removing non-standard tags.
+  * Added alternative functions to XiphComment::removeField().
+  * Added BUILD_BINDINGS build option.
+  * Added ENABLE_CCACHE build option.
+  * Replaced ENABLE_STATIC build option with BUILD_SHARED_LIBS.
+  * Better handling of duplicate ID3v2 tags in all kinds of
+    files.
+  * Better handling of duplicate tag chunks in WAV files.
+  * Better handling of duplicate tag chunks in AIFF files.
+  * Better handling of duplicate Vorbis comment blocks in FLAC
+    files.
+  * Better handling of broken MPEG audio frames.
+  * Fixed crash when calling File::properties() after strip().
+  * Fixed crash when parsing certain MPEG files.
+  * Fixed crash when saving Ogg files.
+  * Fixed possible file corruptions when saving ASF files.
+  * Fixed possible file corruptions when saving FLAC files.
+  * Fixed possible file corruptions when saving MP4 files.
+  * Fixed possible file corruptions when saving MPEG files.
+  * Fixed possible file corruptions when saving APE files.
+  * Fixed possible file corruptions when saving Musepack files.
+  * Fixed possible file corruptions when saving WavPack files.
+  * Fixed updating the comment field of Vorbis comments.
+  * Fixed reading date and time in ID3v2.3 tags.
+  * Marked ByteVector::null and ByteVector::isNull()
+    deprecated.
+  * Marked String::null and String::isNull() deprecated.
+  * Marked XiphComment::removeField() deprecated.
+  * Marked Ogg::Page::getCopyWithNewPageSequenceNumber()
+    deprecated. It returns null.
+  * Marked custom integer types deprecated.
+  * Many smaller bug fixes and performance improvements.
+
+-------------------------------------------------------------------
+Mon Jan  4 08:49:06 UTC 2016 - [email protected]
+
+- Fix build in SLE_11 by disabling post-install
+
+-------------------------------------------------------------------
+Sat Jan  2 17:06:39 UTC 2016 - [email protected]
+
+- Cleanup spec file with spec-cleaner
+- Use cmake macros
+- Update to 1.10
+  * New API for the audio length in milliseconds.
+  * Added new options to the tagwriter example.
+  * Added support for ID3v2 ETCO and SYLT frames.
+  * Added support for album artist in PropertyMap API of MP4 files.
+  * Added support for embedded frames in ID3v2 CHAP and CTOC 
+    frames.
+  * Added support for AIFF-C files.
+  * Better handling of duplicate ID3v2 tags in MPEG files.
+  * Allowed generating taglib.pc on Windows.
+  * Added ZLIB_SOURCE build option.
+  * Fixed backwards-incompatible change in TagLib::String when 
+    constructing UTF16 strings.
+  * Fixed crash when parsing certain FLAC files.
+  * Fixed crash when encoding empty strings.
+  * Fixed saving of certain XM files on OS X.
+  * Changed Xiph and APE generic getters to return 
+    space-concatenated values.
+  * Fixed possible file corruptions when removing tags from WAV 
+    files.
+  * Added support for MP4 files with 64-bit atoms in certain 64-bit 
+    environments.
+  * Prevented ID3v2 padding from being too large.
+  * Fixed crash when parsing corrupted APE files.
+  * Fixed crash when parsing corrupted WAV files.
+  * Fixed crash when parsing corrupted Ogg FLAC files.
+  * Fixed crash when parsing corrupted MPEG files.
+  * Fixed saving empty tags in WAV files.
+  * Fixed crash when parsing corrupted Musepack files.
+  * Fixed possible memory leaks when parsing AIFF and WAV files.
+  * Fixed crash when parsing corrupted MP4 files.
+  * Stopped writing empty ID3v2 frames.
+  * Fixed possible file corruptions when saving WMA files.
+  * Added TagLib::MP4::Tag::isEmpty().
+  * Added accessors to manipulate MP4 tags.
+  * Fixed crash when parsing corrupted WavPack files.
+  * Fixed seeking MPEG frames.
+  * Fixed reading FLAC files with zero-sized padding blocks.
+  * Added support for reading the encoder information of WMA files.
+  * Added support for reading the codec of WAV files.
+  * Added support for multi channel WavPack files.
+  * Added support for reading the nominal bitrate of Ogg Speex 
+    files.
+  * Added support for VBR headers in MPEG files.
+  * Marked FLAC::File::streamInfoData() deprecated. It returns an 
+    empty ByteVector.
+  * Marked FLAC::File::streamLength() deprecated. It returns zero.
+  * Fixed possible file corruptions when adding an ID3v1 tag to 
+    FLAC files.
+  * Fixed self-assignment operator in some types.
+  * Fixed extraction of MP4 tag keys with an empty list.
+       * Many smaller bug fixes and performance improvements.
+- Drop no longer needed patches:
+  * taglib-1.7.2-doxygen.patch
+  * taglib-1.8-strip-rpath.patch
+  * taglib-1.9.1.uint.patch
+
+-------------------------------------------------------------------
+Fri May 16 10:40:52 CEST 2014 - [email protected]
+
+- BuildRequire cmake >= 2.8
+
+-------------------------------------------------------------------
+Tue Apr 15 14:56:26 UTC 2014 - [email protected]
+
+- Fix build error in 11.4
+  taglib-1.9.1.uint.patch
+
+-------------------------------------------------------------------
+Wed Oct  9 00:04:23 UTC 2013 - [email protected]
+
+- Update to 1.9.1
+  * Fixed binary incompatible change in TagLib::Map and TagLib::List.
+  * Fixed constructing String from ByteVector.
+  * Fixed compilation on MSVC with the /Zc:wchar_t- option.
+  * Fixed detecting of RIFF files with invalid chunk sizes.
+  * Added TagLib::MP4::PropertyMap::codec().
+
+-------------------------------------------------------------------
+Sun Oct  6 23:51:11 UTC 2013 - [email protected]
+
+- Update to 1.9
+  * Added support for the Ogg Opus file format.
+  * Added support for INFO tags in WAV files.
+  * Changed FileStream to use Windows file API.
+  * Included taglib-config.cmd script for Windows.
+  * New ID3v1::Tag methods for working directly with
+    genre numbers.
+  * New MPEG::File methods for checking which tags are saved in
+    the file.
+  * Added support for the PropertyMap API to ASF and MP4 files.
+  * Added MusicBrainz identifiers to the PropertyMap API.
+  * Allowed reading of MP4 cover art without an explicitly
+    specified format.
+  * Better parsing of corrupted FLAC files.
+  * Fixed saving of PropertyMap comments without description
+    into ID3v2 tags.
+  * Fixed crash when parsing certain XM files.
+  * Fixed compilation of unit test with clang.
+  * Better handling of files that can't be open or have
+    read-only permissions.
+  * Improved atomic reference counting.
+  * New hookable API for debug messages.
+  * More complete Windows install instructions.
+  * Many smaller bug fixes and performance improvements.
+- Dropped taglib-1.8-ds-rusxmms-r9.patch, not required anymore
+- Dropped Added-check-if-file-is-open-before-attempting-to-rea.patch
++++ 449 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:Leap:15.2:SLE-workarounds/.taglib.new.3160/taglib.changes
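
Review bot: Two typos in the added entries should be corrected before this lands: "explicitely" in the 2020-03-12 entry and "versio" in the 2017-08-08 entry ("Update to versio 1.11.1"). The 2020-03-12 entry also cites bsc#1166467 bare, while the two CVE entries put their references in parentheses, as in "(CVE-2018-11439, bsc#1096180)"; using one form keeps bug and CVE references easy to grep when auditing which fixes a build carries.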

New:
----
  baselibs.conf
  taglib-1.11.1.tar.gz
  taglib-CVE-2017-12678.patch
  taglib-CVE-2018-11439.patch
  taglib.changes
  taglib.desktop
  taglib.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ taglib.spec ++++++
#
# spec file for package taglib
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           taglib
Version:        1.11.1
Release:        0
Summary:        Audio Meta-Data Library
License:        LGPL-2.1-or-later AND MPL-1.1
Group:          Productivity/Multimedia/Other
URL:            http://taglib.github.io/
Source0:        http://taglib.github.io/releases/%{name}-%{version}.tar.gz
Source1:        %{name}.desktop
Source100:      baselibs.conf
# PATCH-FIX-SECURITY taglib-CVE-2017-12678.patch bsc1052699 CVE-2017-12678 [email protected] -- Prevent denial of service.
Patch0:         taglib-CVE-2017-12678.patch
Patch1:         taglib-CVE-2018-11439.patch
BuildRequires:  cmake >= 2.8
BuildRequires:  doxygen
BuildRequires:  fdupes
BuildRequires:  gcc-c++
BuildRequires:  graphviz-gnome
BuildRequires:  libcppunit-devel
BuildRequires:  pkgconfig
BuildRequires:  update-desktop-files
BuildRequires:  pkgconfig(zlib)
# NOTE: The tagreader and writer executables give different results when built with
# an earlier taglib-1.8-ds-rusxmms patch. See bnc#814814
Requires:       libtag1 = %{version}-%{release}
Requires:       libtag_c0 = %{version}-%{release}

%description
TagLib is a library for reading and editing the meta-data of several popular
audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg
Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack
TrueAudio, WAV, AIFF, MP4 and ASF files.
This package contains built examples which manipulate tags from the
command line.

%package -n libtag1
Summary:        Audio Meta-Data Library
License:        LGPL-2.1-or-later
Group:          System/Libraries
Conflicts:      taglib <= 1.6.3

%description -n libtag1
TagLib is a library for reading and editing the meta-data of several popular
audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg
Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack
TrueAudio, WAV, AIFF, MP4 and ASF files.

%package -n libtag_c0
Summary:        Audio Meta-Data Library
License:        LGPL-2.1-or-later
Group:          System/Libraries
Conflicts:      taglib <= 1.6.3

%description -n libtag_c0
TagLib is a library for reading and editing the meta-data of several popular
audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg
Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack
TrueAudio, WAV, AIFF, MP4 and ASF files.

%package -n libtag-devel
Summary:        Development files for taglib
License:        LGPL-2.1-or-later
Group:          Development/Libraries/C and C++
Requires:       libstdc++-devel
Requires:       libtag1 = %{version}-%{release}
Requires:       libtag_c0 = %{version}-%{release}
# taglib-devel was last used in openSUSE 11.4 (taglib-devel-1.6.2)
# The last taglib-devel used was version 1.6.3 from multimedia:libs.
Provides:       taglib-devel = %{version}
Obsoletes:      taglib-devel <= 1.6.3

%description -n libtag-devel
This package contains development files for taglib.

%prep
%setup -q
%patch0 -p1
%patch1 -p1

%build
%cmake \
  -DCMAKE_SKIP_RPATH=ON \
  -DBUILD_TESTS:BOOL=ON \
  -DWITH_ASF:BOOL=ON \
  -DWITH_MP4:BOOL=ON \
  -DBUILD_EXAMPLES:BOOL=ON
make %{?_smp_mflags} all docs

%install
%cmake_install

# install susehelp file
mkdir -p %{buildroot}%{_datadir}/susehelp/meta/Development/Libraries/
install -pm 0644 %{SOURCE1} %{buildroot}%{_datadir}/susehelp/meta/Development/Libraries/

%suse_update_desktop_file %{buildroot}%{_datadir}/susehelp/meta/Development/Libraries/%{name}.desktop

# Documentation
mkdir -p %{buildroot}%{_defaultdocdir}/libtag-devel
rm -f examples/CMake*
cp -a AUTHORS COPYING.LGPL COPYING.MPL NEWS build/doc/html/ examples/ %{buildroot}%{_defaultdocdir}/libtag-devel/

%fdupes -s %{buildroot}
# Add built examples to taglib package.
mkdir -p %{buildroot}%{_bindir}
for i in `find build/examples -maxdepth 1 ! -type d -executable`; do cp -v ${i} %{buildroot}%{_bindir}/; done

%post
%desktop_database_post

%postun
%desktop_database_postun

%post -n libtag1 -p /sbin/ldconfig
%postun -n libtag1 -p /sbin/ldconfig
%post -n libtag_c0 -p /sbin/ldconfig
%postun -n libtag_c0 -p /sbin/ldconfig

%files -n libtag1
%{_libdir}/libtag.so.1
%{_libdir}/libtag.so.1.*

%files -n libtag_c0
%{_libdir}/libtag_c.so.0
%{_libdir}/libtag_c.so.0.*

%files -n libtag-devel
%doc %{_defaultdocdir}/libtag-devel
%{_bindir}/taglib-config
%{_includedir}/taglib/
%{_libdir}/libtag*.so
%{_libdir}/pkgconfig/*.pc
%{_datadir}/susehelp/

%files
%{_bindir}/*
%exclude %{_bindir}/taglib-config

%changelog
++++++ baselibs.conf ++++++
libtag1
libtag_c0
++++++ taglib-CVE-2017-12678.patch ++++++
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6

From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <[email protected]>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame

If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
 taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp 
b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7b..9347ab86 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag 
*tag) const
      tag->frameList("TDAT").size() == 1)
   {
     TextIdentificationFrame *tdrc =
-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
     UnknownFrame *tdat = static_cast<UnknownFrame 
*>(tag->frameList("TDAT").front());
 
-    if(tdrc->fieldList().size() == 1 &&
+    if(tdrc &&
+       tdrc->fieldList().size() == 1 &&
        tdrc->fieldList().front().size() == 4 &&
        tdat->data().size() >= 5)
     {
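
Review bot: The tdat pointer, two lines below the changed cast, is still obtained with static_cast<UnknownFrame *>(tag->frameList("TDAT").front()) and dereferenced in tdat->data().size() >= 5 without any type check, so the assumption this patch removes for TDRC is left in place for TDAT. Suggest using dynamic_cast<UnknownFrame *> there as well and adding "tdat &&" to the condition next to the new "tdrc &&", so that a TDAT frame of another type is skipped instead of being read through the wrong class.
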
-- 
2.13.1

++++++ taglib-CVE-2018-11439.patch ++++++
From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <[email protected]>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)

CVE-2018-11439 is caused by a failure to check the minimum length
of an ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
---
 taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
 
   if(!metadataHeader.startsWith("fLaC"))  {
     // FLAC 1.1.2+
+    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+    if(metadataHeader.size() < 13)
+      return;
+
+    if(metadataHeader[0] != 0x7f)
+      return;
+
     if(metadataHeader.mid(1, 4) != "FLAC")
       return;
 
-    if(metadataHeader[5] != 1)
-      return; // not version 1
+    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+      return; // not version 1.0
+
+    if(metadataHeader.mid(9, 4) != "fLaC")
+      return;
 
     metadataHeader = metadataHeader.mid(13);
   }
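
Review bot: The version test "if(metadataHeader[5] != 1 && metadataHeader[6] != 0)" uses && where its comment "not version 1.0" calls for ||. As written, the function returns only when the major byte is not 1 and the minor byte is not 0 at the same time, so a header with major 2 and minor 0, or major 1 and minor 5, still passes. Suggest "if(metadataHeader[5] != 1 || metadataHeader[6] != 0)" so that only mapping version 1.0 is accepted, matching the stricter checking the commit message describes.
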
++++++ taglib.desktop ++++++
[Desktop Entry]
Name=Taglib API reference
Name[de]=Taglib API Referenz
Name[hu]=Taglib API referencia
DocPath=/usr/share/doc/packages/libtag-devel/html/index.html
X-DOC-SearchMethod=htdig
