Hello community,

here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2020-07-14 07:43:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvorbis (Old)
 and /work/SRC/openSUSE:Factory/.libvorbis.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvorbis" Tue Jul 14 07:43:12 2020 rev:52 rq:819992 version:1.3.7 Changes: -------- --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2018-06-08 23:10:34.782649932 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new.3060/libvorbis.changes 2020-07-14 07:43:27.498718138 +0200 @@ -1,0 +2,26 @@ +Fri Jul 10 10:14:43 UTC 2020 - Martin Hauke <[email protected]> + +- Update to version 1.3.7 + * Fix CVE-2018-10392 and CVE-2018-10393 - out-of-bounds read + encoding very low sample rates + * Fix CVE-2017-14160 - out-of-bounds read encoding very low + sample rates. + * Fix handling invalid bytes per sample arguments. + * Fix handling invalid channel count arguments. + * Fix invalid free on seek failure. + * Fix negative shift reading blocksize. + * Fix accepting unreasonable float32 values. + * Fix tag comparison depending on locale. + * Fix unnecessarily linking libm. + * Fix memory leak in test_sharedbook. + * Distribute CMake build files with the source package. + * Remove unnecessary configure --target switch. + * Add OSS-Fuzz support. + * Build system and integration updates. +- Drop not longer needed patches (fixed by upstream): + * vorbis-CVE-2017-14160.patch + * vorbis-CVE-2018-10392.patch + * vorbis-CVE-2018-10393.patch +- Add source verification + +------------------------------------------------------------------- Old: ---- libvorbis-1.3.6.tar.xz vorbis-CVE-2017-14160.patch vorbis-CVE-2018-10392.patch vorbis-CVE-2018-10393.patch New: ---- libvorbis-1.3.7.tar.xz libvorbis-1.3.7.tar.xz.asc libvorbis.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvorbis-doc.spec ++++++ --- /var/tmp/diff_new_pack.lGfyrL/_old 2020-07-14 07:43:31.634731490 +0200 +++ /var/tmp/diff_new_pack.lGfyrL/_new 2020-07-14 07:43:31.638731503 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libvorbis-doc # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -23,13 +23,15 @@ %endif Name: libvorbis-doc -Version: 1.3.6 +Version: 1.3.7 Release: 0 Summary: Documentation of Ogg/Vorbis library License: BSD-3-Clause Group: Documentation/Other -Url: http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +URL: https://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source99: libvorbis.keyring Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12: vorbis-ocloexec.patch ++++++ libvorbis.spec ++++++ --- /var/tmp/diff_new_pack.lGfyrL/_old 2020-07-14 07:43:31.662731581 +0200 +++ /var/tmp/diff_new_pack.lGfyrL/_new 2020-07-14 07:43:31.666731593 +0200 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: libvorbis -Version: 1.3.6 +Version: 1.3.7 Release: 0 Summary: The Vorbis General Audio Compression Codec License: BSD-3-Clause Group: System/Libraries -Url: http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz -Source1: baselibs.conf +URL: http://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source10: baselibs.conf +Source99: libvorbis.keyring Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12: vorbis-ocloexec.patch -Patch101: vorbis-CVE-2017-14160.patch -Patch102: vorbis-CVE-2018-10393.patch -Patch103: vorbis-CVE-2018-10392.patch BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig @@ -119,9 +118,6 @@ %patch1 fi %patch12 -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 %build # Fix optimization level ++++++ libvorbis-1.3.6.tar.xz -> libvorbis-1.3.7.tar.xz ++++++ ++++ 21021 lines of diff (skipped)
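Review bot: in the libvorbis.changes hunk, "Drop not longer needed patches" should read "Drop no longer needed patches". The entry for CVE-2018-10392 and CVE-2018-10393 and the entry for CVE-2017-14160 also carry the same description ("out-of-bounds read encoding very low sample rates"), so the changelog does not show which upstream fix replaces which of the three dropped patches. Please check the wording against the upstream release notes and give each CVE its own line.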
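Review bot: in the libvorbis-doc.spec hunk at @@ -23,13 +23,15 @@, Source1 (the .asc signature) and Source99 (libvorbis.keyring) are added, but none of the shown hunks adds a step that checks the tarball against them. The only %prep change visible in this commit removes the three %patch lines. If "Add source verification" relies on a check done outside the spec, please confirm it also runs for this spec, whose Name is libvorbis-doc while the keyring is named libvorbis.keyring. Otherwise add an explicit verification step to %prep in both spec files. The keyring contents are not part of the shown diff, so the changes entry should also say where the key was obtained and which fingerprint was checked.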
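Review bot: in the libvorbis.spec hunk at @@ -12,25 +12,24 @@, the renamed tag still points at plain HTTP ("+URL: http://www.vorbis.com/"), while the same line in libvorbis-doc.spec was switched to https://www.vorbis.com/. Please use the HTTPS URL in both spec files. As a minor style point in the same hunk, Source uses %{name}-%{version}.tar.xz but the new Source1 spells out libvorbis-%{version}.tar.xz.asc. Using %{name} in Source1 keeps the tarball and its signature visibly paired.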
