Nam Nguyen: > Here is an update to flac 1.3.4, released on 20 Feb 2022. It comes with > security fixes.
> This update: > - removes upstreamed bitreader.c patch > - updates cpu.c ppc patch I have a different version of that patch that minimizes the changes. > - bumps library majors > > This commit adds -fvisibility=hidden for clang, which explains this > change, despite upstream reporting "Interface changes: ... (none)." Well, that poses a problem. If we bump the library majors, we can't commit this to -stable. Indeed I don't see any interface changes, except for the removal of a _lot_ of symbols that weren't intended as part of the API before. So our unsatisfactory choices are: (1) Bump, no backport to -stable. (2) No bump, in violation of our API policy. (3) No bump and remove -fvisibility to retain the old symbols. Suggestions?
Index: Makefile
===================================================================
RCS file: /cvs/ports/audio/flac/Makefile,v
retrieving revision 1.62
diff -u -p -r1.62 Makefile
--- Makefile 8 May 2021 15:19:22 -0000 1.62
+++ Makefile 24 Feb 2022 17:38:27 -0000
@@ -2,8 +2,7 @@
 COMMENT= free lossless audio codec
-DISTNAME= flac-1.3.3
-REVISION= 0
+DISTNAME= flac-1.3.4
 CATEGORIES= audio archivers
 HOMEPAGE= https://www.xiph.org/flac/
 SHARED_LIBS += FLAC 11.0 # 11.0
Index: distinfo
===================================================================
RCS file: /cvs/ports/audio/flac/distinfo,v
retrieving revision 1.13
diff -u -p -r1.13 distinfo
--- distinfo 12 Aug 2019 21:47:23 -0000 1.13
+++ distinfo 24 Feb 2022 17:38:27 -0000
@@ -1,2 +1,2 @@
-SHA256 (flac-1.3.3.tar.xz) = IT6CvXFsnebbL5i8rbxMJMfi7+jHWTmhqE4oU5xOF0g=
-SIZE (flac-1.3.3.tar.xz) = 1044472
+SHA256 (flac-1.3.4.tar.xz) = j/BgfnWjIt181uxI9PIlRxQEricw0OqUUSexNVFV5zc=
+SIZE (flac-1.3.4.tar.xz) = 1038356
Index: patches/patch-src_libFLAC_bitreader_c
===================================================================
RCS file: patches/patch-src_libFLAC_bitreader_c
diff -N patches/patch-src_libFLAC_bitreader_c
--- patches/patch-src_libFLAC_bitreader_c 8 May 2021 15:19:22 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-$OpenBSD: patch-src_libFLAC_bitreader_c,v 1.1 2021/05/08 15:19:22 naddy Exp $
-
-CVE-2020-0499: Fix out-of-bounds read
-https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4
-
-Index: src/libFLAC/bitreader.c
---- src/libFLAC/bitreader.c.orig
-+++ src/libFLAC/bitreader.c
-@@ -864,7 +864,7 @@ incomplete_lsbs:
- cwords = br->consumed_words;
- words = br->words;
- ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
-- b = br->buffer[cwords] << br->consumed_bits;
-+ b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
- } while(cwords >= words && val < end);
- }
-
Index: patches/patch-src_libFLAC_cpu_c
===================================================================
RCS file: /cvs/ports/audio/flac/patches/patch-src_libFLAC_cpu_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_libFLAC_cpu_c
--- patches/patch-src_libFLAC_cpu_c 15 Aug 2019 18:22:34 -0000 1.3
+++ patches/patch-src_libFLAC_cpu_c 24 Feb 2022 17:38:27 -0000
@@ -1,43 +1,16 @@
 $OpenBSD: patch-src_libFLAC_cpu_c,v 1.3 2019/08/15 18:22:34 cwen Exp $
-Remove getauxval(3) code for ppc because we don't implement this
+No support for reading PPC hwcaps on OpenBSD.
 Index: src/libFLAC/cpu.c
 --- src/libFLAC/cpu.c.orig
 +++ src/libFLAC/cpu.c
-@@ -53,10 +53,6 @@
- #define dfprintf(file, format, ...)
- #endif
-
--#if defined FLAC__CPU_PPC
--#include <sys/auxv.h>
--#endif
--
- #if (defined FLAC__CPU_IA32 || defined FLAC__CPU_X86_64) && (defined FLAC__HAS_NASM || FLAC__HAS_X86INTRIN) && !defined FLAC__NO_ASM
-
- /* these are flags in EDX of CPUID AX=00000001 */
-@@ -236,24 +232,8 @@ x86_cpu_info (FLAC__CPUInfo *info)
- static void
- ppc_cpu_info (FLAC__CPUInfo *info)
- {
--#if defined FLAC__CPU_PPC
--#ifndef PPC_FEATURE2_ARCH_3_00
--#define PPC_FEATURE2_ARCH_3_00 0x00800000
--#endif
--
--#ifndef PPC_FEATURE2_ARCH_2_07
--#define PPC_FEATURE2_ARCH_2_07 0x80000000
--#endif
--
-- if (getauxval(AT_HWCAP2) & PPC_FEATURE2_ARCH_3_00) {
-- info->ppc.arch_3_00 = true;
-- } else if (getauxval(AT_HWCAP2) & PPC_FEATURE2_ARCH_2_07) {
-- info->ppc.arch_2_07 = true;
-- }
--#else
+@@ -262,7 +262,7 @@ ppc_cpu_info (FLAC__CPUInfo *info)
+ } else if (hwcaps & PPC_FEATURE2_ARCH_2_07) {
+ info->ppc.arch_2_07 = true;
+ }
+-#elif defined(__APPLE__)
++#elif defined(__APPLE__) || defined(__OpenBSD__)
+ /* no Mac OS X version supports CPU with Power AVI v2.07 or better */
 info->ppc.arch_2_07 = false;
 info->ppc.arch_3_00 = false;
--#endif
- }
-
- void FLAC__cpu_info (FLAC__CPUInfo *info)

-- Christian "naddy" Weisgerber [email protected]
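Review bot: The comment kept as context under the widened `#elif defined(__APPLE__) || defined(__OpenBSD__)` still gives the Mac OS X reason, which does not describe the OpenBSD case; per the patch header, the flags are cleared there only because the hwcaps cannot be read. To keep the patch minimal I would leave the upstream comment untouched and make the header say what the branch does, e.g. `No support for reading PPC hwcaps on OpenBSD; report arch_2_07/arch_3_00 as unsupported.` The fallback is reached only if the earlier `#if` arms of ppc_cpu_info, which begin outside this hunk, do not match on OpenBSD. A test build on the PowerPC ports should confirm that the arm computing `hwcaps` is not selected there.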
