Hello community,
here is the log from the commit of package libmms.2762 for openSUSE:12.3:Update
checked in at 2014-05-02 13:54:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libmms.2762 (Old)
and /work/SRC/openSUSE:12.3:Update/.libmms.2762.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libmms.2762"
Changes:
--------
New Changes file:
--- /dev/null 2014-04-28 00:21:37.460033756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.libmms.2762.new/libmms.changes
2014-05-02 13:54:15.000000000 +0200
@@ -0,0 +1,41 @@
+-------------------------------------------------------------------
+Wed Apr 23 19:15:17 CEST 2014 - sbra...@suse.cz
+
+- Fix a possible heap memory overrun
+ (CVE-2014-2892.patch, CVE-2014-2892, bnc#874723).
+
+-------------------------------------------------------------------
+Thu Nov 22 18:40:37 UTC 2012 - crrodrig...@opensuse.org
+
+- libmms-pkgconfig.patch: DO not inject bogus build
+ dependencies via pkgconfig files, in this case glib2 which
+ will pull pcre and so on...
+
+-------------------------------------------------------------------
+Mon Mar 5 14:00:05 UTC 2012 - toddrme2...@gmail.com
+
+- Added 32bit-compatibility package, needed by
+ gstreamer-0_10-plugins-bad-32bit
+
+-------------------------------------------------------------------
+Tue Sep 20 10:02:16 UTC 2011 - toddrme2...@gmail.com
+
+- Changed one remaining case of %{name}0 to %{name}%{soname}
+- Removed some extraneous spaces
+
+-------------------------------------------------------------------
+Fri Sep 16 10:01:18 UTC 2011 - toddrme2...@gmail.com
+
+- Added xine mailing list discussions about LGPL relicensing of
+ xine code
+- Added note in spec file about LGPL relicensing of xine code
+
+-------------------------------------------------------------------
+Thu Aug 4 15:21:22 UTC 2011 - toddrme2...@gmail.com
+
+- Switch to stored tarball rather that using the download service
+
+-------------------------------------------------------------------
+Sun Jan 23 13:43:16 UTC 2011 - reddw...@opensuse.org
+
+- Update to 0.6.2
New:
----
CVE-2014-2892.patch
baselibs.conf
libmms-0.6.2.tar.bz2
libmms-pkgconfig.patch
libmms-relicensing-1.txt
libmms-relicensing-2.txt
libmms.changes
libmms.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libmms.spec ++++++
#
# spec file for package libmms
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define soname 0
Name: libmms
Version: 0.6.2
Release: 0
# NOTE: there are files from the xine project with GPL headers in the source,
# but these were re-licensed to LGPLv2+ with the explicit permission of all
# contributors.
# Please see the README.LICENSE file and the xine mailing list discussions in
# libmms-relicensing-1.txt and libmms-relicensing-2.txt
Summary: MMS stream protocol library
License: LGPL-2.1+
Group: System/Libraries
Url: http://www.sf.net/projects/%{name}
Source0: %{name}-%{version}.tar.bz2
Source1: libmms-relicensing-1.txt
Source2: libmms-relicensing-2.txt
Source3: baselibs.conf
BuildRequires: pkg-config
BuildRequires: pkgconfig(glib-2.0)
Patch0: libmms-pkgconfig.patch
# PATCH-FIX-SECURITY CVE-2014-2892.patch sbra...@suse.cz bnc874723 -- Fix a
possible heap memory overrun (CVE-2014-2892).
Patch1: CVE-2014-2892.patch
%description
LibMMS is a common library for parsing mms:// and mmsh:// type network streams.
These are commonly used to stream Windows Media Video content over the web.
LibMMS itself is only for receiving MMS stream, it doesn't handle sending at
all.
%package -n %{name}%{soname}
Summary: MMS stream protocol library
Group: System/Libraries
%description -n %{name}%{soname}
LibMMS is a common library for parsing mms:// and mmsh:// type network streams.
These are commonly used to stream Windows Media Video content over the web.
LibMMS itself is only for receiving MMS stream, it doesn't handle sending at
all.
%package -n %{name}-devel
Summary: Libmms development files
Group: Development/Libraries/C and C++
Requires: %{name}%{soname} = %{version}
Requires: glibc-devel
%description -n %{name}-devel
Headers and libraries to program against %{name}
%prep
%setup -q
%patch0
%patch1 -p1
%build
%configure --disable-static
%{__make} %{?_smp_mflags}
%install
%make_install
%{__rm} -f '%{buildroot}%{_libdir}/%{name}.la'
install -d -m 755 %{buildroot}%{_docdir}/%{name}%{soname}
install -m 644 %{SOURCE1} %{buildroot}%{_docdir}/%{name}%{soname}
install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}%{soname}
%post -n %{name}%{soname} -p /sbin/ldconfig
%postun -n %{name}%{soname} -p /sbin/ldconfig
%files -n %{name}%{soname}
%defattr(0644, root, root, 0755)
%doc AUTHORS ChangeLog COPYING.LIB README README.LICENSE
%{_libdir}/%{name}.so.%{soname}*
%files -n %{name}-devel
%defattr(0644, root, root, 0755)
%{_libdir}/%{name}.so
%{_includedir}/%{name}
%{_libdir}/pkgconfig/%{name}.pc
%changelog
++++++ CVE-2014-2892.patch ++++++
commit 03bcfccc22919c72742b7338d02859962861e0e8
Author: blutomat <bluto...@gmail.com>
Date: Tue Apr 8 21:06:24 2014 -0600
Fix a possible heap memory overrun in get_answer().
Reported by Alex Chapman <acct...@users.sf.net>.
diff --git a/src/mmsh.c b/src/mmsh.c
old mode 100644
new mode 100755
index a0928db..a019f05
--- a/src/mmsh.c
+++ b/src/mmsh.c
@@ -310,7 +310,10 @@ static int get_answer (mms_io_t *io, mmsh_t *this) {
len = 0;
}
} else {
- len ++;
+ if (++len >= sizeof(this->buf)) {
+ lprintf("answer too large\n");
+ return 0;
+ }
}
}
if (this->stream_type == MMSH_UNKNOWN) {
++++++ baselibs.conf ++++++
libmms0
++++++ libmms-pkgconfig.patch ++++++
--- pkgconfig/libmms.pc.in.orig
+++ pkgconfig/libmms.pc.in
@@ -5,7 +5,8 @@ includedir=@includedir@/
Name: libmms
Description: Library implementing the MMS protocol
-Requires: glib-2.0
+# glib usage is private only for static linking
+#Requires.private: glib-2.0
Version: @VERSION@
Libs: -L${libdir} -lmms -lm
Cflags: -I${includedir}
++++++ libmms-relicensing-1.txt ++++++
from http://sourceforge.net/mailarchive/message.php?msg_id=15504496
[xine-devel] Library for mms protocol support
From: Mathrick <mnews2@wp...> - 2003-12-26 21:04
This was already sent once, but got swallowed waiting for moderator's approval:
(CC'ing gstreamer-devel)
Hi guys,
I want to propose development of library for mms protocol support. Right
now, each and every project that wants to support mms is required to
implement all of SDP specs itself, due to lack of common library for
that. To remedy that, I'd like to start project aimed at providing such
a library. The benefits are as usual from using lib:
- no code duplication
- larger userbase, more extensive testing
- possible larger developer base
- better feature parity between projects
- single fix benefits all users
etc.
Availability of such library would also benefit other projects, that may
want to support mms, but cannot currently afford developing yet another
proprietary implementation, like GStreamer or GnomeVFS, and possibly
others.
Technically, such a lib would be required to have been LGPL'd, because
both GStreamer and Gnome projects are LGPL.
It would be the coolest to turn existing xine implementation into
library, as it is pretty good one, and also largely independent from
xine itself, but I'm aware of your code being GPL, and that you may not
want or be able to relicense it as LGPL. Thus, just your cooperation and
support will be of great value.
I'd like to discuss available possibilities for few days, and then open
SF project in about a week or two. Unfortunately, I have finals coming
in late January, that may severly limit amount of my free time, but I'll
do my best. I look forward to your comments.
Cheers,
Maciej
--
"Tautologizm to coś tautologicznego"
Maciej Katafiasz <mnews2@...>
http://mathrick.blog.pl
Re: [xine-devel] Library for mms protocol support
From: Michael Roitzsch <mroi@us...> - 2003-12-27 11:25
Hi,
> Hi guys,
> I want to propose development of library for mms protocol support.
> Right now, each and every project that wants to support mms is
> required to implement all of SDP specs itself, due to lack of common
> library for that. To remedy that, I'd like to start project aimed at
> providing such a library. The benefits are as usual from using lib:
>
> - no code duplication
> - larger userbase, more extensive testing
> - possible larger developer base
> - better feature parity between projects
> - single fix benefits all users
> etc.
>
> Availability of such library would also benefit other projects, that
> may want to support mms, but cannot currently afford developing yet
> another proprietary implementation, like GStreamer or GnomeVFS, and
> possibly others.
Sounds like a good idea to me.
> Technically, such a lib would be required to have been LGPL'd,
> because both GStreamer and Gnome projects are LGPL.
> It would be the coolest to turn existing xine implementation into
> library, as it is pretty good one, and also largely independent from
> xine itself, but I'm aware of your code being GPL, and that you may
> not want or be able to relicense it as LGPL. Thus, just your
> cooperation and support will be of great value.
I guess you would have to write all people who committed changes to
input_mms.c and ask for their permission. Fortunately, these are not
too many.
Michael
--
Zero Administration: There is nothing you can do to fix it.
Re: [xine-devel] Library for mms protocol support
From: Mathrick <mnews2@wp...> - 2003-12-27 19:38
W liście z sob, 27-12-2003, godz. 12:24, Michael Roitzsch pisze:
> >
> > Availability of such library would also benefit other projects, that
> > may want to support mms, but cannot currently afford developing yet
> > another proprietary implementation, like GStreamer or GnomeVFS, and
> > possibly others.
>
> Sounds like a good idea to me.
Nice to hear :)
> > Technically, such a lib would be required to have been LGPL'd,
> > because both GStreamer and Gnome projects are LGPL.
> > It would be the coolest to turn existing xine implementation into
> > library, as it is pretty good one, and also largely independent from
> > xine itself, but I'm aware of your code being GPL, and that you may
> > not want or be able to relicense it as LGPL. Thus, just your
> > cooperation and support will be of great value.
>
> I guess you would have to write all people who committed changes to
> input_mms.c and ask for their permission. Fortunately, these are not
> too many.
OK, but copyright info contains "xine project" only. Will webcvs be
enough to get all the contributors?
Maciej
--
"Tautologizm to coś tautologicznego"
Maciej Katafiasz <mnews2@...>
http://mathrick.blog.pl
Re: [xine-devel] Library for mms protocol support
From: Miguel Freitas <miguel@ce...> - 2003-12-28 05:13
On Sat, 2003-12-27 at 14:17, Mathrick wrote:
> OK, but copyright info contains "xine project" only. Will webcvs be
> enough to get all the contributors?
you might need to ask "Major MMS" too ;-)
regards,
Miguel
Re: [xine-devel] Library for mms protocol support
From: Mathrick <mnews2@wp...> - 2003-12-28 11:12
W liście z nie, 28-12-2003, godz. 04:49, Miguel Freitas pisze:
> On Sat, 2003-12-27 at 14:17, Mathrick wrote:
> > OK, but copyright info contains "xine project" only. Will webcvs be
> > enough to get all the contributors?
>
> you might need to ask "Major MMS" too ;-)
Heh, is there any way to contact him? He seems to be some sort of
nameless hero, and that may complicate matters.
I will send mails asking about relicensing to everyone found on CVS log,
and also to the list, in case they don't read their sf mail accounts :).
--
"Tautologizm to coś tautologicznego"
Maciej Katafiasz <mnews2@...>
http://mathrick.blog.pl
Re: [gst-devel] Re: [xine-devel] Library for mms protocol support
From: Mathrick <mnews2@wp...> - 2003-12-28 11:43
W liście z nie, 28-12-2003, godz. 12:12, Mathrick pisze:
> W liście z nie, 28-12-2003, godz. 04:49, Miguel Freitas pisze:
> > On Sat, 2003-12-27 at 14:17, Mathrick wrote:
> > > OK, but copyright info contains "xine project" only. Will webcvs be
> > > enough to get all the contributors?
> >
> > you might need to ask "Major MMS" too ;-)
>
> Heh, is there any way to contact him? He seems to be some sort of
> nameless hero, and that may complicate matters.
>
> I will send mails asking about relicensing to everyone found on CVS log,
> and also to the list, in case they don't read their sf mail accounts :).
Sent mail asking for relicensing to the following people:
Bastien Nocera
Daniel Caujolle-Bert
Ewald Snel
Guenter Bartsch
James Courtier-Dutton
Michael Roitzsch
Miguel Freitas
Siggi Langauf
Stephen Torri
Thibaut Mattern
In case I missed anybody, or it wasn't delivered properly, please inform
me of that.
Maciej
--
"Tautologizm to coś tautologicznego"
Maciej Katafiasz <mnews2@...>
http://mathrick.blog.pl
++++++ libmms-relicensing-2.txt ++++++
from http://sourceforge.net/mailarchive/message.php?msg_id=15505755
[xine-devel] LibMMS continued
From: Mathrick <mnews2@wp...> - 2004-02-18 13:06
OK, now that libmms has been finally started, there are some things that
still need to be resolved. There were few people I haven't been able to
contact, namely:
Stephen Torri
Robin Kay
I'll be grateful if someone could give me working way of contacting
them, I hope this list will be enough :) (Robin's mailbox doesn't seem
to like either my ISP or Sourceforge alias, accusing them of spamming
incidents).
All others I asked agreed for relicensing (thanks guys! :D).
Now, for current issues:
We're currently cleaning source up to make it independent of xine-lib,
however mms.c includes demuxers/asfheader.h for some needed ASF defines.
My question is: is it okay for us to just copy it over under LGPL and
change accordingly? Most of it is taken almost verbatim from specs
anyway, I'm just not particularly fond of redoing all that work,
byteswapping macros were already stupid enough ;).
That's all for now, I will ask more if need arises.
Cheers,
Maciej
--
"Tautologizm to coś tautologicznego"
Maciej Katafiasz <mnews2@...>
http://mathrick.blog.pl
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
