Hello community,

here is the log from the commit of package libmms.2762 for openSUSE:12.3:Update checked in at 2014-05-02 13:54:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libmms.2762 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.libmms.2762.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libmms.2762" Changes: -------- New Changes file: --- /dev/null 2014-04-28 00:21:37.460033756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.libmms.2762.new/libmms.changes 2014-05-02 13:54:15.000000000 +0200 
@@ -0,0 +1,41 @@ +------------------------------------------------------------------- +Wed Apr 23 19:15:17 CEST 2014 - sbra...@suse.cz + +- Fix a possible heap memory overrun + (CVE-2014-2892.patch, CVE-2014-2892, bnc#874723). + +------------------------------------------------------------------- +Thu Nov 22 18:40:37 UTC 2012 - crrodrig...@opensuse.org + +- libmms-pkgconfig.patch: DO not inject bogus build + dependencies via pkgconfig files, in this case glib2 which + will pull pcre and so on... + +------------------------------------------------------------------- +Mon Mar 5 14:00:05 UTC 2012 - toddrme2...@gmail.com + +- Added 32bit-compatibility package, needed by + gstreamer-0_10-plugins-bad-32bit + +------------------------------------------------------------------- +Tue Sep 20 10:02:16 UTC 2011 - toddrme2...@gmail.com + +- Changed one remaining case of %{name}0 to %{name}%{soname} +- Removed some extraneous spaces + +------------------------------------------------------------------- +Fri Sep 16 10:01:18 UTC 2011 - toddrme2...@gmail.com + +- Added xine mailing list discussions about LGPL relicensing of + xine code +- Added note in spec file about LGPL relicensing of xine code + +------------------------------------------------------------------- +Thu Aug 4 15:21:22 UTC 2011 - toddrme2...@gmail.com + +- Switch to stored tarball rather that using the download service + +------------------------------------------------------------------- +Sun Jan 23 13:43:16 UTC 2011 - reddw...@opensuse.org + +- Update to 0.6.2 New: ---- CVE-2014-2892.patch baselibs.conf libmms-0.6.2.tar.bz2 libmms-pkgconfig.patch libmms-relicensing-1.txt libmms-relicensing-2.txt libmms.changes libmms.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmms.spec ++++++ # # spec file for package libmms # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. 
# # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define soname 0 Name: libmms Version: 0.6.2 Release: 0 # NOTE: there are files from the xine project with GPL headers in the source, # but these were re-licensed to LGPLv2+ with the explicit permission of all # contributors. # Please see the README.LICENSE file and the xine mailing list discussions in # libmms-relicensing-1.txt and libmms-relicensing-2.txt Summary: MMS stream protocol library License: LGPL-2.1+ Group: System/Libraries Url: http://www.sf.net/projects/%{name} Source0: %{name}-%{version}.tar.bz2 Source1: libmms-relicensing-1.txt Source2: libmms-relicensing-2.txt Source3: baselibs.conf BuildRequires: pkg-config BuildRequires: pkgconfig(glib-2.0) Patch0: libmms-pkgconfig.patch # PATCH-FIX-SECURITY CVE-2014-2892.patch sbra...@suse.cz bnc874723 -- Fix a possible heap memory overrun (CVE-2014-2892). Patch1: CVE-2014-2892.patch %description LibMMS is a common library for parsing mms:// and mmsh:// type network streams. These are commonly used to stream Windows Media Video content over the web. LibMMS itself is only for receiving MMS stream, it doesn't handle sending at all. %package -n %{name}%{soname} Summary: MMS stream protocol library Group: System/Libraries %description -n %{name}%{soname} LibMMS is a common library for parsing mms:// and mmsh:// type network streams. 
These are commonly used to stream Windows Media Video content over the web. LibMMS itself is only for receiving MMS stream, it doesn't handle sending at all. %package -n %{name}-devel Summary: Libmms development files Group: Development/Libraries/C and C++ Requires: %{name}%{soname} = %{version} Requires: glibc-devel %description -n %{name}-devel Headers and libraries to program against %{name} %prep %setup -q %patch0 %patch1 -p1 %build %configure --disable-static %{__make} %{?_smp_mflags} %install %make_install %{__rm} -f '%{buildroot}%{_libdir}/%{name}.la' install -d -m 755 %{buildroot}%{_docdir}/%{name}%{soname} install -m 644 %{SOURCE1} %{buildroot}%{_docdir}/%{name}%{soname} install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}%{soname} %post -n %{name}%{soname} -p /sbin/ldconfig %postun -n %{name}%{soname} -p /sbin/ldconfig %files -n %{name}%{soname} %defattr(0644, root, root, 0755) %doc AUTHORS ChangeLog COPYING.LIB README README.LICENSE %{_libdir}/%{name}.so.%{soname}* %files -n %{name}-devel %defattr(0644, root, root, 0755) %{_libdir}/%{name}.so %{_includedir}/%{name} %{_libdir}/pkgconfig/%{name}.pc %changelog ++++++ CVE-2014-2892.patch ++++++ commit 03bcfccc22919c72742b7338d02859962861e0e8 Author: blutomat <bluto...@gmail.com> Date: Tue Apr 8 21:06:24 2014 -0600 Fix a possible heap memory overrun in get_answer(). Reported by Alex Chapman <acct...@users.sf.net>. diff --git a/src/mmsh.c b/src/mmsh.c old mode 100644 new mode 100755 index a0928db..a019f05 --- a/src/mmsh.c +++ b/src/mmsh.c @@ -310,7 +310,10 @@ static int get_answer (mms_io_t *io, mmsh_t *this) { len = 0; } } else { - len ++; + if (++len >= sizeof(this->buf)) { + lprintf("answer too large\n"); + return 0; + } } } if (this->stream_type == MMSH_UNKNOWN) { ++++++ baselibs.conf ++++++ libmms0 ++++++ libmms-pkgconfig.patch ++++++ --- pkgconfig/libmms.pc.in.orig +++ pkgconfig/libmms.pc.in 
@@ -5,7 +5,8 @@ includedir=@includedir@/ Name: libmms Description: Library implementing the MMS protocol -Requires: glib-2.0 +# glib usage is private only for static linking +#Requires.private: glib-2.0 Version: @VERSION@ Libs: -L${libdir} -lmms -lm Cflags: -I${includedir} ++++++ libmms-relicensing-1.txt ++++++ from http://sourceforge.net/mailarchive/message.php?msg_id=15504496 [xine-devel] Library for mms protocol support 
From: Mathrick <mnews2@wp...> - 2003-12-26 21:04 This was already sent once, but got swallowed waiting for moderator's approval: (CC'ing gstreamer-devel) Hi guys, I want to propose development of library for mms protocol support. Right now, each and every project that wants to support mms is required to implement all of SDP specs itself, due to lack of common library for that. To remedy that, I'd like to start project aimed at providing such a library. The benefits are as usual from using lib: - no code duplication - larger userbase, more extensive testing - possible larger developer base - better feature parity between projects - single fix benefits all users etc. Availability of such library would also benefit other projects, that may want to support mms, but cannot currently afford developing yet another proprietary implementation, like GStreamer or GnomeVFS, and possibly others. Technically, such a lib would be required to have been LGPL'd, because both GStreamer and Gnome projects are LGPL. It would be the coolest to turn existing xine implementation into library, as it is pretty good one, and also largely independent from xine itself, but I'm aware of your code being GPL, and that you may not want or be able to relicense it as LGPL. Thus, just your cooperation and support will be of great value. I'd like to discuss available possibilities for few days, and then open SF project in about a week or two. Unfortunately, I have finals coming in late January, that may severly limit amount of my free time, but I'll do my best. I look forward to your comments. Cheers, Maciej -- "Tautologizm to coś tautologicznego" Maciej Katafiasz <mnews2@...> http://mathrick.blog.pl Re: [xine-devel] Library for mms protocol support 
From: Michael Roitzsch <mroi@us...> - 2003-12-27 11:25 Hi, > Hi guys, > I want to propose development of library for mms protocol support. > Right now, each and every project that wants to support mms is > required to implement all of SDP specs itself, due to lack of common > library for that. To remedy that, I'd like to start project aimed at > providing such a library. The benefits are as usual from using lib: > > - no code duplication > - larger userbase, more extensive testing > - possible larger developer base > - better feature parity between projects > - single fix benefits all users > etc. > > Availability of such library would also benefit other projects, that > may want to support mms, but cannot currently afford developing yet > another proprietary implementation, like GStreamer or GnomeVFS, and > possibly others. Sounds like a good idea to me. > Technically, such a lib would be required to have been LGPL'd, > because both GStreamer and Gnome projects are LGPL. > It would be the coolest to turn existing xine implementation into > library, as it is pretty good one, and also largely independent from > xine itself, but I'm aware of your code being GPL, and that you may > not want or be able to relicense it as LGPL. Thus, just your > cooperation and support will be of great value. I guess you would have to write all people who committed changes to input_mms.c and ask for their permission. Fortunately, these are not too many. Michael -- Zero Administration: There is nothing you can do to fix it. Re: [xine-devel] Library for mms protocol support 
From: Mathrick <mnews2@wp...> - 2003-12-27 19:38 W liście z sob, 27-12-2003, godz. 12:24, Michael Roitzsch pisze: > > > > Availability of such library would also benefit other projects, that > > may want to support mms, but cannot currently afford developing yet > > another proprietary implementation, like GStreamer or GnomeVFS, and > > possibly others. > > Sounds like a good idea to me. Nice to hear :) > > Technically, such a lib would be required to have been LGPL'd, > > because both GStreamer and Gnome projects are LGPL. > > It would be the coolest to turn existing xine implementation into > > library, as it is pretty good one, and also largely independent from > > xine itself, but I'm aware of your code being GPL, and that you may > > not want or be able to relicense it as LGPL. Thus, just your > > cooperation and support will be of great value. > > I guess you would have to write all people who committed changes to > input_mms.c and ask for their permission. Fortunately, these are not > too many. OK, but copyright info contains "xine project" only. Will webcvs be enough to get all the contributors? Maciej -- "Tautologizm to coś tautologicznego" Maciej Katafiasz <mnews2@...> http://mathrick.blog.pl Re: [xine-devel] Library for mms protocol support From: Miguel Freitas <miguel@ce...> - 2003-12-28 05:13 On Sat, 2003-12-27 at 14:17, Mathrick wrote: > OK, but copyright info contains "xine project" only. Will webcvs be > enough to get all the contributors? you might need to ask "Major MMS" too ;-) regards, Miguel Re: [xine-devel] Library for mms protocol support 
From: Mathrick <mnews2@wp...> - 2003-12-28 11:12 W liście z nie, 28-12-2003, godz. 04:49, Miguel Freitas pisze: > On Sat, 2003-12-27 at 14:17, Mathrick wrote: > > OK, but copyright info contains "xine project" only. Will webcvs be > > enough to get all the contributors? > > you might need to ask "Major MMS" too ;-) Heh, is there any way to contact him? He seems to be some sort of nameless hero, and that may complicate matters. I will send mails asking about relicensing to everyone found on CVS log, and also to the list, in case they don't read their sf mail accounts :). -- "Tautologizm to coś tautologicznego" Maciej Katafiasz <mnews2@...> http://mathrick.blog.pl Re: [gst-devel] Re: [xine-devel] Library for mms protocol support From: Mathrick <mnews2@wp...> - 2003-12-28 11:43 W liście z nie, 28-12-2003, godz. 12:12, Mathrick pisze: > W liście z nie, 28-12-2003, godz. 04:49, Miguel Freitas pisze: > > On Sat, 2003-12-27 at 14:17, Mathrick wrote: > > > OK, but copyright info contains "xine project" only. Will webcvs be > > > enough to get all the contributors? > > > > you might need to ask "Major MMS" too ;-) > > Heh, is there any way to contact him? He seems to be some sort of > nameless hero, and that may complicate matters. > > I will send mails asking about relicensing to everyone found on CVS log, > and also to the list, in case they don't read their sf mail accounts :). Sent mail asking for relicensing to the following people: Bastien Nocera Daniel Caujolle-Bert Ewald Snel Guenter Bartsch James Courtier-Dutton Michael Roitzsch Miguel Freitas Siggi Langauf Stephen Torri Thibaut Mattern In case I missed anybody, or it wasn't delivered properly, please inform me of that. Maciej -- "Tautologizm to coś tautologicznego" Maciej Katafiasz <mnews2@...> http://mathrick.blog.pl ++++++ libmms-relicensing-2.txt ++++++ from http://sourceforge.net/mailarchive/message.php?msg_id=15505755 [xine-devel] LibMMS continued 
From: Mathrick <mnews2@wp...> - 2004-02-18 13:06 OK, now that libmms has been finally started, there are some things that still need to be resolved. There were few people I haven't been able to contact, namely: Stephen Torri Robin Kay I'll be grateful if someone could give me working way of contacting them, I hope this list will be enough :) (Robin's mailbox doesn't seem to like either my ISP or Sourceforge alias, accusing them of spamming incidents). All others I asked agreed for relicensing (thanks guys! :D). Now, for current issues: We're currently cleaning source up to make it independent of xine-lib, however mms.c includes demuxers/asfheader.h for some needed ASF defines. My question is: is it okay for us to just copy it over under LGPL and change accordingly? Most of it is taken almost verbatim from specs anyway, I'm just not particularly fond of redoing all that work, byteswapping macros were already stupid enough ;). That's all for now, I will ask more if need arises. Cheers, Maciej -- "Tautologizm to coś tautologicznego" Maciej Katafiasz <mnews2@...> http://mathrick.blog.pl
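
Review bot: CVE-2014-2892.patch carries `old mode 100644` / `new mode 100755` in its header for src/mmsh.c, which marks a C source file executable and has nothing to do with the overrun fix in get_answer(); drop the mode change when carrying the patch. In the hunk at line 310, the bound `++len >= sizeof(this->buf)` is enforced only in the `else` branch where len is incremented, so it protects this->buf only if no other path in the function advances len or writes into the buffer without passing through it; that needs checking against the full function, since the hunk shows only the `len = 0;` reset beside it. The new failure path is `return 0;` after `lprintf("answer too large\n")`, so confirm that callers of get_answer() treat 0 as an error and abandon the connection rather than continue parsing a truncated answer.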
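
Review bot: In libmms-pkgconfig.patch the line replacing `Requires: glib-2.0` is `#Requires.private: glib-2.0`, which is commented out, so pkgconfig/libmms.pc.in ends up declaring no glib dependency at all rather than a private one. That is consistent with this package, whose spec configures with --disable-static, but the added comment `# glib usage is private only for static linking` then describes a field that is not in effect. Either remove the dead `Requires.private` line and have the comment say that glib is intentionally not exported, or enable the field if static consumers are meant to be supported. Patch0 also has no tag comment in libmms.spec, while Patch1 has its `# PATCH-FIX-SECURITY` line; add one so the purpose of the patch is recorded next to it.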