commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2020-07-14 07:43:12 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new.3060 (New) Package is "libvorbis" Tue Jul 14 07:43:12 2020 rev:52 rq:819992 version:1.3.7 Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2018-06-08 23:10:34.782649932 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new.3060/libvorbis.changes 2020-07-14 07:43:27.498718138 +0200 @@ -1,0 +2,26 @@ +Fri Jul 10 10:14:43 UTC 2020 - Martin Hauke + +- Update to version 1.3.7 + * Fix CVE-2018-10392 and CVE-2018-10393 - out-of-bounds read +encoding very low sample rates + * Fix CVE-2017-14160 - out-of-bounds read encoding very low +sample rates. + * Fix handling invalid bytes per sample arguments. + * Fix handling invalid channel count arguments. + * Fix invalid free on seek failure. + * Fix negative shift reading blocksize. + * Fix accepting unreasonable float32 values. + * Fix tag comparison depending on locale. + * Fix unnecessarily linking libm. + * Fix memory leak in test_sharedbook. + * Distribute CMake build files with the source package. + * Remove unnecessary configure --target switch. + * Add OSS-Fuzz support. + * Build system and integration updates. +- Drop not longer needed patches (fixed by upstream): + * vorbis-CVE-2017-14160.patch + * vorbis-CVE-2018-10392.patch + * vorbis-CVE-2018-10393.patch +- Add source verification + +--- Old: libvorbis-1.3.6.tar.xz vorbis-CVE-2017-14160.patch vorbis-CVE-2018-10392.patch vorbis-CVE-2018-10393.patch New: libvorbis-1.3.7.tar.xz libvorbis-1.3.7.tar.xz.asc libvorbis.keyring Other differences: -- ++ libvorbis-doc.spec ++ --- /var/tmp/diff_new_pack.lGfyrL/_old 2020-07-14 07:43:31.634731490 +0200 +++ /var/tmp/diff_new_pack.lGfyrL/_new 2020-07-14 07:43:31.638731503 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libvorbis-doc # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -23,13 +23,15 @@ %endif Name: libvorbis-doc -Version:1.3.6 +Version:1.3.7 Release:0 Summary:Documentation of Ogg/Vorbis library License:BSD-3-Clause Group: Documentation/Other -Url:http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +URL:https://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source99: libvorbis.keyring Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12:vorbis-ocloexec.patch ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.lGfyrL/_old 2020-07-14 07:43:31.662731581 +0200 +++ /var/tmp/diff_new_pack.lGfyrL/_new 2020-07-14 07:43:31.666731593 +0200 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: libvorbis -Version:1.3.6 +Version:1.3.7 Release:0 Summary:The Vorbis General Audio Compression Codec License:BSD-3-Clause Group: System/Libraries -Url:http://www.vorbis.com/ -Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz -Source1:baselibs.conf +URL:http://www.vorbis.com/ +Source: https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz +Source1: https://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz.asc +Source10: baselibs.conf +Source99:
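Review bot: libvorbis.spec keeps a plain-http address in the "@@ -12,25 +12,24 @@" hunk ("+URL:http://www.vorbis.com/"), while the matching hunk in libvorbis-doc.spec switches to "+URL:https://www.vorbis.com/". Use the https form in both spec files. In the same hunk, "Source:" is written with %{name}-%{version} but the new "Source1:" signature line spells out libvorbis-%{version}; using one form for the tarball and its .asc makes it obvious that they are a pair.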
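Review bot: the changelog entry "- Add source verification" in the libvorbis.changes hunk does not say where libvorbis.keyring was obtained or which key it contains, although the signature check added through Source1/Source99 is only as trustworthy as that keyring. Record the key's origin and fingerprint in the entry so a later reviewer can confirm the keyring independently of the tarball.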
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2018-06-08 23:10:29 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is "libvorbis" Fri Jun 8 23:10:29 2018 rev:51 rq:614217 version:1.3.6 Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2018-05-06 15:00:58.138126005 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2018-06-08 23:10:34.782649932 +0200 @@ -1,0 +2,9 @@ +Tue Jun 5 11:37:54 CEST 2018 - ti...@suse.de + +- Replace vorbis-CVE-2017-14160.patch with the upstream fix + (commit 018ca26dece6), refresh vorbis-CVE-2018-10393.patch +- Fix the validation of channels in mapping0_forward() + (CVE-2018-10392, bsc#1091070): + vorbis-CVE-2018-10392.patch + +--- New: vorbis-CVE-2018-10392.patch Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.O8D1I0/_old 2018-06-08 23:10:38.182527176 +0200 +++ /var/tmp/diff_new_pack.O8D1I0/_new 2018-06-08 23:10:38.206526310 +0200 @@ -30,6 +30,7 @@ Patch12:vorbis-ocloexec.patch Patch101: vorbis-CVE-2017-14160.patch Patch102: vorbis-CVE-2018-10393.patch +Patch103: vorbis-CVE-2018-10392.patch BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig @@ -120,6 +121,7 @@ %patch12 %patch101 -p1 %patch102 -p1 +%patch103 -p1 %build # Fix optimization level ++ vorbis-CVE-2017-14160.patch ++ --- /var/tmp/diff_new_pack.O8D1I0/_old 2018-06-08 23:10:38.254524576 +0200 +++ /var/tmp/diff_new_pack.O8D1I0/_new 2018-06-08 23:10:38.254524576 +0200 
@@ -1,53 +1,27 @@ -From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001 -Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git@sigxcpu.org> -From: =?UTF-8?q?Guido=20G=C3=BCnther?= -Date: Wed, 15 Nov 2017 13:12:00 +0100 -Subject: [PATCH] CVE-2017-14160: make sure we don't overflow +From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001 +From: Thomas Daede +Date: Wed, 9 May 2018 14:56:59 -0700 +Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates. --- - lib/psy.c |9 - - 1 file changed, 4 insertions(+), 5 deletions(-) + lib/psy.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) +diff --git a/lib/psy.c b/lib/psy.c +index 422c6f1e412d..13101230ea3a 100644 --- a/lib/psy.c 
+++ b/lib/psy.c -@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,co - XY[i] = tXY; - } - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - - lo = b[i] >> 16; - if( lo>=0 ) break; -@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,co - noise[i] = R - offset; - } - -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { +@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b, + for (i = 0, x = 0.f;; i++, x += 1.f) { lo = b[i] >> 16; +-if( lo>=0 ) break; hi = b[i] & 0x; - if(hi>=n)break; -- - tN = N[hi] - N[lo]; - tX = X[hi] - X[lo]; - tXX = XX[hi] - XX[lo]; -@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,co ++if( lo>=0 ) break; ++if( hi>=n ) break; - if (fixed <= 0) return; - -- for (i = 0, x = 0.f;; i++, x += 1.f) { -+ for (i = 0, x = 0.f; i < n; i++, x += 1.f) { - hi = i + fixed / 2; - lo = hi - fixed; - if(lo>=0)break; -@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,co - - if (R - offset < noise[i]) noise[i] = R - offset; - } -- for ( ;; i++, x += 1.f) { -+ for ( ; i < n; i++, x += 1.f) { - - hi = i + fixed / 2; - lo = hi - fixed; + tN = N[hi] + N[-lo]; + tX = X[hi] - X[-lo]; +-- +2.17.0 + ++ vorbis-CVE-2018-10392.patch ++ >From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001 From: Thomas Daede Date: Thu, 17 May 2018 16:19:19 -0700 Subject: [PATCH] Sanity check number of channels in setup. Fixes #2335. --- lib/vorbisenc.c |1 + 1 file changed, 1 insertion(+) --- a/lib/vorbisenc.c +++ b/lib/vorbisenc.c 
@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info highlevel_encode_setup *hi=>hi; if(ci==NULL)return(OV_EINVAL); + if(vi->channels<1||vi->channels>255)return(OV_EINVAL); if(!hi->impulse_block_p)i0=1; /* too low/high an ATH floater is nonsensical, but doesn't break anything */ ++ vorbis-CVE-2018-10393.patch ++ --- /var/tmp/diff_new_pack.O8D1I0/_old 2018-06-08 23:10:38.382519955 +0200 +++ /var/tmp/diff_new_pack.O8D1I0/_new 2018-06-08 23:10:38.386519811 +0200 @@ -1,27 +1,26 @@ --- - lib/psy.c |5
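Review bot: the replacement vorbis-CVE-2017-14160.patch bounds only hi in its "@@ -602,8 +602,9 @@" hunk of lib/psy.c ("+if( hi>=n ) break;"); the context lines right after it still index N[-lo] and X[-lo] with no check on -lo, and the loop header "for (i = 0, x = 0.f;; i++, x += 1.f)" no longer carries the "i < n" condition that the dropped downstream version had added. If the bound on lo is meant to come from vorbis-CVE-2018-10393.patch (Patch102, applied right after Patch101 in %prep), say so in the changelog entry or in a spec comment so the two patches are not separated later.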
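Review bot: the changelog describes vorbis-CVE-2018-10392.patch as fixing the validation of channels in mapping0_forward(), but the hunk adds its check, "if(vi->channels<1||vi->channels>255)return(OV_EINVAL);", to vorbis_encode_setup_init() in lib/vorbisenc.c. Reword the entry to name the function that is actually patched, and add a short note on where the 255 limit comes from, since neither the patch header nor the hunk explains it.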
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2018-05-06 15:00:56 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is "libvorbis" Sun May 6 15:00:56 2018 rev:50 rq:604034 version:1.3.6 Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2018-03-22 11:58:42.591458369 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2018-05-06 15:00:58.138126005 +0200 @@ -1,0 +2,10 @@ +Thu May 3 15:56:28 CEST 2018 - ti...@suse.de + +- Fix out-of-bounds access inside bark_noise_hybridmp function + (CVE-2017-14160, bsc#1059812): + downstream fix: vorbis-CVE-2017-14160.patch +- Fix stack-basedbuffer over-read in bark_noise_hybridm + (CVE-2018-10393, bsc#1091072): + downstream fix: vorbis-CVE-2018-10393.patch + +--- New: vorbis-CVE-2017-14160.patch vorbis-CVE-2018-10393.patch Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.bmPoSJ/_old 2018-05-06 15:00:58.934096791 +0200 +++ /var/tmp/diff_new_pack.bmPoSJ/_new 2018-05-06 15:00:58.938096644 +0200 @@ -28,6 +28,8 @@ Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12:vorbis-ocloexec.patch +Patch101: vorbis-CVE-2017-14160.patch +Patch102: vorbis-CVE-2018-10393.patch BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig @@ -116,6 +118,8 @@ %patch1 fi %patch12 +%patch101 -p1 +%patch102 -p1 %build # Fix optimization level ++ vorbis-CVE-2017-14160.patch ++ >From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001 Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git@sigxcpu.org> From: =?UTF-8?q?Guido=20G=C3=BCnther?=Date: Wed, 15 Nov 2017 13:12:00 +0100 Subject: [PATCH] CVE-2017-14160: make sure we don't overflow --- lib/psy.c |9 - 1 file changed, 4 insertions(+), 5 deletions(-) --- a/lib/psy.c +++ b/lib/psy.c 
@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,co XY[i] = tXY; } - for (i = 0, x = 0.f;; i++, x += 1.f) { + for (i = 0, x = 0.f; i < n; i++, x += 1.f) { lo = b[i] >> 16; if( lo>=0 ) break; @@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,co noise[i] = R - offset; } - for ( ;; i++, x += 1.f) { + for ( ; i < n; i++, x += 1.f) { lo = b[i] >> 16; hi = b[i] & 0x; if(hi>=n)break; - tN = N[hi] - N[lo]; tX = X[hi] - X[lo]; tXX = XX[hi] - XX[lo]; @@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,co if (fixed <= 0) return; - for (i = 0, x = 0.f;; i++, x += 1.f) { + for (i = 0, x = 0.f; i < n; i++, x += 1.f) { hi = i + fixed / 2; lo = hi - fixed; if(lo>=0)break; @@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,co if (R - offset < noise[i]) noise[i] = R - offset; } - for ( ;; i++, x += 1.f) { + for ( ; i < n; i++, x += 1.f) { hi = i + fixed / 2; lo = hi - fixed; ++ vorbis-CVE-2018-10393.patch ++ --- lib/psy.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- a/lib/psy.c +++ b/lib/psy.c @@ -604,6 +604,7 @@ static void bark_noise_hybridmp(int n,co lo = b[i] >> 16; if( lo>=0 ) break; hi = b[i] & 0x; +if( hi>=n || -lo >=n ) break; tN = N[hi] + N[-lo]; tX = X[hi] - X[-lo]; @@ -625,7 +626,7 @@ static void bark_noise_hybridmp(int n,co lo = b[i] >> 16; hi = b[i] & 0x; -if(hi>=n)break; +if( hi>=n || lo >=n ) break; tN = N[hi] - N[lo]; tX = X[hi] - X[lo]; tXX = XX[hi] - XX[lo]; @@ -654,6 +655,7 @@ static void bark_noise_hybridmp(int n,co hi = i + fixed / 2; lo = hi - fixed; if(lo>=0)break; +if( hi>=n || -lo >=n ) break; tN = N[hi] + N[-lo]; tX = X[hi] - X[-lo]; @@ -674,6 +676,7 @@ static void bark_noise_hybridmp(int n,co hi = i + fixed / 2; lo = hi - fixed; if(hi>=n)break; +if( hi>=n || lo >=n ) break; tN = N[hi] - N[lo]; tX = X[hi] - X[lo];
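Review bot: in vorbis-CVE-2018-10393.patch the last hunk ("@@ -674,6 +676,7 @@") adds "if( hi>=n || lo >=n ) break;" below the existing "if(hi>=n)break;" and leaves the old line in place, so hi>=n is tested twice; the "@@ -625,7 +626,7 @@" hunk replaces the old line instead. Replace it here as well so both loops read the same. The patch also starts directly at the diffstat with no From/Subject header or description, unlike vorbis-CVE-2017-14160.patch; add a short header naming CVE-2018-10393 and bsc#1091072.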
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2018-03-22 11:55:59 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is "libvorbis" Thu Mar 22 11:55:59 2018 rev:49 rq:588197 version:1.3.6 Changes: New Changes file: --- /dev/null 2018-03-01 08:56:54.644963210 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis-doc.changes 2018-03-22 11:58:41.983480171 +0100 @@ -0,0 +1,5 @@ +--- +Sat Mar 17 14:55:12 CET 2018 - ti...@suse.de + +- Split from libvorbis.spec to reduce the build dependencies + --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2017-12-21 11:27:32.348828337 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2018-03-22 11:58:42.591458369 +0100 
@@ -1,0 +2,36 @@ +Sat Mar 17 14:54:44 CET 2018 - ti...@suse.de + +- Split libvorbis-doc subpackage to a separate spec file for + reducing the dependencies + +--- +Fri Mar 16 22:12:35 CET 2018 - ti...@suse.de + +- Update to version 1.3.6: + * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding. + * Fix CVE-2017-14632 - free() on unitialized data + * Fix CVE-2017-14633 - out-of-bounds read + * Fix bitrate metadata parsing. + * Fix out-of-bounds read in codebook parsing. + * Fix residue vector size in Vorbis I spec. + * Appveyor support + * Travis CI support + * Add secondary CMake build system. + * Build system fixes +- Build documents with doxygen, and many tex stuff; + this requires to disable parallel builds partially +- Move COPYING to license directory +- Drop obsoleted patches: + vorbis-fix-linking.patch + 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch + 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch + libvorbis-CVE-2018-5146.patch + +--- +Fri Mar 16 20:02:45 CET 2018 - ti...@suse.de + +- Fix VUL-0: libvorbis: Out of bounds memory write while processing + Vorbis audio data (CVE-2018-5146, bsc#1085687): + libvorbis-CVE-2018-5146.patch + +--- Old: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch libvorbis-1.3.5.tar.xz vorbis-fix-linking.patch New: libvorbis-1.3.6.tar.xz libvorbis-doc.changes libvorbis-doc.spec Other differences: -- ++ libvorbis-doc.spec ++ # # spec file for package libvorbis-doc # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %if 0%{?suse_version} > 1320 %define build_docs 1 %else %define build_docs 0 %endif Name: libvorbis-doc Version:1.3.6 Release:0 Summary:Documentation of Ogg/Vorbis library License:BSD-3-Clause Group: Documentation/Other Url:http://www.vorbis.com/ Source: http://downloads.xiph.org/releases/vorbis/libvorbis-%{version}.tar.xz Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif Patch12:vorbis-ocloexec.patch BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: xz %if %build_docs BuildRequires: doxygen BuildRequires: texlive-babel-english BuildRequires: texlive-latex BuildRequires: texlive-tex4ht BuildRequires: tex(a4wide.sty) BuildRequires: tex(capt-of.sty) BuildRequires: tex(csquotes.sty) BuildRequires: tex(enumitem.sty) BuildRequires: tex(fancyvrb.sty) BuildRequires: tex(grffile.sty) BuildRequires: tex(parskip.sty) BuildRequires: tex(ulem.sty) BuildRequires: tex(underscore.sty) %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %description This package contains documents for Ogg/Vorbis library, including the API reference. %prep %setup -q -n libvorbis-%{version} %patch2 # %%patch5 -p1 if [ "%{_lib}" == "lib64" ]; then %patch1 fi %patch12
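Review bot: the new libvorbis-doc.spec is declared "BuildArch: noarch", yet its %prep still applies %patch1 (libvorbis-lib64.dif) inside the %{_lib} == lib64 conditional, so the prepared source of an architecture-independent package varies with the libdir of the build host. Drop the conditional patch from the doc spec if the documentation build does not need it. The "Source:" line also fetches from a plain http://downloads.xiph.org/ address with no signature or keyring source next to it, so the 1.3.6 tarball that carries the three CVE fixes is not verified by the spec.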
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2017-12-21 11:27:31 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is "libvorbis" Thu Dec 21 11:27:31 2017 rev:48 rq:558541 version:1.3.5 Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2016-12-02 16:38:12.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2017-12-21 11:27:32.348828337 +0100 @@ -1,0 +2,11 @@ +Tue Dec 19 14:32:18 CET 2017 - ti...@suse.de + +- Fix VUL-0: out-of-bounds array read vulnerability exists in + function mapping0_forward() (CVE-2017-14633, bsc#1059811): + 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch +- Fix VUL-0: Remote Code Execution upon freeing uninitialized + memory in function vorbis_analysis_headerout(CVE-2017-14632, + bsc#1059809): + 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch + +--- New: 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.9IaHYV/_old 2017-12-21 11:27:33.184787576 +0100 +++ /var/tmp/diff_new_pack.9IaHYV/_new 2017-12-21 11:27:33.188787381 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -32,6 +32,8 @@ # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddw...@opensuse.org -- Use Requires/Libs.private to avoid overlinking Patch11:vorbis-fix-linking.patch Patch12:vorbis-ocloexec.patch +Patch21:0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch +Patch22:0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool @@ -53,9 +55,9 @@ %package -n libvorbis0 Summary:The Vorbis General Audio Compression Codec -Group: System/Libraries # # libvorbis was last used in openSUSE 11.3 +Group: System/Libraries Provides: %{name} = 1.3.2 Obsoletes: %{name} < 1.3.2 # bug437293 (SLES10 -> SLES11 upgrade path) @@ -133,6 +135,8 @@ fi %patch11 -p1 %patch12 +%patch21 -p1 +%patch22 -p1 %build # Fix optimization level ++ 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch ++ >From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?=Date: Tue, 31 Oct 2017 18:32:46 +0100 Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels Otherwise for(i=0;ichannels;i++){ /* the encoder setup assumes that all the modes used by any specific bitrate tweaking use the same floor */ int submap=info->chmuxlist[i]; overreads later in mapping0_forward since chmuxlist is a fixed array of 256 elements max. --- lib/info.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/info.c +++ b/lib/info.c @@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp oggpack_buffer opb; private_state *b=v->backend_state; - if(!b||vi->channels<=0){ + if(!b||vi->channels<=0||vi->channels>256){ ret=OV_EFAULT; goto err_out; } ++ 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch ++ >From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Guido=20G=C3=BCnther?= Date: Wed, 15 Nov 2017 18:22:59 +0100 Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not initialized If the number of channels is not within the allowed range we call oggback_writeclear altough it's not initialized yet. This fixes =23371== Invalid free() / delete / delete[] / realloc() ==23371==at 0x4C2CE1B: free (vg_replace_malloc.c:530) ==23371==by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) ==23371==by 0x84B96EE: vorbis_analysis_headerout (info.c:652) ==23371==by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) ==23371==by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371==by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) ==23371==by 0x10D82A: open_output_file (sox.c:1556) ==23371==
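Review bot: 0001-CVE-2017-14633 adds "vi->channels>256" to the early check in vorbis_analysis_headerout(), which sends more inputs to "goto err_out" immediately after "oggpack_buffer opb;" is declared, and the description of 0002-CVE-2017-14632 states that this path calls the write-clear routine on a buffer that is not initialized yet. Patch21 should therefore never be applied or backported without Patch22; note the dependency next to the two Patch lines in the spec.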
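Review bot: the "@@ -53,9 +55,9 @@" hunk of libvorbis.spec moves "Group: System/Libraries" below the comment "# libvorbis was last used in openSUSE 11.3", which separates that comment from the Provides/Obsoletes lines it explains, and the move has nothing to do with the two CVE fixes. Leave the tag where it was, or do the reordering in a separate change.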
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2016-12-02 16:38:11 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is "libvorbis" Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2015-03-16 06:56:26.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2016-12-02 16:38:12.0 +0100 @@ -1,0 +2,5 @@ +Tue Nov 29 12:14:08 UTC 2016 - aloi...@gmx.com + +- Added 32bit libvorbis-devel in baselibs.conf + +--- Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.741UZA/_old 2016-12-02 16:38:13.0 +0100 +++ /var/tmp/diff_new_pack.741UZA/_new 2016-12-02 16:38:13.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ Group: System/Libraries Url:http://www.vorbis.com/ Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz -Source2:baselibs.conf +Source1:baselibs.conf Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif # URL http://www.geocities.jp/aoyoume/aotuv/ ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.741UZA/_old 2016-12-02 16:38:13.0 +0100 +++ /var/tmp/diff_new_pack.741UZA/_new 2016-12-02 16:38:13.0 +0100 @@ -3,3 +3,8 @@ targettype 32bit obsoletes "libvorbis- < 1.3.2" libvorbisenc2 libvorbisfile3 +libvorbis-devel +requires "libvorbis0- = " +requires "libvorbisenc2- = " +requires "libvorbisfile3- = " +
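Review bot: the libvorbis.spec hunk renumbers "Source2:baselibs.conf" to "Source1:baselibs.conf", which the changelog entry ("Added 32bit libvorbis-devel in baselibs.conf") does not mention. Add a line for the renumbering so every spec change in this submission is accounted for.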
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2015-03-16 06:56:24 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2014-08-20 17:53:50.0 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2015-03-16 06:56:26.0 +0100 @@ -1,0 +2,13 @@ +Fri Mar 6 15:23:26 UTC 2015 - mplus...@suse.com + +- Cleanup spec file with spec-cleaner +- Update to 1.3.5 + * Tolerate single-entry codebooks. + * Fix decoder crash with invalid input. + * Fix encoder crash with non-positive sample rates. + * Fix issues in vorbisfile's seek bisection code. + * Spec errata. + * Reject multiple headers of the same type. + * Various build fixes and code cleanup. + +--- Old: libvorbis-1.3.4.tar.xz New: libvorbis-1.3.5.tar.xz Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.Hy2ZjX/_old 2015-03-16 06:56:27.0 +0100 +++ /var/tmp/diff_new_pack.Hy2ZjX/_new 2015-03-16 06:56:27.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,18 +17,12 @@ Name: libvorbis -Version:1.3.4 +Version:1.3.5 Release:0 -#to_be_filled_by_service Summary:The Vorbis General Audio Compression Codec License:BSD-3-Clause Group: System/Libraries Url:http://www.vorbis.com/ -# bug437293 (SLES10 - SLES11 upgrade path) -%ifarch ppc64 -Obsoletes: libvorbis-64bit -%endif -# Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz Source2:baselibs.conf Patch1: libvorbis-lib64.dif 
@@ -44,6 +38,10 @@ BuildRequires: pkgconfig BuildRequires: xz BuildRoot: %{_tmppath}/%{name}-%{version}-build +# bug437293 (SLES10 - SLES11 upgrade path) +%ifarch ppc64 +Obsoletes: libvorbis-64bit +%endif %description Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -54,17 +52,16 @@ libmatroska (matroska) can also be used. %package -n libvorbis0 - Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -# bug437293 (SLES10 - SLES11 upgrade path) -%ifarch ppc64 -Obsoletes: libvorbis-64bit -%endif # # libvorbis was last used in openSUSE 11.3 Provides: %{name} = 1.3.2 Obsoletes: %{name} 1.3.2 +# bug437293 (SLES10 - SLES11 upgrade path) +%ifarch ppc64 +Obsoletes: libvorbis-64bit +%endif %description -n libvorbis0 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -75,7 +72,6 @@ libmatroska (matroska) can also be used. %package -n libvorbisenc2 - Summary:The Vorbis General Audio Compression Codec Group: System/Libraries @@ -88,7 +84,6 @@ libmatroska (matroska) can also be used. %package -n libvorbisfile3 - Summary:The Vorbis General Audio Compression Codec Group: System/Libraries @@ -144,21 +139,23 @@ sed -i s,-O20,-O3,g configure.ac autoreconf -fiv -%configure --disable-examples --disable-static +%configure \ + --disable-examples \ + --disable-static make %{?_smp_mflags} %install -%makeinstall +make DESTDIR=%{buildroot} install %{?_smp_mflags} mkdir -p %{buildroot}%{_docdir}/%{name} mv %{buildroot}%{_datadir}/doc/libvorbis-* %{buildroot}%{_docdir}/%{name} install -c -m 0644 doc/Vorbis_I_spec.* %{buildroot}%{_docdir}/%{name} # remove unneeded files -rm -f %{buildroot}%{_libdir}/*.la +find %{buildroot} -type f -name *.la -delete -print find %{buildroot}%{_docdir}/ -empty -delete %fdupes -s %{buildroot}%{_docdir} %check -%__make check +make %{?_smp_mflags} check %post -n libvorbis0 -p /sbin/ldconfig 
@@ -172,9 +169,6 @@ %postun -n libvorbisfile3 -p /sbin/ldconfig -%clean -[ %{buildroot} != / ] rm -rf %{buildroot} - %files -n libvorbis0 %defattr(0644,root,root,0755) %{_libdir}/libvorbis.so.0* ++ libvorbis-1.3.4.tar.xz - libvorbis-1.3.5.tar.xz ++ 41209 lines of diff (skipped) ++ vorbis-fix-linking.patch ++ --- /var/tmp/diff_new_pack.Hy2ZjX/_old 2015-03-16 06:56:28.0 +0100 +++ /var/tmp/diff_new_pack.Hy2ZjX/_new 2015-03-16 06:56:28.0 +0100 @@ -3,10 +3,10 @@ configure.ac |2 +- 2 files changed, 3
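Review bot: in the %install hunk the new "find %{buildroot} -type f -name *.la -delete -print" passes *.la unquoted, so the shell expands it first whenever a .la file exists in the directory the command runs from, and find then either matches only that one name or fails on the extra arguments. Quote the pattern (-name '*.la') so that find receives the glob itself.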
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2014-08-20 17:53:44 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2014-02-25 16:41:30.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2014-08-20 17:53:50.0 +0200 @@ -1,0 +2,5 @@ +Mon Aug 18 14:36:27 CEST 2014 - fcro...@suse.com + +- Fix obsoletes and provides in baselibs.conf. + +--- Other differences: -- ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.cpKCNb/_old 2014-08-20 17:53:51.0 +0200 +++ /var/tmp/diff_new_pack.cpKCNb/_new 2014-08-20 17:53:51.0 +0200 @@ -1,5 +1,5 @@ libvorbis0 - targettype 32bit provides libvorbis-targettype = 1.3.2 - targettype 64bit obsoletes libvorbis-targettype 1.3.2 + targettype 32bit provides libvorbis-targettype = version + targettype 32bit obsoletes libvorbis-targettype 1.3.2 libvorbisenc2 libvorbisfile3 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
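Review bot: the baselibs.conf hunk changes two things at once, the version on the provides line (from 1.3.2 to version) and the obsoletes line's "targettype 64bit" to "targettype 32bit", while the changelog only says "Fix obsoletes and provides in baselibs.conf." State what was wrong with each line, and in particular whether dropping the 64bit obsoletes is intended.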
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2014-02-25 16:41:29 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2013-04-17 23:05:13.0 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2014-02-25 16:41:30.0 +0100 @@ -1,0 +2,11 @@ +Sun Feb 23 19:43:16 UTC 2014 - andreas.stie...@gmx.de + +- Xiph libvorbis 1.3.4 + * reduced static data size in libvorbisenc + * associated minor changes required to libvorbis and libvorbisfile + * minor build fixes and build system updates + * no functional changes over the previous 1.3.3 release +- removed libvorbis-pkgconfig.patch, in upstream +- updated vorbis-fix-linking.patch for context changes + +--- Old: libvorbis-1.3.3.tar.gz libvorbis-pkgconfig.patch New: libvorbis-1.3.4.tar.xz Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.Bs1b2o/_old 2014-02-25 16:41:31.0 +0100 +++ /var/tmp/diff_new_pack.Bs1b2o/_new 2014-02-25 16:41:31.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: libvorbis -Version:1.3.3 +Version:1.3.4 Release:0 #to_be_filled_by_service Summary:The Vorbis General Audio Compression Codec 
@@ -29,20 +29,20 @@ Obsoletes: libvorbis-64bit %endif # -Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.gz +Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz Source2:baselibs.conf Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif # URL http://www.geocities.jp/aoyoume/aotuv/ # 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff' # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddw...@opensuse.org -- Use Requires/Libs.private to avoid overlinking -Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch Patch12:vorbis-ocloexec.patch BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool BuildRequires: pkgconfig +BuildRequires: xz BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -133,14 +133,11 @@ %setup -q %patch2 # %%patch5 -p1 -%patch10 if [ %{_lib} == lib64 ]; then %patch1 fi -%patch11 +%patch11 -p1 %patch12 -# automake-1.13 deprecated the old macro -sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac %build # Fix optimization level ++ vorbis-fix-linking.patch ++ --- /var/tmp/diff_new_pack.Bs1b2o/_old 2014-02-25 16:41:31.0 +0100 +++ /var/tmp/diff_new_pack.Bs1b2o/_new 2014-02-25 16:41:31.0 +0100 @@ -1,5 +1,12 @@ Makefile.am2010-12-21 17:46:03.0 +0900 -+++ Makefile.am2012-06-16 15:43:41.143756104 +0900 +--- + Makefile.am |4 ++-- + configure.ac |2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +Index: libvorbis-1.3.4/Makefile.am +=== +--- libvorbis-1.3.4.orig/Makefile.am 2014-01-22 09:53:32.0 + libvorbis-1.3.4/Makefile.am2014-02-23 19:35:36.0 + @@ -1,8 +1,8 @@ ## Process this file with automake to produce Makefile.in 
@@ -11,14 +18,16 @@ SUBDIRS = m4 include vq lib test doc if BUILD_EXAMPLES configure.ac 2012-02-04 07:00:34.0 +0900 -+++ configure.ac 2012-06-16 15:43:05.647225479 +0900 -@@ -8,7 +8,7 @@ - AC_INIT([libvorbis],[1.3.3],[vorbis-...@xiph.org]) +Index: libvorbis-1.3.4/configure.ac +=== +--- libvorbis-1.3.4.orig/configure.ac 2014-01-22 11:09:44.0 + libvorbis-1.3.4/configure.ac 2014-02-23 19:35:36.0 + +@@ -8,7 +8,7 @@ dnl + AC_INIT([libvorbis],[1.3.4],[vorbis-...@xiph.org]) AC_CONFIG_SRCDIR([lib/mdct.c]) - +AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_TARGET([]) - AM_INIT_AUTOMAKE($PACKAGE_NAME,$PACKAGE_VERSION) + AM_INIT_AUTOMAKE
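Review bot: the "@@ -29,20 +29,20 @@" hunk of libvorbis.spec removes "Patch10:libvorbis-pkgconfig.patch" but keeps the "# PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 ..." comment that stood above it, so the comment now sits directly over "Patch11:vorbis-fix-linking.patch" and reads as if it described that patch. Remove the comment together with Patch10, or replace it with one that documents vorbis-fix-linking.patch.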
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2013-04-17 23:05:11 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2013-03-04 17:28:46.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2013-04-17 23:05:13.0 +0200 @@ -1,0 +2,6 @@ +Tue Apr 16 06:46:59 UTC 2013 - mmeis...@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +--- Old: libvorbis-1.3.3.tar.bz2 New: libvorbis-1.3.3.tar.gz Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.0Irca0/_old 2013-04-17 23:05:15.0 +0200 +++ /var/tmp/diff_new_pack.0Irca0/_new 2013-04-17 23:05:15.0 +0200 @@ -29,7 +29,7 @@ Obsoletes: libvorbis-64bit %endif # -Source: %{name}-%{version}.tar.bz2 +Source: http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.gz Source2:baselibs.conf Patch1: libvorbis-lib64.dif Patch2: libvorbis-m4.dif -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
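Review bot: the new Source line in the -29,7 hunk points at a plain http URL and the tarball changes from .tar.bz2 to .tar.gz, so the archive in the package was replaced, not just annotated, and nothing in the spec lets the build service or a reviewer verify it. The changes entry says only "Added url as source"; state that the tarball was swapped for the upstream .tar.gz and confirm its checksum against the upstream release. If upstream publishes a detached signature, add it and a keyring as further Source lines so the download is verified at build time.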
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2013-03-04 17:28:45 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2012-06-25 14:23:46.0 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2013-03-04 17:28:46.0 +0100 @@ -1,0 +2,5 @@ +Sat Mar 2 12:59:01 UTC 2013 - seife+...@b1-systems.com + +- fix build with automake-1.13.1 + +--- Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.JpPIOX/_old 2013-03-04 17:28:48.0 +0100 +++ /var/tmp/diff_new_pack.JpPIOX/_new 2013-03-04 17:28:48.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -139,6 +139,8 @@ fi %patch11 %patch12 +# automake-1.13 deprecated the old macro +sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac %build # Fix optimization level -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
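Review bot: the `sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac` added in the -139,6 hunk edits the source with an unanchored pattern and exits successfully even when nothing matches, so it will silently turn into a no-op once upstream changes configure.ac. vorbis-fix-linking.patch (applied just above as `%patch11`) already modifies configure.ac; carrying the macro rename there makes a future mismatch fail loudly at `%prep` time instead of going unnoticed.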
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2012-06-25 14:18:19 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2012-02-22 11:48:29.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2012-06-25 14:23:46.0 +0200 @@ -1,0 +2,11 @@ +Wed Jun 20 15:42:24 UTC 2012 - ft...@geeko.jp + +- updated to 1.3.3 + * vorbis: additional proofing against invalid/malicious + streams in decode (see SVN for details). + * vorbis: fix a memory leak in vorbis_commentheader_out(). + * updates, corrections and clarifications in the Vorbis I + specification document + * build warning fixes + +--- Old: libvorbis-1.3.2.tar.bz2 libvorbis-CVE-2012-0444.diff New: libvorbis-1.3.3.tar.bz2 Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.53pbme/_old 2012-06-25 14:23:48.0 +0200 +++ /var/tmp/diff_new_pack.53pbme/_new 2012-06-25 14:23:48.0 +0200 @@ -17,7 +17,7 @@ Name: libvorbis -Version:1.3.2 +Version:1.3.3 Release:0 #to_be_filled_by_service Summary:The Vorbis General Audio Compression Codec @@ -39,7 +39,6 @@ Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch Patch12:vorbis-ocloexec.patch -Patch20:libvorbis-CVE-2012-0444.diff BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool @@ -104,11 +103,11 @@ %package devel Summary:Include Files and Libraries mandatory for Ogg Vorbis Development Group: Development/Libraries/C and C++ -Requires: libvorbis0 = %{version} -Requires: libvorbisfile3 = %{version} -Requires: libvorbisenc2 = %{version} Requires: glibc-devel Requires: libogg-devel +Requires: libvorbis0 = %{version} +Requires: libvorbisenc2 = %{version} +Requires: libvorbisfile3 = %{version} # bug437293 (SLES10 - SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-devel-64bit 
@@ -140,7 +139,6 @@ fi %patch11 %patch12 -%patch20 -p1 %build # Fix optimization level ++ libvorbis-1.3.2.tar.bz2 - libvorbis-1.3.3.tar.bz2 ++ 51815 lines of diff (skipped) ++ vorbis-fix-linking.patch ++ --- /var/tmp/diff_new_pack.53pbme/_old 2012-06-25 14:23:49.0 +0200 +++ /var/tmp/diff_new_pack.53pbme/_new 2012-06-25 14:23:49.0 +0200 @@ -1,18 +1,20 @@ test/Makefile.am.orig -+++ test/Makefile.am -@@ -10,7 +10,7 @@ check: $(check_PROGRAMS) - ./test$(EXEEXT) +--- Makefile.am2010-12-21 17:46:03.0 +0900 Makefile.am2012-06-16 15:43:41.143756104 +0900 +@@ -1,8 +1,8 @@ + ## Process this file with automake to produce Makefile.in - test_SOURCES = util.c util.h write_read.c write_read.h test.c --test_LDADD = ../lib/libvorbisenc.la ../lib/libvorbis.la @OGG_LIBS@ -+test_LDADD = -lm ../lib/libvorbisenc.la ../lib/libvorbis.la @OGG_LIBS@ + #AUTOMAKE_OPTIONS = 1.7 foreign dist-zip dist-bzip2 +-AUTOMAKE_OPTIONS = foreign 1.11 dist-zip dist-xz +- ++AUTOMAKE_OPTIONS = foreign 1.10 dist-zip ++ACLOCAL_AMFLAGS = -I m4 + SUBDIRS = m4 include vq lib test doc - debug: - $(MAKE) all CFLAGS=@DEBUG@ configure.ac.orig -+++ configure.ac -@@ -8,13 +8,12 @@ dnl - AC_INIT([libvorbis],[1.3.2],[vorbis-...@xiph.org]) + if BUILD_EXAMPLES +--- configure.ac 2012-02-04 07:00:34.0 +0900 configure.ac 2012-06-16 15:43:05.647225479 +0900 +@@ -8,7 +8,7 @@ + AC_INIT([libvorbis],[1.3.3],[vorbis-...@xiph.org]) AC_CONFIG_SRCDIR([lib/mdct.c]) - 
@@ -20,29 +22,3 @@ AC_CANONICAL_TARGET([]) AM_INIT_AUTOMAKE($PACKAGE_NAME,$PACKAGE_VERSION) - AM_MAINTAINER_MODE - AM_CONFIG_HEADER([config.h]) -- - dnl Add parameters for aclocal - AC_SUBST(ACLOCAL_AMFLAGS, -I m4) - -@@ -53,7 +52,9 @@ dnl - dnl save $CFLAGS since AC_PROG_CC likes to insert -g -O2 - dnl if $CFLAGS is blank - cflags_save=$CFLAGS --AC_PROG_CC -+AC_PROG_CC_STDC -+AC_USE_SYSTEM_EXTENSIONS -+AC_SYS_LARGEFILE - AC_PROG_CPP - CFLAGS=$cflags_save - Makefile.am.orig -+++ Makefile.am -@@ -1,5 +1,6 @@ - ## Process this file with automake to produce Makefile.in - -+ACLOCAL_AMFLAGS =
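Review bot: Patch20 (libvorbis-CVE-2012-0444.diff) and its `%patch20 -p1` line are removed in the spec hunks at -39,7 and -140,7, but the changes entry never says that the CVE-2012-0444 fix is contained in 1.3.3; it only cites "additional proofing against invalid/malicious streams in decode". Add a changelog line that names the dropped patch and states it is fixed upstream, so the CVE remains traceable from the package history. The refreshed vorbis-fix-linking.patch also moves AUTOMAKE_OPTIONS from `foreign 1.11 dist-zip dist-xz` to `foreign 1.10 dist-zip` and no longer carries the earlier test/Makefile.am and AC_PROG_CC_STDC hunks, none of which is mentioned in the changes entry.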
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2012-02-22 11:48:21 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2011-12-27 18:37:43.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2012-02-22 11:48:29.0 +0100 @@ -1,0 +2,6 @@ +Tue Feb 21 14:32:38 CET 2012 - ti...@suse.de + +- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow + (bnc#747912) + +--- New: libvorbis-CVE-2012-0444.diff Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.655c9a/_old 2012-02-22 11:48:30.0 +0100 +++ /var/tmp/diff_new_pack.655c9a/_new 2012-02-22 11:48:30.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package libvorbis # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,6 +39,7 @@ Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch Patch12:vorbis-ocloexec.patch +Patch20:libvorbis-CVE-2012-0444.diff BuildRequires: fdupes BuildRequires: libogg-devel BuildRequires: libtool @@ -139,6 +140,7 @@ fi %patch11 %patch12 +%patch20 -p1 %build # Fix optimization level ++ libvorbis-CVE-2012-0444.diff ++ --- lib/floor1.c |1 + 1 file changed, 1 insertion(+) --- a/lib/floor1.c +++ b/lib/floor1.c 
@@ -167,6 +167,7 @@ static vorbis_info_floor *floor1_unpack for(j=0,k=0;jinfo-partitions;j++){ count+=info-class_dim[info-partitionclass[j]]; +if(countVIF_POSIT) goto err_out; for(;kcount;k++){ int t=info-postlist[k+2]=oggpack_read(opb,rangebits); if(t0 || t=(1rangebits)) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
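Review bot: libvorbis-CVE-2012-0444.diff starts straight at the diffstat with no header naming the upstream revision or the bug, and the `Patch20:` line added in the spec hunk at -39,6 has no PATCH-FIX-UPSTREAM style comment of the kind this spec uses for libvorbis-pkgconfig.patch. Put bnc#747912, the CVE id and the upstream source of the change into the patch header and a one-line comment above Patch20, so a later version update can tell when the patch may be dropped. On the code itself, the added comparison of `count` against VIF_POSIT in floor1_unpack sits after `count` is accumulated and before the inner loop stores into `info->postlist[k+2]`, which is the correct position for the bound to take effect.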
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2011-12-27 18:36:57 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2011-11-28 12:54:30.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2011-12-27 18:37:43.0 +0100 @@ -1,0 +2,5 @@ +Sun Dec 25 11:09:50 UTC 2011 - idon...@suse.com + +- -O20 optimization level doesn't exist, use -O3 + +--- Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.JGnrGW/_old 2011-12-27 18:37:48.0 +0100 +++ /var/tmp/diff_new_pack.JGnrGW/_new 2011-12-27 18:37:48.0 +0100 @@ -16,15 +16,14 @@ # - Name: libvorbis Version:1.3.2 -Release:10 +Release:0 #to_be_filled_by_service -License:BSD-3-Clause Summary:The Vorbis General Audio Compression Codec -Url:http://www.vorbis.com/ +License:BSD-3-Clause Group: System/Libraries +Url:http://www.vorbis.com/ # bug437293 (SLES10 - SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-64bit @@ -40,8 +39,10 @@ Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch Patch12:vorbis-ocloexec.patch +BuildRequires: fdupes BuildRequires: libogg-devel -BuildRequires: fdupes libtool pkgconfig +BuildRequires: libtool +BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -56,7 +57,6 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD-3-Clause # bug437293 (SLES10 - SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-64bit @@ -78,7 +78,6 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD-3-Clause %description -n libvorbisenc2 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and 
@@ -92,7 +91,6 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD-3-Clause %description -n libvorbisfile3 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -103,7 +101,6 @@ libmatroska (matroska) can also be used. %package devel -License:BSD-3-Clause Summary:Include Files and Libraries mandatory for Ogg Vorbis Development Group: Development/Libraries/C and C++ Requires: libvorbis0 = %{version} @@ -122,7 +119,6 @@ to compile and develop applications that use libvorbis. %package doc -License:BSD-3-Clause Summary:Documentation of Ogg/Vorbis library Group: Documentation/Other %if 0%{?suse_version} = 1120 @@ -145,6 +141,9 @@ %patch12 %build +# Fix optimization level +sed -i s,-O20,-O3,g configure.ac + autoreconf -fiv %configure --disable-examples --disable-static make %{?_smp_mflags} -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
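Review bot: the `sed -i s,-O20,-O3,g configure.ac` added in the -145,6 hunk modifies the unpacked source inside `%build` instead of `%prep`, is unquoted, and succeeds silently if upstream ever stops using -O20, so the fix cannot be seen to have stopped applying. Move it to `%prep` with the expression quoted, or carry it as a hunk in vorbis-fix-linking.patch, which already touches configure.ac. The rest of the diff (License tag reordering, one BuildRequires per line) is a formatting cleanup that the changes entry does not mention.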
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2011-12-06 18:26:12 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.OYL28D/_old 2011-12-06 18:47:32.0 +0100 +++ /var/tmp/diff_new_pack.OYL28D/_new 2011-12-06 18:47:32.0 +0100 @@ -21,7 +21,7 @@ Version:1.3.2 Release:10 #to_be_filled_by_service -License:BSD3c(or similar) +License:BSD-3-Clause Summary:The Vorbis General Audio Compression Codec Url:http://www.vorbis.com/ Group: System/Libraries @@ -56,7 +56,7 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD3c(or similar) +License:BSD-3-Clause # bug437293 (SLES10 - SLES11 upgrade path) %ifarch ppc64 Obsoletes: libvorbis-64bit @@ -78,7 +78,7 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD3c(or similar) +License:BSD-3-Clause %description -n libvorbisenc2 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -92,7 +92,7 @@ Summary:The Vorbis General Audio Compression Codec Group: System/Libraries -License:BSD3c(or similar) +License:BSD-3-Clause %description -n libvorbisfile3 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and @@ -103,7 +103,7 @@ libmatroska (matroska) can also be used. %package devel -License:BSD3c(or similar) +License:BSD-3-Clause Summary:Include Files and Libraries mandatory for Ogg Vorbis Development Group: Development/Libraries/C and C++ Requires: libvorbis0 = %{version} 
@@ -122,7 +122,7 @@ to compile and develop applications that use libvorbis. %package doc -License:BSD3c(or similar) +License:BSD-3-Clause Summary:Documentation of Ogg/Vorbis library Group: Documentation/Other %if 0%{?suse_version} = 1120 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
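Review bot: every License tag in the spec changes from `BSD3c(or similar)` to `BSD-3-Clause`, but the "Changes:" section of this commit is empty, so the relicensing of the tag has no changelog record. Add a short changes entry stating that the License field was converted to the SPDX identifier, so that the history shows the change was a format conversion and not a change of the actual license.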
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2011-11-28 12:54:27 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2011-11-23 19:36:22.0 +0100 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2011-11-28 12:54:30.0 +0100 @@ -1,0 +2,8 @@ +Fri Nov 25 21:08:52 UTC 2011 - crrodrig...@opensuse.org + +- open files with O_CLOEXEC, in order to avoid fd leaks + when calling applications fork() ..execve()... + This patch does not cover the executable tools since + it is not critical for them. + +--- New: vorbis-ocloexec.patch Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.0TrVDq/_old 2011-11-28 12:54:32.0 +0100 +++ /var/tmp/diff_new_pack.0TrVDq/_new 2011-11-28 12:54:32.0 +0100 @@ -39,6 +39,7 @@ # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddw...@opensuse.org -- Use Requires/Libs.private to avoid overlinking Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch +Patch12:vorbis-ocloexec.patch BuildRequires: libogg-devel BuildRequires: fdupes libtool pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -141,6 +142,7 @@ %patch1 fi %patch11 +%patch12 %build autoreconf -fiv ++ vorbis-ocloexec.patch ++ --- lib/analysis.c.orig +++ lib/analysis.c @@ -73,7 +73,7 @@ void _analysis_output_always(char *base, char buffer[80]; sprintf(buffer,%s_%d.m,base,i); - of=fopen(buffer,w); + of=fopen(buffer,we); if(!of)perror(failed to open data dump file); --- lib/floor1.c.orig +++ lib/floor1.c @@ -899,7 +899,7 @@ int floor1_encode(oggpack_buffer *opb,vo char buffer[80]; sprintf(buffer,line_%dx%ld_class%d.vqd, vb-pcmend/2,posts-2,class); - of=fopen(buffer,a); + of=fopen(buffer,ae); fprintf(of,%d\n,cval); fclose(of); } 
@@ -923,7 +923,7 @@ int floor1_encode(oggpack_buffer *opb,vo char buffer[80]; sprintf(buffer,line_%dx%ld_%dsub%d.vqd, vb-pcmend/2,posts-2,class,bookas[k]); -of=fopen(buffer,a); +of=fopen(buffer,ae); fprintf(of,%d\n,out[j+k]); fclose(of); } --- lib/psytune.c.orig +++ lib/psytune.c @@ -202,7 +202,7 @@ void analysis(char *base,int i,float *v, FILE *of; char buffer[80]; sprintf(buffer,%s_%d.m,base,i); -of=fopen(buffer,w); +of=fopen(buffer,we); for(j=0;jn;j++){ if(dB v[j]==0) --- lib/res0.c.orig +++ lib/res0.c @@ -93,7 +93,7 @@ void res0_free_look(vorbis_look_residue /* long and short into the same bucket by current convention */ sprintf(buffer,res_sub%d_part%d_pass%d.vqd,look-submap,j,k); -of=fopen(buffer,a); +of=fopen(buffer,ae); for(l=0;lstatebook-entries;l++) fprintf(of,%d:%ld\n,l,look-training_data[k][j][l]); @@ -462,7 +462,7 @@ static long **_01class(vorbis_block *vb, for(i=0;ich;i++){ sprintf(buffer,resaux_%d.vqd,look-train_seq); - of=fopen(buffer,a); + of=fopen(buffer,ae); for(j=0;jpartvals;j++) fprintf(of,%ld, ,partword[i][j]); fprintf(of,\n); @@ -521,7 +521,7 @@ static long **_2class(vorbis_block *vb,v #ifdef TRAIN_RESAUX sprintf(buffer,resaux_%d.vqd,look-train_seq); - of=fopen(buffer,a); + of=fopen(buffer,ae); for(i=0;ipartvals;i++) fprintf(of,%ld, ,partword[0][i]); fprintf(of,\n); --- lib/vorbisfile.c.orig +++ lib/vorbisfile.c @@ -1010,7 +1010,7 @@ int ov_open(FILE *f,OggVorbis_File *vf,c int ov_fopen(const char *path,OggVorbis_File *vf){ int ret; - FILE *f = fopen(path,rb); + FILE *f = fopen(path,rbe); if(!f) return -1; ret = ov_open(f,vf,NULL,0); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
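Review bot: of the hunks in vorbis-ocloexec.patch only the one at lib/vorbisfile.c -1010,7 (ov_fopen) is on a path library consumers normally reach; the hunks in analysis.c, floor1.c, psytune.c and res0.c change writers of .m and .vqd dump files, one of them visibly under `#ifdef TRAIN_RESAUX`, so the patch header should say which call sites actually close the descriptor leak described in the changes entry. The "e" flag in the fopen mode string is a glibc extension, which is fine for this package but should be noted in the patch header because it makes the change unsuitable for upstream as written. ov_open, shown as context in the same hunk, takes a FILE* supplied by the caller and is not covered; callers that open the file themselves still have to set close-on-exec on their own. The file also lacks any header or upstream reference, and in the floor1.c hunks the result of fopen is passed to fprintf without a NULL check, which this patch leaves as it was.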
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at 2011-11-23 19:36:21 Comparing /work/SRC/openSUSE:Factory/libvorbis (Old) and /work/SRC/openSUSE:Factory/.libvorbis.new (New) Package is libvorbis, Maintainer is ti...@suse.com Changes: --- /work/SRC/openSUSE:Factory/libvorbis/libvorbis.changes 2011-09-23 02:11:09.0 +0200 +++ /work/SRC/openSUSE:Factory/.libvorbis.new/libvorbis.changes 2011-11-23 19:36:22.0 +0100 @@ -1,0 +2,5 @@ +Tue Nov 22 10:21:04 UTC 2011 - co...@suse.com + +- add libtool as buildrequire to avoid implicit dependency + +--- Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.GI1lWG/_old 2011-11-23 19:36:25.0 +0100 +++ /var/tmp/diff_new_pack.GI1lWG/_new 2011-11-23 19:36:25.0 +0100 @@ -40,7 +40,7 @@ Patch10:libvorbis-pkgconfig.patch Patch11:vorbis-fix-linking.patch BuildRequires: libogg-devel -BuildRequires: fdupes pkgconfig +BuildRequires: fdupes libtool pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at Wed Aug 31 10:52:41 CEST 2011. --- libvorbis/libvorbis.changes 2011-05-05 22:56:30.0 +0200 +++ /mounts/work_src_done/STABLE/libvorbis/libvorbis.changes2011-08-29 21:02:09.0 +0200 @@ -1,0 +2,5 @@ +Mon Aug 29 19:00:55 UTC 2011 - crrodrig...@opensuse.org + +- Fix build with no-add-needed + +--- calling whatdependson for head-i586 New: vorbis-fix-linking.patch Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.5wk5q5/_old 2011-08-31 10:52:22.0 +0200 +++ /var/tmp/diff_new_pack.5wk5q5/_new 2011-08-31 10:52:22.0 +0200 @@ -19,7 +19,7 @@ Name: libvorbis Version:1.3.2 -Release:8 +Release:10 #to_be_filled_by_service License:BSD3c(or similar) Summary:The Vorbis General Audio Compression Codec @@ -38,6 +38,7 @@ # 'Patch5: libvorbis-%%{version}-aotuv-b5.7.diff' # PATCH-FIX-UPSTREAM libvorbis-pkgconfig.patch https://trac.xiph.org/ticket/1759 reddw...@opensuse.org -- Use Requires/Libs.private to avoid overlinking Patch10:libvorbis-pkgconfig.patch +Patch11:vorbis-fix-linking.patch BuildRequires: libogg-devel BuildRequires: fdupes pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -139,9 +140,11 @@ if [ %{_lib} == lib64 ]; then %patch1 fi +%patch11 %build -%configure --disable-static +autoreconf -fiv +%configure --disable-examples --disable-static make %{?_smp_mflags} %install ++ vorbis-fix-linking.patch ++ --- test/Makefile.am.orig +++ test/Makefile.am @@ -10,7 +10,7 @@ check: $(check_PROGRAMS) ./test$(EXEEXT) test_SOURCES = util.c util.h write_read.c write_read.h test.c -test_LDADD = ../lib/libvorbisenc.la ../lib/libvorbis.la @OGG_LIBS@ +test_LDADD = -lm ../lib/libvorbisenc.la ../lib/libvorbis.la @OGG_LIBS@ debug: $(MAKE) all CFLAGS=@DEBUG@ --- configure.ac.orig +++ configure.ac 
@@ -8,13 +8,12 @@ dnl AC_INIT([libvorbis],[1.3.2],[vorbis-...@xiph.org]) AC_CONFIG_SRCDIR([lib/mdct.c]) - +AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_TARGET([]) AM_INIT_AUTOMAKE($PACKAGE_NAME,$PACKAGE_VERSION) AM_MAINTAINER_MODE AM_CONFIG_HEADER([config.h]) - dnl Add parameters for aclocal AC_SUBST(ACLOCAL_AMFLAGS, -I m4) @@ -53,7 +52,9 @@ dnl dnl save $CFLAGS since AC_PROG_CC likes to insert -g -O2 dnl if $CFLAGS is blank cflags_save=$CFLAGS -AC_PROG_CC +AC_PROG_CC_STDC +AC_USE_SYSTEM_EXTENSIONS +AC_SYS_LARGEFILE AC_PROG_CPP CFLAGS=$cflags_save --- Makefile.am.orig +++ Makefile.am @@ -1,5 +1,6 @@ ## Process this file with automake to produce Makefile.in +ACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPTIONS = 1.7 foreign dist-zip dist-bzip2 SUBDIRS = m4 include vq lib test doc Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
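Review bot: the spec hunk at -139,9 adds `autoreconf -fiv` to `%build`, but the BuildRequires shown in the -38,6 hunk list only libogg-devel, fdupes and pkgconfig, so autoconf, automake and libtool are pulled in implicitly; list them explicitly. The changes entry says only "Fix build with no-add-needed", while the same commit also switches configure to `--disable-examples` and vorbis-fix-linking.patch adds AC_PROG_CC_STDC, AC_USE_SYSTEM_EXTENSIONS and AC_SYS_LARGEFILE in configure.ac; those change the feature-test macros for the whole library build and are unrelated to the `-lm` addition in test/Makefile.am, so either split them into their own patch or document them in the changelog and the patch header.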
commit libvorbis for openSUSE:Factory
Hello community, here is the log from the commit of package libvorbis for openSUSE:Factory checked in at Mon May 9 09:15:13 CEST 2011. --- libvorbis/libvorbis.changes 2010-12-10 15:14:37.0 +0100 +++ /mounts/work_src_done/STABLE/libvorbis/libvorbis.changes2011-05-05 22:56:30.0 +0200 @@ -1,0 +2,5 @@ +Thu May 5 22:56:15 CEST 2011 - dmuel...@suse.de + +- fix provides/obsoletes in baselibs + +--- calling whatdependson for head-i586 Other differences: -- ++ libvorbis.spec ++ --- /var/tmp/diff_new_pack.D1c25Y/_old 2011-05-09 09:14:20.0 +0200 +++ /var/tmp/diff_new_pack.D1c25Y/_new 2011-05-09 09:14:20.0 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libvorbis (Version 1.3.2) +# spec file for package libvorbis # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ Name: libvorbis Version:1.3.2 -Release:2 +Release:8 #to_be_filled_by_service License:BSD3c(or similar) Summary:The Vorbis General Audio Compression Codec @@ -61,9 +61,8 @@ %endif # # libvorbis was last used in openSUSE 11.3 - -Provides: %{name} = %{version} -Obsoletes: %{name} %{version} +Provides: %{name} = 1.3.2 +Obsoletes: %{name} 1.3.2 %description -n libvorbis0 Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.D1c25Y/_old 2011-05-09 09:14:20.0 +0200 +++ /var/tmp/diff_new_pack.D1c25Y/_new 2011-05-09 09:14:20.0 +0200 @@ -1,3 +1,5 @@ libvorbis0 + targettype 32bit provides libvorbis-targettype = 1.3.2 + targettype 64bit obsoletes libvorbis-targettype 1.3.2 libvorbisenc2 libvorbisfile3 Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
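Review bot: in the libvorbis.spec hunk at -61,9 the Provides/Obsoletes for libvorbis0 switch from `%{version}` to the literal 1.3.2, and baselibs.conf gains the same literal in its targettype lines, so the frozen version now lives in two files with nothing explaining why it must not follow `%{version}`. Extend the existing comment "libvorbis was last used in openSUSE 11.3" to say that the version is intentionally fixed at the last release that shipped the old package name, and mention in baselibs.conf that the value must stay in step with the spec.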