GNU bug report logs - #42890
[PATCH] gnu: taglib: Include patch to prevent OGG corruption.

Package: guix-patches;

Reported by: Pierre Langlois <pierre.langlois <at> gmx.com>

Date: Sun, 16 Aug 2020 15:49:02 UTC

Severity: normal

Tags: patch

Done: Pierre Langlois <pierre.langlois <at> gmx.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 42890 in the body.
You can then email your comments to 42890 AT debbugs.gnu.org in the normal way.


Report forwarded to guix-patches <at> gnu.org:
bug#42890; Package guix-patches. (Sun, 16 Aug 2020 15:49:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Langlois <pierre.langlois <at> gmx.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 16 Aug 2020 15:49:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Guix-patches <guix-patches <at> gnu.org>
Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
Date: Sun, 16 Aug 2020 16:48:19 +0100
Hello Guix!

As I was looking into updating clementine, I noticed it would refuse to
build with the system's taglib saying it may have a bug that corrupts
OGG files. I haven't personally encountered this bug, but I think we
should patch it anyway to be safe. It should be included in the next
release but it's unclear when this is going to happen :-/

See https://github.com/taglib/taglib/issues/864 for more details. It
seems other distributions such as Archlinux also apply this fix.

Thanks!
Pierre

[0001-gnu-taglib-Include-patch-to-prevent-OGG-corruption.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#42890; Package guix-patches. (Tue, 18 Aug 2020 03:05:02 GMT) Full text and rfc822 format available.

Message #8 received at 42890 <at> debbugs.gnu.org (full text, mbox):

From: Brendan Tildesley <mail <at> brendan.scot>
To: 42890 <at> debbugs.gnu.org
Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
Date: Tue, 18 Aug 2020 13:04:17 +1000
I should apologise. I also prepared this same patch to submit over a 
year or two ago but ended up neglecting it. I also discovered these two 
CVE patches (attached) from another distribution that I was going to
add. Perhaps the best solution is to switch to git-reference and choose 
a more recent commit that includes all these fixes. Your patch is in 
master at 
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 
and the two I attached are also in master.


[taglib-CVE-2017-12678.patch (text/x-patch, attachment)]
[taglib-CVE-2018-11439.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#42890; Package guix-patches. (Tue, 18 Aug 2020 09:22:01 GMT) Full text and rfc822 format available.

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Brendan Tildesley <mail <at> brendan.scot>
Cc: 42890 <at> debbugs.gnu.org, guix-patches <at> gnu.org
Subject: Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG
 corruption.
Date: Tue, 18 Aug 2020 10:21:25 +0100
Hi Brendan,

Brendan Tildesley writes:

> I should apologise. I also prepared this same patch to submit over a
> year or two ago but ended up neglecting it. I also discovered these two
> CVE patches (attached) from another distribution that I was going to
> add. Perhaps the best solution is to switch to git-reference and choose
> a more recent commit that includes all these fixes. Your patch is in
> master at
> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
> and the two I attached are also in master.

No worries! Yeah I think it's a good idea to just use a git-reference in this
case, I'll try that and submit another patch, thanks for the suggestion!

Pierre

Information forwarded to guix-patches <at> gnu.org:
bug#42890; Package guix-patches. (Tue, 18 Aug 2020 18:00:02 GMT) Full text and rfc822 format available.

Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Pierre Langlois <pierre.langlois <at> gmx.com>
Cc: 42890 <at> debbugs.gnu.org, Brendan Tildesley <mail <at> brendan.scot>,
 guix-patches <at> gnu.org
Subject: Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG
 corruption.
Date: Tue, 18 Aug 2020 18:59:00 +0100
Pierre Langlois writes:

> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached) from another distribution that I was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah I think it's a good idea to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!

I wasn't so sure which recent commit to use, but then I saw there was a
1.12-beta-1 pre-release from September 2019 so I thought we'd use that.
Looking at some discussions upstream [0], it might still be a while
until we get a proper release though :-/

0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581

[0001-gnu-taglib-Update-to-1.12-beta-1.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#42890; Package guix-patches. (Fri, 04 Sep 2020 09:33:02 GMT) Full text and rfc822 format available.

Message #23 received at 42890 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Pierre Langlois <pierre.langlois <at> gmx.com>
Cc: 42890 <at> debbugs.gnu.org, mail <at> brendan.scot
Subject: Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG
 corruption.
Date: Fri, 04 Sep 2020 11:32:09 +0200
Hi!

Pierre Langlois <pierre.langlois <at> gmx.com> skribis:

> From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
> From: Pierre Langlois <pierre.langlois <at> gmx.com>
> Date: Tue, 18 Aug 2020 18:38:01 +0100
> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>
> This switches to a yet unreleased version of taglib, to make sure
> long-standing issues and CVEs are covered until a proper release is made upstream.
>
> Among these, we have:
>
> - CVE-2017-12678
> - CVE-2018-11439
> - https://github.com/taglib/taglib/issues/864
>
> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
> [source]: Switch to using git-fetch.

It’s a good idea to add “[security fixes]” or to list CVEs in the
subject line of the commit log.

Otherwise LGTM!

You can now use your new super commit powers to push it.  :-)

Thanks,
Ludo’.

Reply sent to Pierre Langlois <pierre.langlois <at> gmx.com>:
You have taken responsibility. (Fri, 04 Sep 2020 11:15:02 GMT) Full text and rfc822 format available.

Notification sent to Pierre Langlois <pierre.langlois <at> gmx.com>:
bug acknowledged by developer. (Fri, 04 Sep 2020 11:15:02 GMT) Full text and rfc822 format available.

Message #28 received at 42890-done <at> debbugs.gnu.org (full text, mbox):

From: Pierre Langlois <pierre.langlois <at> gmx.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Pierre Langlois <pierre.langlois <at> gmx.com>, 42890-done <at> debbugs.gnu.org,
 mail <at> brendan.scot
Subject: Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG
 corruption.
Date: Fri, 04 Sep 2020 12:14:26 +0100
Ludovic Courtès writes:

> Hi!
>
> Pierre Langlois <pierre.langlois <at> gmx.com> skribis:
>
>> From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
>> From: Pierre Langlois <pierre.langlois <at> gmx.com>
>> Date: Tue, 18 Aug 2020 18:38:01 +0100
>> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>>
>> This switches to a yet unreleased version of taglib, to make sure
>> long-standing issues and CVEs are covered until a proper release is made upstream.
>>
>> Among these, we have:
>>
>> - CVE-2017-12678
>> - CVE-2018-11439
>> - https://github.com/taglib/taglib/issues/864
>>
>> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
>> [source]: Switch to using git-fetch.
>
> It’s a good idea to add “[security fixes]” or to list CVEs in the
> subject line of the commit log.
>
> Otherwise LGTM!
>
> You can now use your new super commit powers to push it.  :-)

Whoohoo! done :-)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 02 Oct 2020 11:24:08 GMT) Full text and rfc822 format available.

This bug report was last modified 3 years and 205 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.