GNU bug report logs - #46356: [PATCH] gnu: vorbis-tools: Update to 1.4.2.
Report forwarded to guix-patches <at> gnu.org: bug#46356; Package guix-patches. (Sun, 07 Feb 2021 10:29:01 GMT)
Acknowledgement sent to Vincent Legoll <vincent.legoll <at> gmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 07 Feb 2021 10:29:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
* gnu/packages/xiph.scm (vorbis-tools): Update to 1.4.2.
(source): Remove upstreamed patches...
* gnu/local.mk (dist_patch_DATA): ...from here.
* gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch: remove file.
* gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch: remove file.
* gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch: remove file.
---
gnu/local.mk | 3 -
...is-tools-CVE-2014-9638+CVE-2014-9639.patch | 83 -------------------
.../patches/vorbis-tools-CVE-2014-9640.patch | 29 -------
.../patches/vorbis-tools-CVE-2015-6749.patch | 44 ----------
gnu/packages/xiph.scm | 8 +-
5 files changed, 2 insertions(+), 165 deletions(-)
delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b9b4b664e4..fec9debfda 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1716,9 +1716,6 @@ dist_patch_DATA = \
%D%/packages/patches/vinagre-newer-freerdp.patch \
%D%/packages/patches/vinagre-newer-rdp-parameters.patch \
%D%/packages/patches/virglrenderer-CVE-2017-6386.patch \
- %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch \
- %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \
- %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \
%D%/packages/patches/vsearch-unbundle-cityhash.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
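Review bot: the three entries removed from dist_patch_DATA here line up with the three `delete mode` files in this same patch, so the Makefile side is consistent; before merging, grep gnu/packages for the three file names to make sure no other package definition still passes them to `search-patches`, because a reference to a patch file that is no longer in the tree breaks evaluation of that package, not just this one.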
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
deleted file mode 100644
index 6e389dd59e..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Petter Reinholdtsen <pere <at> debian.org>
-Date: Tue, 22 Sep 2015 15:14:06 +0200
-Subject: oggenc: validate count of channels in the header (CVE-2014-9638 &
- CVE-2014-9639)
-
-Author: Kamil Dudka <kdudka <at> redhat.com>
-Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
-Bug: https://trac.xiph.org/ticket/2136
-Bug: https://trac.xiph.org/ticket/2137
-Bug-Debian: https://bugs.debian.org/776086
-Forwarded: not-needed
-Reviewed-By: Petter Reinholdtsen <pere <at> hungry.com>
-Last-Update: 2015-09-22
----
- oggenc/audio.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/oggenc/audio.c b/oggenc/audio.c
-index 05e42b3..1b3f179 100644
---- a/oggenc/audio.c
-+++ b/oggenc/audio.c
-@@ -13,6 +13,7 @@
- #include <config.h>
- #endif
-
-+#include <limits.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-@@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- aiff_fmt format;
- aifffile *aiff = malloc(sizeof(aifffile));
- int i;
-+ long channels;
-
- if(buf[11]=='C')
- aifc=1;
-@@ -277,11 +279,16 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- return 0;
- }
-
-- format.channels = READ_U16_BE(buffer);
-+ format.channels = channels = READ_U16_BE(buffer);
- format.totalframes = READ_U32_BE(buffer+2);
- format.samplesize = READ_U16_BE(buffer+6);
- format.rate = (int)read_IEEE80(buffer+8);
-
-+ if(channels <= 0L || SHRT_MAX < channels)
-+ {
-+ fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
-+ return 0;
-+ }
- aiff->bigendian = 1;
-
- if(aifc)
-@@ -412,6 +419,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen)
- wav_fmt format;
- wavfile *wav = malloc(sizeof(wavfile));
- int i;
-+ long channels;
-
- /* Ok. At this point, we know we have a WAV file. Now we have to detect
- * whether we support the subtype, and we have to find the actual data
-@@ -449,12 +457,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen)
- }
-
- format.format = READ_U16_LE(buf);
-- format.channels = READ_U16_LE(buf+2);
-+ format.channels = channels = READ_U16_LE(buf+2);
- format.samplerate = READ_U32_LE(buf+4);
- format.bytespersec = READ_U32_LE(buf+8);
- format.align = READ_U16_LE(buf+12);
- format.samplesize = READ_U16_LE(buf+14);
-
-+ if(channels <= 0L || SHRT_MAX < channels)
-+ {
-+ fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
-+ return 0;
-+ }
-+
- if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
- {
- if(len<40)
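Review bot: the commit message calls these patches "upstreamed" but gives no evidence, and this deleted file is the only in-tree record of what the 1.4.0 fix did: it bounds the channel count read from the AIFF and WAV headers (`if(channels <= 0L || SHRT_MAX < channels)` in both `aiff_open` and `wav_open`) before the value is used further. Dropping the patch is correct only if oggenc/audio.c in 1.4.2 carries an equivalent check; the submitter's follow-up says this was verified by reading the source, and that verification (or a pointer to the upstream commit) belongs in the commit message so the next reviewer does not have to redo it.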
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
deleted file mode 100644
index 97d18e0db7..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: vorbis-tools/oggenc/oggenc.c
-===================================================================
---- vorbis-tools/oggenc/oggenc.c (revision 19116)
-+++ vorbis-tools/oggenc/oggenc.c (revision 19117)
-@@ -98,4 +98,6 @@
- 0,0,0.f,
- 0, 0, 0, 0, 0};
-+ input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
-+ N_("RAW file reader")};
-
- int i;
-@@ -240,6 +242,4 @@
- if(opt.rawmode)
- {
-- input_format raw_format = {NULL, 0, raw_open, wav_close, "raw",
-- N_("RAW file reader")};
-
- enc_opts.rate=opt.raw_samplerate;
-Index: vorbis-tools/oggenc/skeleton.h
-===================================================================
---- vorbis-tools/oggenc/skeleton.h (revision 19116)
-+++ vorbis-tools/oggenc/skeleton.h (revision 19117)
-@@ -42,5 +42,5 @@
- ogg_int64_t start_granule; /* start granule value */
- ogg_uint32_t preroll; /* preroll */
-- unsigned char granule_shift; // a 8-bit field /* 1 byte value holding the granule shift */
-+ unsigned char granule_shift; /* 1 byte value holding the granule shift */
- char *message_header_fields; /* holds all the message header fields */
- /* current total size of the message header fields, for realloc purpose, initially zero */
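Review bot: two unrelated things are dropped with this file. The oggenc.c hunks move the `raw_format` initializer from inside `if(opt.rawmode)` up to function scope next to `int i;`; that hoist is the substantive fix, since a struct declared inside the block does not outlive it. The skeleton.h hunk only rewrites a `//` comment on `granule_shift` and has no security effect, so losing it is harmless either way. Confirm that the `raw_format` hoist, not merely the comment change, is present in 1.4.2 before treating CVE-2014-9640 as covered by the version bump.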
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch b/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch
deleted file mode 100644
index bcddcbfd70..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Upstream fix for CVE-2015-6749.
-https://trac.xiph.org/ticket/2212
-
-From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
-From: Mark Harris <mark.hsj <at> gmail.com>
-Date: Sun, 30 Aug 2015 05:54:46 -0700
-Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
-
-Fixes #2212
----
- oggenc/audio.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/oggenc/audio.c b/oggenc/audio.c
-index 477da8c..4921fb9 100644
---- a/oggenc/audio.c
-+++ b/oggenc/audio.c
-@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
- int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- {
- int aifc; /* AIFC or AIFF? */
-- unsigned int len;
-- unsigned char *buffer;
-+ unsigned int len, readlen;
-+ unsigned char buffer[22];
- unsigned char buf2[8];
- aiff_fmt format;
- aifffile *aiff = malloc(sizeof(aifffile));
-@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- return 0; /* Weird common chunk */
- }
-
-- buffer = alloca(len);
--
-- if(fread(buffer,1,len,in) < len)
-+ readlen = len < sizeof(buffer) ? len : sizeof(buffer);
-+ if(fread(buffer,1,readlen,in) < readlen ||
-+ (len > readlen && !seek_forward(in, len-readlen)))
- {
- fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
- return 0;
---
-2.5.0
-
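Review bot: the fix being removed replaces `buffer = alloca(len)`, where `len` comes straight from the AIFF common chunk, with a fixed `unsigned char buffer[22]` plus `seek_forward(in, len-readlen)` over any excess bytes, so the stack allocation in `aiff_open` no longer scales with a value taken from the input file. This is the kind of change that can be lost when an upstream release restructures the header parser, so the review should confirm that 1.4.2 either contains commit 04815d3e or otherwise no longer passes a header-supplied length to `alloca` in `aiff_open`.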
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 4a3f25e009..8ed0e518a7 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -312,18 +312,14 @@ Kate stream.")
(define vorbis-tools
(package
(name "vorbis-tools")
- (version "1.4.0")
+ (version "1.4.2")
(source (origin
(method url-fetch)
(uri (string-append "https://downloads.xiph.org/releases/vorbis/"
"vorbis-tools-" version ".tar.gz"))
(sha256
(base32
- "1g12bnh5ah08v529y72kfdz5lhvy75iaz7f9jskyby23m9dkk2d3"))
- (patches (search-patches
- "vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch"
- "vorbis-tools-CVE-2014-9640.patch"
- "vorbis-tools-CVE-2015-6749.patch"))))
+ "1c7h4ivgfdyygz2hyh6nfibxlkz8kdk868a576qkkjgj5gn78xyv"))))
(build-system gnu-build-system)
(inputs `(("ao" ,ao)
("curl" ,curl)
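Review bot: the new sha256 `1c7h4ivgfdyygz2hyh6nfibxlkz8kdk868a576qkkjgj5gn78xyv` should be reproduced with `guix download` against the URL this origin builds (https://downloads.xiph.org/releases/vorbis/vorbis-tools-1.4.2.tar.gz) rather than taken on trust from the patch, since the hash is the only thing tying the package to the specific tarball whose security fixes this change relies on. Removing the `(patches ...)` field outright is fine as long as the three deleted files are the only patches the package had, which the 1.4.0 definition visible in the context lines confirms.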
--
2.30.0
Information forwarded to guix-patches <at> gnu.org: bug#46356; Package guix-patches. (Sun, 07 Feb 2021 10:31:02 GMT)
Message #8 received at 46356 <at> debbugs.gnu.org:
I checked that the patches have been applied
(by looking at the source code)
--
Vincent Legoll
Information forwarded to guix-patches <at> gnu.org: bug#46356; Package guix-patches. (Tue, 09 Feb 2021 20:00:02 GMT)
Message #11 received at 46356 <at> debbugs.gnu.org:
On Sun, Feb 07, 2021 at 11:30:34AM +0100, Vincent Legoll wrote:
> I checked that the patches have been applied
> (by looking at the source code)
Thanks, this note is really helpful when reviewing this kind of patch.
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Tue, 09 Feb 2021 20:07:02 GMT)
Notification sent to Vincent Legoll <vincent.legoll <at> gmail.com>: bug acknowledged by developer. (Tue, 09 Feb 2021 20:07:02 GMT)
Message #16 received at 46356-done <at> debbugs.gnu.org:
On Sun, Feb 07, 2021 at 11:28:21AM +0100, Vincent Legoll wrote:
> * gnu/packages/xiph.scm (vorbis-tools): Update to 1.4.2.
> (source): Remove upstreamed patches...
> * gnu/local.mk (dist_patch_DATA): ...from here.
> * gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch: remove file.
> * gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch: remove file.
> * gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch: remove file.
Thanks! I tweaked the commit message and pushed as
d00380b0077b0df2a0b790bb115d07c1533b8863
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 10 Mar 2021 12:24:06 GMT)
This bug report was last modified 3 years and 19 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.