GNU bug report logs - #46356
[PATCH] gnu: vorbis-tools: Update to 1.4.2.


Package: guix-patches;

Reported by: Vincent Legoll <vincent.legoll <at> gmail.com>

Date: Sun, 7 Feb 2021 10:29:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#46356; Package guix-patches. (Sun, 07 Feb 2021 10:29:01 GMT)

Acknowledgement sent to Vincent Legoll <vincent.legoll <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 07 Feb 2021 10:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Vincent Legoll <vincent.legoll <at> gmail.com>
Subject: [PATCH] gnu: vorbis-tools: Update to 1.4.2.
Date: Sun,  7 Feb 2021 11:28:21 +0100
* gnu/packages/xiph.scm (vorbis-tools): Update to 1.4.2.
(source): Remove upstreamed patches...
* gnu/local.mk (dist_patch_DATA): ...from here.
* gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch: remove file.
* gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch: remove file.
* gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch: remove file.
---
 gnu/local.mk                                  |  3 -
 ...is-tools-CVE-2014-9638+CVE-2014-9639.patch | 83 -------------------
 .../patches/vorbis-tools-CVE-2014-9640.patch  | 29 -------
 .../patches/vorbis-tools-CVE-2015-6749.patch  | 44 ----------
 gnu/packages/xiph.scm                         |  8 +-
 5 files changed, 2 insertions(+), 165 deletions(-)
 delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
 delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
 delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b9b4b664e4..fec9debfda 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1716,9 +1716,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/vinagre-newer-freerdp.patch             \
   %D%/packages/patches/vinagre-newer-rdp-parameters.patch      \
   %D%/packages/patches/virglrenderer-CVE-2017-6386.patch 	\
-  %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch		\
-  %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch		\
-  %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch		\
   %D%/packages/patches/vsearch-unbundle-cityhash.patch		\
   %D%/packages/patches/vte-CVE-2012-2738-pt1.patch			\
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch			\
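Review bot: removing the three entries from dist_patch_DATA is required once the files are deleted, but gnu/local.mk is not the only place a patch file name can be referenced; before pushing, run `git grep vorbis-tools-CVE` over the tree to confirm no other package definition still passes one of these names to search-patches, since a stale reference fails only when that package is built, not at `make` time.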
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
deleted file mode 100644
index 6e389dd59e..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Petter Reinholdtsen <pere <at> debian.org>
-Date: Tue, 22 Sep 2015 15:14:06 +0200
-Subject: oggenc: validate count of channels in the header (CVE-2014-9638 &
- CVE-2014-9639)
-
-Author: Kamil Dudka <kdudka <at> redhat.com>
-Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html
-Bug: https://trac.xiph.org/ticket/2136
-Bug: https://trac.xiph.org/ticket/2137
-Bug-Debian: https://bugs.debian.org/776086
-Forwarded: not-needed
-Reviewed-By: Petter Reinholdtsen <pere <at> hungry.com>
-Last-Update: 2015-09-22
----
- oggenc/audio.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/oggenc/audio.c b/oggenc/audio.c
-index 05e42b3..1b3f179 100644
---- a/oggenc/audio.c
-+++ b/oggenc/audio.c
-@@ -13,6 +13,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-@@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
-     aiff_fmt format;
-     aifffile *aiff = malloc(sizeof(aifffile));
-     int i;
-+    long channels;
- 
-     if(buf[11]=='C')
-         aifc=1;
-@@ -277,11 +279,16 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
-         return 0;
-     }
- 
--    format.channels = READ_U16_BE(buffer);
-+    format.channels = channels = READ_U16_BE(buffer);
-     format.totalframes = READ_U32_BE(buffer+2);
-     format.samplesize = READ_U16_BE(buffer+6);
-     format.rate = (int)read_IEEE80(buffer+8);
- 
-+    if(channels <= 0L || SHRT_MAX < channels)
-+    {
-+        fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n"));
-+        return 0;
-+    }
-     aiff->bigendian = 1;
- 
-     if(aifc)
-@@ -412,6 +419,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen)
-     wav_fmt format;
-     wavfile *wav = malloc(sizeof(wavfile));
-     int i;
-+    long channels;
- 
-     /* Ok. At this point, we know we have a WAV file. Now we have to detect
-      * whether we support the subtype, and we have to find the actual data
-@@ -449,12 +457,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen)
-     }
- 
-     format.format =      READ_U16_LE(buf);
--    format.channels =    READ_U16_LE(buf+2);
-+    format.channels = channels = READ_U16_LE(buf+2);
-     format.samplerate =  READ_U32_LE(buf+4);
-     format.bytespersec = READ_U32_LE(buf+8);
-     format.align =       READ_U16_LE(buf+12);
-     format.samplesize =  READ_U16_LE(buf+14);
- 
-+    if(channels <= 0L || SHRT_MAX < channels)
-+    {
-+        fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n"));
-+        return 0;
-+    }
-+
-     if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
-     {
-       if(len<40)
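Review bot: deleting this file is only correct if vorbis-tools 1.4.2 carries the equivalent validation, i.e. the `channels <= 0L || SHRT_MAX < channels` guards that follow the READ_U16_BE and READ_U16_LE reads in aiff_open and wav_open in oggenc/audio.c. The patch header records its origin (http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html, xiph tickets 2136 and 2137), so the commit message should cite the upstream commit or release note showing that this landed in 1.4.2, rather than leaving the source inspection unrecorded.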
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
deleted file mode 100644
index 97d18e0db7..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: vorbis-tools/oggenc/oggenc.c
-===================================================================
---- vorbis-tools/oggenc/oggenc.c	(revision 19116)
-+++ vorbis-tools/oggenc/oggenc.c	(revision 19117)
-@@ -98,4 +98,6 @@
-               0,0,0.f,
-               0, 0, 0, 0, 0};
-+    input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
-+      N_("RAW file reader")};
- 
-     int i;
-@@ -240,6 +242,4 @@
-         if(opt.rawmode)
-         {
--            input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", 
--                N_("RAW file reader")};
- 
-             enc_opts.rate=opt.raw_samplerate;
-Index: vorbis-tools/oggenc/skeleton.h
-===================================================================
---- vorbis-tools/oggenc/skeleton.h	(revision 19116)
-+++ vorbis-tools/oggenc/skeleton.h	(revision 19117)
-@@ -42,5 +42,5 @@
-     ogg_int64_t start_granule;                             /* start granule value */
-     ogg_uint32_t preroll;                                   /* preroll */
--    unsigned char granule_shift; // a 8-bit field           /* 1 byte value holding the granule shift */
-+    unsigned char granule_shift;                            /* 1 byte value holding the granule shift */
-     char *message_header_fields;                            /* holds all the message header fields */
-     /* current total size of the message header fields, for realloc purpose, initially zero */
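Review bot: the substantive part of this patch is moving the `raw_format` initializer out of the `if(opt.rawmode)` block in oggenc/oggenc.c to function scope, so the object outlives the block it used to be declared in; the skeleton.h change only drops a trailing comment. Unlike the other two patch files this one carries no upstream URL, only the revision pair 19116/19117, so confirm that 1.4.2's oggenc.c declares raw_format at the outer scope and record that check in the commit message, because nothing else in the tree will document why the fix is considered present.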
diff --git a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch b/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch
deleted file mode 100644
index bcddcbfd70..0000000000
--- a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Upstream fix for CVE-2015-6749.
-https://trac.xiph.org/ticket/2212
-
-From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
-From: Mark Harris <mark.hsj <at> gmail.com>
-Date: Sun, 30 Aug 2015 05:54:46 -0700
-Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
-
-Fixes #2212
----
- oggenc/audio.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/oggenc/audio.c b/oggenc/audio.c
-index 477da8c..4921fb9 100644
---- a/oggenc/audio.c
-+++ b/oggenc/audio.c
-@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
- int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- {
-     int aifc; /* AIFC or AIFF? */
--    unsigned int len;
--    unsigned char *buffer;
-+    unsigned int len, readlen;
-+    unsigned char buffer[22];
-     unsigned char buf2[8];
-     aiff_fmt format;
-     aifffile *aiff = malloc(sizeof(aifffile));
-@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
-         return 0; /* Weird common chunk */
-     }
- 
--    buffer = alloca(len);
--
--    if(fread(buffer,1,len,in) < len)
-+    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
-+    if(fread(buffer,1,readlen,in) < readlen ||
-+       (len > readlen && !seek_forward(in, len-readlen)))
-     {
-         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
-         return 0;
--- 
-2.5.0
-
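Review bot: this patch carries its own provenance (upstream commit 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7, https://trac.xiph.org/ticket/2212), which makes it the easiest of the three to verify: check that this commit is reachable from the 1.4.2 release, or equivalently that aiff_open in 1.4.2's oggenc/audio.c uses the fixed `unsigned char buffer[22]` with the `readlen`/`seek_forward` logic in place of `buffer = alloca(len)`. Putting that commit id in the Guix commit message would spare the next updater from repeating the source inspection.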
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 4a3f25e009..8ed0e518a7 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -312,18 +312,14 @@ Kate stream.")
 (define vorbis-tools
   (package
    (name "vorbis-tools")
-   (version "1.4.0")
+   (version "1.4.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://downloads.xiph.org/releases/vorbis/"
                                 "vorbis-tools-" version ".tar.gz"))
             (sha256
              (base32
-              "1g12bnh5ah08v529y72kfdz5lhvy75iaz7f9jskyby23m9dkk2d3"))
-            (patches (search-patches 
-                       "vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch"
-                       "vorbis-tools-CVE-2014-9640.patch"
-                       "vorbis-tools-CVE-2015-6749.patch"))))
+              "1c7h4ivgfdyygz2hyh6nfibxlkz8kdk868a576qkkjgj5gn78xyv"))))
    (build-system gnu-build-system)
    (inputs `(("ao" ,ao)
              ("curl" ,curl)
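Review bot: the new `(sha256 (base32 "1c7h4ivgfdyygz2hyh6nfibxlkz8kdk868a576qkkjgj5gn78xyv"))` value cannot be checked from the diff; reproduce it with `guix download https://downloads.xiph.org/releases/vorbis/vorbis-tools-1.4.2.tar.gz` and compare it against whatever checksum or signature upstream publishes for the tarball before pushing, since a wrong or substituted hash here is exactly the failure this field exists to catch. Dropping the `(patches (search-patches ...))` form together with the version bump also means a regression in any of the three CVE fixes would no longer be visible in the package definition, so the commit message should say where in 1.4.2 each fix lives.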
-- 
2.30.0





Information forwarded to guix-patches <at> gnu.org:
bug#46356; Package guix-patches. (Sun, 07 Feb 2021 10:31:02 GMT)

Message #8 received at 46356 <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: 46356 <at> debbugs.gnu.org
Subject: Re: bug#46356: Acknowledgement ([PATCH] gnu: vorbis-tools: Update to 1.4.2.)
Date: Sun, 7 Feb 2021 11:30:34 +0100
I checked that the patches have been applied
(by looking at the source code)

-- 
Vincent Legoll




Information forwarded to guix-patches <at> gnu.org:
bug#46356; Package guix-patches. (Tue, 09 Feb 2021 20:00:02 GMT)

Message #11 received at 46356 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 46356 <at> debbugs.gnu.org
Subject: Re: [bug#46356] Acknowledgement ([PATCH] gnu: vorbis-tools: Update to 1.4.2.)
Date: Tue, 9 Feb 2021 14:59:08 -0500
On Sun, Feb 07, 2021 at 11:30:34AM +0100, Vincent Legoll wrote:
> I checked that the patches have been applied
> (by looking at the source code)

Thanks, this note is really helpful when reviewing this kind of patch.




Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 09 Feb 2021 20:07:02 GMT)

Notification sent to Vincent Legoll <vincent.legoll <at> gmail.com>:
bug acknowledged by developer. (Tue, 09 Feb 2021 20:07:02 GMT)

Message #16 received at 46356-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 46356-done <at> debbugs.gnu.org
Subject: Re: [bug#46356] [PATCH] gnu: vorbis-tools: Update to 1.4.2.
Date: Tue, 9 Feb 2021 15:06:36 -0500
On Sun, Feb 07, 2021 at 11:28:21AM +0100, Vincent Legoll wrote:
> * gnu/packages/xiph.scm (vorbis-tools): Update to 1.4.2.
> (source): Remove upstreamed patches...
> * gnu/local.mk (dist_patch_DATA): ...from here.
> * gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch: remove file.
> * gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch: remove file.
> * gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch: remove file.

Thanks! I tweaked the commit message and pushed as
d00380b0077b0df2a0b790bb115d07c1533b8863




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 10 Mar 2021 12:24:06 GMT)

This bug report was last modified 3 years and 19 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.