author | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 10:46:34 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 10:55:09 +0100 |
commit | 28c5fe5ac7c34d80d4e8e1813212c7723ae8734c (patch) | |
tree | d595e7abeb02a56dc83a3522d82356d5251d4be8 | |
parent | 6e3ecd37f497c0cfbe5ce695900164b2b2d5c1c7 (diff) | |
download | aports-28c5fe5ac7c34d80d4e8e1813212c7723ae8734c.tar.bz2 aports-28c5fe5ac7c34d80d4e8e1813212c7723ae8734c.tar.xz |
main/libvorbis: fix CVE-2017-14160
fixes #7941
-rw-r--r-- | main/libvorbis/APKBUILD | 33 | ||||
-rw-r--r-- | main/libvorbis/CVE-2017-14160.patch | 58 |
2 files changed, 81 insertions, 10 deletions
diff --git a/main/libvorbis/APKBUILD b/main/libvorbis/APKBUILD
index 86ad84de04..e70152f956 100644
--- a/main/libvorbis/APKBUILD
+++ b/main/libvorbis/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libvorbis
 pkgver=1.3.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Vorbis codec library"
 url="http://www.xiph.org/ogg/vorbis/"
 arch="all"
@@ -10,17 +10,27 @@ subpackages="$pkgname-dev $pkgname-doc" depends= depends_dev="libogg-dev" makedepends="$depends_dev" -#source="http://people.xiph.org/~giles/2008/$pkgname-$pkgver.tar.gz" -source="http://downloads.xiph.org/releases/vorbis/libvorbis-$pkgver.tar.gz" +source="http://downloads.xiph.org/releases/vorbis/libvorbis-$pkgver.tar.gz + CVE-2017-14160.patch + " -_builddir="$srcdir/$pkgname-$pkgver" +builddir="$srcdir/$pkgname-$pkgver" + +# secfixes: +# 1.3.5-r2: +# - CVE-2017-14160 prepare() { - cd "$_builddir" + cd "$builddir" + for i in $sources; do + case $i in + *.patch) patch -p1 -i $srcdir/$i || return 1;; + esac + done } build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ 
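Review bot: The patch loop in the new prepare() iterates `$sources`, but the variable this file defines a few lines above in the same hunk is `source`, and as far as I know abuild does not set any `sources` variable, so the loop body never runs and CVE-2017-14160.patch is never applied even though the secfixes block records the fix as shipped in 1.3.5-r2. Change the loop header to `for i in $source; do`, or drop the hand-rolled loop and call `default_prepare`, and confirm by inspecting lib/psy.c in `$builddir` after the prepare step. Separately, the tarball is still fetched over plain `http://`; the pinned sha512 protects integrity, but `https://downloads.xiph.org/...` would also protect the download path if the mirror serves it.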
@@ -31,11 +41,14 @@ build() { } package() { - cd "$srcdir"/$pkgname-$pkgver + cd "$builddir" make DESTDIR="$pkgdir" install || return 1 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="7220e089f3be3412a2317d6fde9e3944 libvorbis-1.3.5.tar.gz" -sha256sums="6efbcecdd3e5dfbf090341b485da9d176eb250d893e3eb378c428a2db38301ce libvorbis-1.3.5.tar.gz" -sha512sums="6c729a227143abc744a779ec4d4ce9932cd1234e301b766cb5111c3894b7cd866f0267590c7864afd3841ac0d4ae2eb2386e8d14345b7c41c8ce35e996e3656c libvorbis-1.3.5.tar.gz" +md5sums="7220e089f3be3412a2317d6fde9e3944 libvorbis-1.3.5.tar.gz +943275d84d55dfa072ec3a2566fd9bfa CVE-2017-14160.patch" +sha256sums="6efbcecdd3e5dfbf090341b485da9d176eb250d893e3eb378c428a2db38301ce libvorbis-1.3.5.tar.gz +f93bf45de3a21db0fa9bb9cd25edefb1182bf24d61028a86cbf45fbcd11fbdf5 CVE-2017-14160.patch" +sha512sums="6c729a227143abc744a779ec4d4ce9932cd1234e301b766cb5111c3894b7cd866f0267590c7864afd3841ac0d4ae2eb2386e8d14345b7c41c8ce35e996e3656c libvorbis-1.3.5.tar.gz +4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch"
diff --git a/main/libvorbis/CVE-2017-14160.patch b/main/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 0000000000..9ad9d18f75
--- /dev/null
+++ b/main/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,58 @@
+From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
+Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 13:12:00 +0100
+Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
+
+---
+ lib/psy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1e..8bbf6cf3 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ XY[i] = tXY;
+ }
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ if( lo>=0 ) break;
+@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
+ noise[i] = R - offset;
+ }
+
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ hi = b[i] & 0xffff;
+ if(hi>=n)break;
+-
+ tN = N[hi] - N[lo];
+ tX = X[hi] - X[lo];
+ tXX = XX[hi] - XX[lo];
+@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (fixed <= 0) return;
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+ if(lo>=0)break;
+@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (R - offset < noise[i]) noise[i] = R - offset;
+ }
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+--
+2.15.0
+
|
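Review bot: The added `i < n` bound on the four loops in bark_noise_hybridmp only limits the index into `b` and `noise`; the `lo`/`hi` values unpacked from `b[i]` are still used as indices into the prefix-sum arrays, and within the visible lines the loop at 621 checks `if(hi>=n)break;` while the loop at 599 checks only `if( lo>=0 ) break;`, so if the first loop's body (which continues past the hunk, as does the function itself) also derives `hi` from `b[i]`, that index should be confirmed to be bounded too. The patch header shows an e-mail-format backport from a packager (Guido Günther) rather than an upstream xiph.org commit, so it is worth noting in the patch header or the APKBUILD where it was taken from, e.g. `# Backport of <bug/mailing-list URL>; drop when upstream ships a release containing the fix`, so it can be retired against the upstream fix later. The deletion of the blank line after `if(hi>=n)break;` in the 621 hunk is unrelated whitespace churn that makes this backport harder to diff against upstream; keeping the patch minimal is preferable.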