diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-09-18 13:27:34 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-09-18 13:27:38 +0000 |
| commit | 2272f43516da3b21db1048c3b8ffdc96a084c175 (patch) | |
| tree | c057611963c4ad1ae827a19a1e0c808d14bfdab2 /main/libsndfile | |
| parent | afe0110ff4d7c57358973a579df6686478b5e659 (diff) | |
| download | aports-2272f43516da3b21db1048c3b8ffdc96a084c175.tar.bz2 aports-2272f43516da3b21db1048c3b8ffdc96a084c175.tar.xz | |
main/libsndfile: security fix (CVE-2018-13139)
Partially fixes #9232
Diffstat (limited to 'main/libsndfile')
| -rw-r--r-- | main/libsndfile/APKBUILD | 24 | ||||
| -rw-r--r-- | main/libsndfile/CVE-2018-13139.patch | 31 |
2 files changed, 45 insertions, 10 deletions
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD index ffee783384..7ba879a154 100644 --- a/main/libsndfile/APKBUILD +++ b/main/libsndfile/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libsndfile pkgver=1.0.28 -pkgrel=3 +pkgrel=4 pkgdesc="A C library for reading and writing files containing sampled sound" url="http://www.mega-nerd.com/libsndfile" arch="all" @@ -15,22 +15,25 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch CVE-2017-8362.patch CVE-2017-12562.patch + CVE-2018-13139.patch " # sporadic testsuite failures on armhf [ "$CARCH" = "armhf" ] && options="!check" # secfixes: +# 1.0.28-r4: +# - CVE-2018-13139 # 1.0.28-r2: -# - CVE-2017-12562 +# - CVE-2017-12562 # 1.0.28-r0: -# - CVE-2017-7585 -# - CVE-2017-7741 -# - CVE-2017-7742 +# - CVE-2017-7585 +# - CVE-2017-7741 +# - CVE-2017-7742 # 1.0.28-r1: -# - CVE-2017-8361 -# - CVE-2017-8362 -# - CVE-2017-8363 -# - CVE-2017-8365 +# - CVE-2017-8361 +# - CVE-2017-8362 +# - CVE-2017-8363 +# - CVE-2017-8365 build() { cd "$builddir" @@ -56,4 +59,5 @@ package() { sha512sums="890731a6b8173f714155ce05eaf6d991b31632c8ab207fbae860968861a107552df26fcf85602df2e7f65502c7256c1b41735e1122485a3a07ddb580aa83b57f libsndfile-1.0.28.tar.gz f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb77123ef0355c3c53be4f9d6a432665c90c74687d8d3afd9e3 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch -814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch" +814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch +33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805 CVE-2018-13139.patch" diff --git a/main/libsndfile/CVE-2018-13139.patch b/main/libsndfile/CVE-2018-13139.patch new file mode 100644 index 0000000000..f75843267b --- /dev/null +++ b/main/libsndfile/CVE-2018-13139.patch @@ -0,0 +1,31 @@ +From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001 +From: "Brett T. Warden" <brett.t.warden@intel.com> +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave + +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. + +Fixes #397 +--- + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c +index 53660310..225b4d54 100644 +--- a/programs/sndfile-deinterleave.c ++++ b/programs/sndfile-deinterleave.c +@@ -89,6 +89,13 @@ main (int argc, char **argv) + exit (1) ; + } ; + ++ if (sfinfo.channels > MAX_CHANNELS) ++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", ++ argv [1], sfinfo.channels, MAX_CHANNELS) ; ++ exit (1) ; ++ } ; ++ ++ + state.channels = sfinfo.channels ; + sfinfo.channels = 1 ; + |