author | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 09:35:21 +0000 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-23 09:35:21 +0000 |
commit | 24168e0dc14497566f17471bee3a02945832af40 (patch) | |
tree | 6830df78a083ee2acf081c6ffd9c11694c4f5e5f /main/libvorbis | |
parent | c3ffef0e8fdbf281e019ab997b2323426d235e1c (diff) | |
download | aports-24168e0dc14497566f17471bee3a02945832af40.tar.bz2 aports-24168e0dc14497566f17471bee3a02945832af40.tar.xz |
main/libvorbis: fix for CVE-2017-14160
upstream issue: https://gitlab.xiph.org/xiph/vorbis/issues/2330
fixes #7937
Diffstat (limited to 'main/libvorbis')
-rw-r--r-- | main/libvorbis/APKBUILD | 13 | ||||
-rw-r--r-- | main/libvorbis/CVE-2017-14160.patch | 58 |
2 files changed, 68 insertions, 3 deletions
diff --git a/main/libvorbis/APKBUILD b/main/libvorbis/APKBUILD
index 01794075a7..46528ec484 100644
--- a/main/libvorbis/APKBUILD
+++ b/main/libvorbis/APKBUILD
@@ -1,16 +1,22 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libvorbis
 pkgver=1.3.5
-pkgrel=2
+pkgrel=3
 pkgdesc="Vorbis codec library"
 url="https://xiph.org/vorbis/"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 makedepends="libogg-dev"
-source="http://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.gz"
+source="http://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.gz
+ CVE-2017-14160.patch
+ "
 builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 1.3.5-r3:
+# - CVE-2017-14160
+
 build() {
 cd "$builddir"
@@ -28,4 +34,5 @@ package() {
 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
 }
-sha512sums="6c729a227143abc744a779ec4d4ce9932cd1234e301b766cb5111c3894b7cd866f0267590c7864afd3841ac0d4ae2eb2386e8d14345b7c41c8ce35e996e3656c libvorbis-1.3.5.tar.gz"
+sha512sums="6c729a227143abc744a779ec4d4ce9932cd1234e301b766cb5111c3894b7cd866f0267590c7864afd3841ac0d4ae2eb2386e8d14345b7c41c8ce35e996e3656c libvorbis-1.3.5.tar.gz
+4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch"
diff --git a/main/libvorbis/CVE-2017-14160.patch b/main/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 0000000000..9ad9d18f75
--- /dev/null
+++ b/main/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,58 @@
+From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
+Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 13:12:00 +0100
+Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
+
+---
+ lib/psy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1e..8bbf6cf3 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ XY[i] = tXY;
+ }
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ if( lo>=0 ) break;
+@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
+ noise[i] = R - offset;
+ }
+
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ hi = b[i] & 0xffff;
+ if(hi>=n)break;
+-
+ tN = N[hi] - N[lo];
+ tX = X[hi] - X[lo];
+ tXX = XX[hi] - XX[lo];
+@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (fixed <= 0) return;
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+ if(lo>=0)break;
+@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (R - offset < noise[i]) noise[i] = R - offset;
+ }
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+--
+2.15.0
+
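Review bot: In the second patched loop (the `@@ -621,12 +621,11 @@` hunk of lib/psy.c) only `hi` is range-checked before `N[hi] - N[lo]`, `X[hi] - X[lo]` and `XX[hi] - XX[lo]`; `lo` is taken from `b[i] >> 16` and indexed without any check, so the new `i < n` bound keeps `b[i]` in range but the reads through `lo` still rely on the caller packing `b[]` with `0 <= lo <= hi`. If that invariant is not guaranteed at this call site, `if(hi>=n)break;` should become `if (lo < 0 || hi >= n) break;` so the read is bounded by the loop itself rather than by the table's construction; the same applies to the `lo = hi - fixed` loops in the `@@ -651` and `@@ -670` hunks, whose body continues outside the quoted context. The hunk also deletes an unrelated blank line (`-` with no content after `if(hi>=n)break;`), which makes a security backport noisier to verify against upstream and is better dropped from the vendored patch. Note too that `b[i] >> 16` right-shifts a negative `long` on the path the first loop terminates on, which is implementation-defined rather than undefined in C; it is arithmetic on the targets Alpine builds for, but worth a one-line comment such as `/* relies on arithmetic right shift of negative lo */`. The enclosing function bark_noise_hybridmp begins before and ends after the patched hunks.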