diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 08:02:45 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 10:37:45 +0200 |
| commit | e0d5deae108e57c22e638a24118d0850b0ab09a7 (patch) | |
| tree | 1416597d6178ac72d1a3331852ca7e923d801dc5 /main | |
| parent | f77113ff5f50a2b6e8a207bae850994250dec650 (diff) | |
| download | aports-e0d5deae108e57c22e638a24118d0850b0ab09a7.tar.bz2 aports-e0d5deae108e57c22e638a24118d0850b0ab09a7.tar.xz | |
main/libvorbis: security fix for CVE-2018-10392
fixes #9144
Diffstat (limited to 'main')
| -rw-r--r-- | main/libvorbis/APKBUILD | 11 | ||||
| -rw-r--r-- | main/libvorbis/CVE-2018-10392.patch | 25 |
2 files changed, 33 insertions, 3 deletions
diff --git a/main/libvorbis/APKBUILD b/main/libvorbis/APKBUILD index eabf99b0d1..634613fd6e 100644 --- a/main/libvorbis/APKBUILD +++ b/main/libvorbis/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libvorbis pkgver=1.3.6 -pkgrel=0 +pkgrel=1 pkgdesc="Vorbis codec library" url="https://xiph.org/vorbis" arch="all" @@ -11,10 +11,14 @@ depends= depends_dev="libogg-dev" makedepends="$depends_dev" source="http://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz - CVE-2017-14160.patch" + CVE-2017-14160.patch + CVE-2018-10392.patch + " builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 1.3.6-r1: +# - CVE-2018-10392 # 1.3.6-r0: # - CVE-2018-5146 # 1.3.5-r3: @@ -52,4 +56,5 @@ md5sums="b7d1692f275c73e7833ed1cc2697cd65 libvorbis-1.3.6.tar.xz sha256sums="af00bb5a784e7c9e69f56823de4637c350643deedaf333d0fa86ecdba6fcb415 libvorbis-1.3.6.tar.xz f93bf45de3a21db0fa9bb9cd25edefb1182bf24d61028a86cbf45fbcd11fbdf5 CVE-2017-14160.patch" sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz -4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch" +4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch +a60d45144882bc72c3f4937a34baa5e2bda80a3a858b858637fee508755349b616690519e013ff6aafa7e8ff85fd1d0687a3e748b0e8bce25df1abeece97dc36 CVE-2018-10392.patch" diff --git a/main/libvorbis/CVE-2018-10392.patch b/main/libvorbis/CVE-2018-10392.patch new file mode 100644 index 0000000000..3d3a16cdea --- /dev/null +++ b/main/libvorbis/CVE-2018-10392.patch @@ -0,0 +1,25 @@ +From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001 +From: Thomas Daede <daede003@umn.edu> +Date: Thu, 17 May 2018 16:19:19 -0700 +Subject: [PATCH] Sanity check number of channels in setup. + +Fixes #2335. +--- + lib/vorbisenc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c +index 4fc7b62..64a51b5 100644 +--- a/lib/vorbisenc.c ++++ b/lib/vorbisenc.c +@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){ + highlevel_encode_setup *hi=&ci->hi; + + if(ci==NULL)return(OV_EINVAL); ++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL); + if(!hi->impulse_block_p)i0=1; + + /* too low/high an ATH floater is nonsensical, but doesn't break anything */ +-- +libgit2 0.26.0 + |