aboutsummaryrefslogtreecommitdiffstats
path: root/main/lame
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-08-07 08:47:52 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-08-07 08:55:32 +0000
commit2c851aafb18a59c7927ff1db648b5b4767d7e300 (patch)
treea6e4ffe6f82932b59a390f57595bf8f9d366bedc /main/lame
parent2e380c1151ba54817062f96f023b6f41d1816660 (diff)
downloadaports-2c851aafb18a59c7927ff1db648b5b4767d7e300.tar.bz2
aports-2c851aafb18a59c7927ff1db648b5b4767d7e300.tar.xz
main/lame: security fixes:
Diffstat (limited to 'main/lame')
-rw-r--r--main/lame/APKBUILD31
-rw-r--r--main/lame/CVE-2015-9099.patch31
-rw-r--r--main/lame/CVE-2015-9100_2017-9410_2017-9411.patch0
-rw-r--r--main/lame/CVE-2017-9412_CVE-2017-11720.patch17
4 files changed, 74 insertions, 5 deletions
diff --git a/main/lame/APKBUILD b/main/lame/APKBUILD
index 1013b29f94..9117e787ea 100644
--- a/main/lame/APKBUILD
+++ b/main/lame/APKBUILD
@@ -2,7 +2,7 @@
pkgname=lame
pkgver=3.99.5
_ver=${pkgver%.*}
-pkgrel=5
+pkgrel=6
pkgdesc="An MP3 encoder and graphical frame analyzer"
url="http://lame.sourceforge.net/"
arch="all"
@@ -12,10 +12,22 @@ depends=
makedepends="nasm ncurses-dev autoconf automake libtool"
source="http://downloads.sourceforge.net/project/lame/lame/$_ver/lame-$pkgver.tar.gz
sse.patch
- lame-automake-1.12.patch"
+ lame-automake-1.12.patch
+ CVE-2015-9099.patch
+ CVE-2015-9100_2017-9410_2017-9411.patch
+ CVE-2017-9412_CVE-2017-11720.patch"
_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:ss
+# 3.99.5-r6:
+# - CVE-2015-9099
+# - CVE-2015-9100
+# - CVE-2017-9410
+# - CVE-2017-9411
+# - CVE-2017-9412
+# - CVE-2017-11720
+
prepare() {
cd "$_builddir"
for i in $source; do
@@ -65,10 +77,19 @@ package() {
md5sums="84835b313d4a8b68f5349816d33e07ce lame-3.99.5.tar.gz
ca77f3259ed398ae1c55073dacdd752f sse.patch
-54814745b84480da3b643582f2e5b485 lame-automake-1.12.patch"
+54814745b84480da3b643582f2e5b485 lame-automake-1.12.patch
+67e2b8ce0551d70ca391b59a3de3d195 CVE-2015-9099.patch
+d41d8cd98f00b204e9800998ecf8427e CVE-2015-9100_2017-9410_2017-9411.patch
+8baf1f177fd1622c1cb30a81a8b85e97 CVE-2017-9412_CVE-2017-11720.patch"
sha256sums="24346b4158e4af3bd9f2e194bb23eb473c75fb7377011523353196b19b9a23ff lame-3.99.5.tar.gz
1c8e1798391f45ee37632287ceaff7bcb9cd0221b6e5cf1d40a989b9541e341f sse.patch
-52ba7c70db1223775b3f1f84f1895f27c1c01f73c58ea381ec97ec8e5236e0d7 lame-automake-1.12.patch"
+52ba7c70db1223775b3f1f84f1895f27c1c01f73c58ea381ec97ec8e5236e0d7 lame-automake-1.12.patch
+ffe13b2c1f3c0f1533a63c335b7f2e1f427c6a825824fe050ea966ba203e31be CVE-2015-9099.patch
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 CVE-2015-9100_2017-9410_2017-9411.patch
+cf2e798e835b08034a5ab26cf9739653034cff11c10c44b9ac680a0f97ba185a CVE-2017-9412_CVE-2017-11720.patch"
sha512sums="ce62d7eb9fc8c53c343374ded30f11153a296910f0be7e649197bca7412c6660aad1aa6143d56b750f866229eb492cf7bb4f682535c383fb4aa57d7077d8b4d8 lame-3.99.5.tar.gz
89c1a3b52c6469c78ab1fcb52e7dbb3a62dac20953905027301f659ebcb166d0fc4ef78b8459feec0c26e458f3e1415bb88209b9c43a5af1e0643764ffb6fe83 sse.patch
-fa789f706e5efffaac9d7a6cf001b5a0fef7e04845ee2c02d5af4e735629b5f225e355673890892f028d6c35d3969124b3ef4a28c980050f1635c2a58b8f25ed lame-automake-1.12.patch"
+fa789f706e5efffaac9d7a6cf001b5a0fef7e04845ee2c02d5af4e735629b5f225e355673890892f028d6c35d3969124b3ef4a28c980050f1635c2a58b8f25ed lame-automake-1.12.patch
+15de6a6f55c0c8d600b71ef93a38a8a3b42cea90657ee8295e49209dbe4c6215a0c6fd9572d0de2bd523e76bb414a876a828d26029230fe93e11711df4991fe5 CVE-2015-9099.patch
+cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e CVE-2015-9100_2017-9410_2017-9411.patch
+769dd3e7693689c9a35b33111ff99da657df720d9f63d4c2ee30b97ac28c25ba89ff3690f68da3f72b59e6812c2d19af6321fabd605563c3819882ddcfa814e4 CVE-2017-9412_CVE-2017-11720.patch"
diff --git a/main/lame/CVE-2015-9099.patch b/main/lame/CVE-2015-9099.patch
new file mode 100644
index 0000000000..5be534bd02
--- /dev/null
+++ b/main/lame/CVE-2015-9099.patch
@@ -0,0 +1,31 @@
+From 1ea4eac3e7d57dbad42fb067a32ac1600a0397a0 Mon Sep 17 00:00:00 2001
+From: Maks Naumov <maksqwe1@ukr.net>
+Date: Thu, 22 Jan 2015 16:20:40 +0200
+Subject: [PATCH] Add check for invalid input sample rate
+
+Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
+---
+ libmp3lame/lame.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libmp3lame/lame.c b/libmp3lame/lame.c
+index 5989160..51d689c 100644
+--- a/libmp3lame/lame.c
++++ b/libmp3lame/lame.c
+@@ -822,6 +822,12 @@ lame_init_params(lame_global_flags * gfp)
+ }
+ #endif
+
++ if (gfp->samplerate_in < 0) {
++ freegfc(gfc);
++ gfp->internal_flags = NULL;
++ return -1;
++ }
++
+ cfg->disable_reservoir = gfp->disable_reservoir;
+ cfg->lowpassfreq = gfp->lowpassfreq;
+ cfg->highpassfreq = gfp->highpassfreq;
+--
+1.9.4.msysgit.1
+
+
diff --git a/main/lame/CVE-2015-9100_2017-9410_2017-9411.patch b/main/lame/CVE-2015-9100_2017-9410_2017-9411.patch
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/main/lame/CVE-2015-9100_2017-9410_2017-9411.patch
diff --git a/main/lame/CVE-2017-9412_CVE-2017-11720.patch b/main/lame/CVE-2017-9412_CVE-2017-11720.patch
new file mode 100644
index 0000000000..214ca459c6
--- /dev/null
+++ b/main/lame/CVE-2017-9412_CVE-2017-11720.patch
@@ -0,0 +1,17 @@
+Description: Avoid malformed wav causing floating point exception (integer divide by zero)
+Author: Fabian Greffrath <fabian+debian@greffrath.com>
+Bug-Debian: https://bugs.debian.org/777159
+
+--- a/frontend/get_audio.c
++++ b/frontend/get_audio.c
+@@ -1448,6 +1448,10 @@ parse_wave_header(lame_global_flags * gf
+ else {
+ (void) lame_set_in_samplerate(gfp, global_reader.input_samplerate);
+ }
++ /* avoid division by zero */
++ if (bits_per_sample < 1)
++ return -1;
++
+ global. pcmbitwidth = bits_per_sample;
+ global. pcm_is_unsigned_8bit = 1;
+ global. pcm_is_ieee_float = (format_tag == WAVE_FORMAT_IEEE_FLOAT ? 1 : 0);