pullup ticket #2353 - requested by wiz vorbis-tools: resolves security issue revisions pulled up: - pkgsrc/audio/vorbis-tools/Makefile 1.50 - pkgsrc/audio/vorbis-tools/distinfo 1.21 - pkgsrc/audio/vorbis-tools/patches/patch-ad 1.3 Module Name: pkgsrc Committed By: wiz Date: Tue Apr 29 05:51:10 UTC 2008 Modified Files: pkgsrc/audio/vorbis-tools: Makefile distinfo Added Files: pkgsrc/audio/vorbis-tools/patches: patch-ad Log Message: Add upstream patch fixing http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686 Bump PKGREVISION.diff -r1.49 -r1.49.2.1 pkgsrc/audio/vorbis-tools/Makefile
(rtr)
| @@ -1,16 +1,17 @@ | @@ -1,16 +1,17 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.49 2008/03/14 18:55:54 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.49.2.1 2008/04/30 09:23:27 rtr Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= vorbis-tools-1.2.0 | 3 | DISTNAME= vorbis-tools-1.2.0 | |
| 4 | PKGREVISION= 1 | |||
| 4 | CATEGORIES= audio | 5 | CATEGORIES= audio | |
| 5 | MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ | 6 | MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ | |
| 6 | 7 | |||
| 7 | MAINTAINER= wiz@NetBSD.org | 8 | MAINTAINER= wiz@NetBSD.org | |
| 8 | HOMEPAGE= http://www.vorbis.com/ | 9 | HOMEPAGE= http://www.vorbis.com/ | |
| 9 | COMMENT= Ogg Vorbis encoder and player | 10 | COMMENT= Ogg Vorbis encoder and player | |
| 10 | 11 | |||
| 11 | PKG_DESTDIR_SUPPORT= user-destdir | 12 | PKG_DESTDIR_SUPPORT= user-destdir | |
| 12 | 13 | |||
| 13 | BUILD_DEFS+= IPV6_READY | 14 | BUILD_DEFS+= IPV6_READY | |
| 14 | 15 | |||
| 15 | CONFLICTS= vorbis-[0-9]* | 16 | CONFLICTS= vorbis-[0-9]* | |
| 16 | 17 |
| @@ -1,8 +1,9 @@ | @@ -1,8 +1,9 @@ | |||
| 1 | $NetBSD: distinfo,v 1.20 2008/03/14 18:55:54 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.20.2.1 2008/04/30 09:23:27 rtr Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (vorbis-tools-1.2.0.tar.gz) = c5c5ee4637ab8c9fc953d203663b7264432f874a | 3 | SHA1 (vorbis-tools-1.2.0.tar.gz) = c5c5ee4637ab8c9fc953d203663b7264432f874a | |
| 4 | RMD160 (vorbis-tools-1.2.0.tar.gz) = 8cb6925c6e4e69373b6c91ff20d7ed8d75153b7c | 4 | RMD160 (vorbis-tools-1.2.0.tar.gz) = 8cb6925c6e4e69373b6c91ff20d7ed8d75153b7c | |
| 5 | Size (vorbis-tools-1.2.0.tar.gz) = 1076814 bytes | 5 | Size (vorbis-tools-1.2.0.tar.gz) = 1076814 bytes | |
| 6 | SHA1 (patch-aa) = a9fe36760479678df09f840671c515e0d9f37796 | 6 | SHA1 (patch-aa) = a9fe36760479678df09f840671c515e0d9f37796 | |
| 7 | SHA1 (patch-ab) = b706ae0bc9e13c5ccff689aa1451efc782e340e9 | 7 | SHA1 (patch-ab) = b706ae0bc9e13c5ccff689aa1451efc782e340e9 | |
| 8 | SHA1 (patch-ac) = 53065c4db39f7e975712c2cba51ff5542cf5a77f | 8 | SHA1 (patch-ac) = 53065c4db39f7e975712c2cba51ff5542cf5a77f | |
| 9 | SHA1 (patch-ad) = 6fe04631cd098fc64bf0914f1fd4ef654c0089b0 |
$NetBSD: patch-ad,v 1.2.2.1 2008/04/30 09:23:27 rtr Exp $
https://trac.xiph.org/attachment/ticket/1347/vorbis-tools-1.2.0-sec.patch
for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
--- ogg123/speex_format.c.orig 2008-03-03 06:37:26.000000000 +0100
+++ ogg123/speex_format.c
@@ -475,7 +475,7 @@ void *process_header(ogg_packet *op, int
cb->printf_error(callback_arg, ERROR, _("Cannot read header"));
return NULL;
}
- if ((*header)->mode >= SPEEX_NB_MODES) {
+ if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) {
cb->printf_error(callback_arg, ERROR,
_("Mode number %d does not (any longer) exist in this version"),
(*header)->mode);