pullup ticket #2353 - requested by wiz vorbis-tools: resolves security issue revisions pulled up: - pkgsrc/audio/vorbis-tools/Makefile 1.50 - pkgsrc/audio/vorbis-tools/distinfo 1.21 - pkgsrc/audio/vorbis-tools/patches/patch-ad 1.3 Module Name: pkgsrc Committed By: wiz Date: Tue Apr 29 05:51:10 UTC 2008 Modified Files: pkgsrc/audio/vorbis-tools: Makefile distinfo Added Files: pkgsrc/audio/vorbis-tools/patches: patch-ad Log Message: Add upstream patch fixing http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686 Bump PKGREVISION.diff -r1.49 -r1.49.2.1 pkgsrc/audio/vorbis-tools/Makefile
(rtr)
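--- a/pkgsrc/audio/vorbis-tools/Makefile
+++ b/pkgsrc/audio/vorbis-tools/Makefile
@@ -1,38 +1,39 @@
-# $NetBSD: Makefile,v 1.49 2008/03/14 18:55:54 wiz Exp $
+# $NetBSD: Makefile,v 1.49.2.1 2008/04/30 09:23:27 rtr Exp $
 
 DISTNAME= vorbis-tools-1.2.0
+PKGREVISION= 1
 CATEGORIES= audio
 MASTER_SITES= http://downloads.xiph.org/releases/vorbis/
 
 MAINTAINER= wiz@NetBSD.org
 HOMEPAGE= http://www.vorbis.com/
 COMMENT= Ogg Vorbis encoder and player
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 BUILD_DEFS+= IPV6_READY
 
 CONFLICTS= vorbis-[0-9]*
 
 USE_PKGLOCALEDIR= yes
 GNU_CONFIGURE= yes
 USE_LIBTOOL= yes
 CONFIGURE_ARGS+= --with-ogg-prefix=${BUILDLINK_PREFIX.libogg} \
 --with-vorbis-prefix=${BUILDLINK_PREFIX.libvorbis} \
 --with-ao-prefix=${BUILDLINK_PREFIX.libao} \
 --enable-vcut
 
 PLIST_SUBST+= DISTNAME=${DISTNAME:Q}
 
 PTHREAD_OPTS+= require
 
 .include "../../audio/flac/buildlink3.mk"
 .include "../../audio/libao/buildlink3.mk"
 .include "../../audio/libvorbis/buildlink3.mk"
 .include "../../audio/speex/buildlink3.mk"
 .include "../../converters/libiconv/buildlink3.mk"
 .include "../../multimedia/libogg/buildlink3.mk"
 .include "../../www/curl/buildlink3.mk"
 
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"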
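--- a/pkgsrc/audio/vorbis-tools/distinfo
+++ b/pkgsrc/audio/vorbis-tools/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.20 2008/03/14 18:55:54 wiz Exp $
+$NetBSD: distinfo,v 1.20.2.1 2008/04/30 09:23:27 rtr Exp $
 
 SHA1 (vorbis-tools-1.2.0.tar.gz) = c5c5ee4637ab8c9fc953d203663b7264432f874a
 RMD160 (vorbis-tools-1.2.0.tar.gz) = 8cb6925c6e4e69373b6c91ff20d7ed8d75153b7c
 Size (vorbis-tools-1.2.0.tar.gz) = 1076814 bytes
 SHA1 (patch-aa) = a9fe36760479678df09f840671c515e0d9f37796
 SHA1 (patch-ab) = b706ae0bc9e13c5ccff689aa1451efc782e340e9
 SHA1 (patch-ac) = 53065c4db39f7e975712c2cba51ff5542cf5a77f
+SHA1 (patch-ad) = 6fe04631cd098fc64bf0914f1fd4ef654c0089b0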
$NetBSD: patch-ad,v 1.2.2.1 2008/04/30 09:23:27 rtr Exp $
https://trac.xiph.org/attachment/ticket/1347/vorbis-tools-1.2.0-sec.patch
for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
--- ogg123/speex_format.c.orig 2008-03-03 06:37:26.000000000 +0100
+++ ogg123/speex_format.c
@@ -475,7 +475,7 @@ void *process_header(ogg_packet *op, int
cb->printf_error(callback_arg, ERROR, _("Cannot read header"));
return NULL;
}
- if ((*header)->mode >= SPEEX_NB_MODES) {
+ if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) {
cb->printf_error(callback_arg, ERROR,
_("Mode number %d does not (any longer) exist in this version"),
(*header)->mode);
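Review bot: The added `(*header)->mode < 0` test in process_header has no comment saying why a negative mode is rejected, and it reuses the "does not (any longer) exist in this version" message, which describes a version mismatch rather than a malformed header. The mode value is read from the stream's Speex header, so it is attacker-controlled input; presumably it is used afterwards to select a mode table entry, though that use is outside this hunk. I would add a comment above the check such as `/* mode comes from the stream header: reject anything outside [0, SPEEX_NB_MODES) before it is used */`. I would also put the lower bound first so the range reads in order: `if ((*header)->mode < 0 || (*header)->mode >= SPEEX_NB_MODES) {`. process_header starts and ends outside the hunk, so any other header fields taken from the stream need the same range check and are not covered here.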