Mon Aug 6 13:25:38 2018 UTC ()
audio/libvorbis: Fix CVE-2017-14160, CVE-2018-10392, and CVE-2018-10393.
Bump PKGREVISION to 1.
(snj)
diff -r1.61 -r1.62 pkgsrc/audio/libvorbis/Makefile
diff -r1.26 -r1.27 pkgsrc/audio/libvorbis/distinfo
diff -r0 -r1.1 pkgsrc/audio/libvorbis/patches/patch-lib_psy.c
diff -r0 -r1.1 pkgsrc/audio/libvorbis/patches/patch-lib_vorbisenc.c
--- pkgsrc/audio/libvorbis/Makefile 2018/03/16 20:37:10 1.61
+++ pkgsrc/audio/libvorbis/Makefile 2018/08/06 13:25:38 1.62
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.61 2018/03/16 20:37:10 maya Exp $ | | 1 | # $NetBSD: Makefile,v 1.62 2018/08/06 13:25:38 snj Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= libvorbis-1.3.6 | | 3 | DISTNAME= libvorbis-1.3.6 |
| | | 4 | PKGREVISION= 1 |
| 4 | CATEGORIES= devel audio | | 5 | CATEGORIES= devel audio |
| 5 | MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ | | 6 | MASTER_SITES= http://downloads.xiph.org/releases/vorbis/ |
| 6 | EXTRACT_SUFX= .tar.xz | | 7 | EXTRACT_SUFX= .tar.xz |
| 7 | | | 8 | |
| 8 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 9 | HOMEPAGE= https://www.xiph.org/vorbis/ | | 10 | HOMEPAGE= https://www.xiph.org/vorbis/ |
| 10 | COMMENT= Library for the Ogg Vorbis audio encoding format | | 11 | COMMENT= Library for the Ogg Vorbis audio encoding format |
| 11 | LICENSE= modified-bsd | | 12 | LICENSE= modified-bsd |
| 12 | | | 13 | |
| 13 | USE_LIBTOOL= yes | | 14 | USE_LIBTOOL= yes |
| 14 | GNU_CONFIGURE= yes | | 15 | GNU_CONFIGURE= yes |
| 15 | TEST_TARGET= check | | 16 | TEST_TARGET= check |
| 16 | | | 17 | |
--- pkgsrc/audio/libvorbis/distinfo 2018/03/16 20:23:53 1.26
+++ pkgsrc/audio/libvorbis/distinfo 2018/08/06 13:25:38 1.27
| @@ -1,6 +1,8 @@ | | | @@ -1,6 +1,8 @@ |
| 1 | $NetBSD: distinfo,v 1.26 2018/03/16 20:23:53 maya Exp $ | | 1 | $NetBSD: distinfo,v 1.27 2018/08/06 13:25:38 snj Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (libvorbis-1.3.6.tar.xz) = 237e3d1c66452734fd9b32f494f44238b4f0185e | | 3 | SHA1 (libvorbis-1.3.6.tar.xz) = 237e3d1c66452734fd9b32f494f44238b4f0185e |
| 4 | RMD160 (libvorbis-1.3.6.tar.xz) = 80213c5a1506438a342588ae58097a1590b6657c | | 4 | RMD160 (libvorbis-1.3.6.tar.xz) = 80213c5a1506438a342588ae58097a1590b6657c |
| 5 | SHA512 (libvorbis-1.3.6.tar.xz) = a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 | | 5 | SHA512 (libvorbis-1.3.6.tar.xz) = a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 |
| 6 | Size (libvorbis-1.3.6.tar.xz) = 1195388 bytes | | 6 | Size (libvorbis-1.3.6.tar.xz) = 1195388 bytes |
| | | 7 | SHA1 (patch-lib_psy.c) = acbc6fd4e4e7710a05b6342c10270f085214a84f |
| | | 8 | SHA1 (patch-lib_vorbisenc.c) = e65377b441c71e75e86064292dccfb86acf298b2 |
$NetBSD: patch-lib_psy.c,v 1.1 2018/08/06 13:25:38 snj Exp $
CVE-2017-14160: fix bounds check on very low sample rates.
https://github.com/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25#diff-3b415297c1f1559ee10baa1284561e46
--- lib/psy.c.orig 2018-08-06 06:10:59.234730587 -0700
+++ lib/psy.c 2018-08-06 06:13:28.935699414 -0700
@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,co
for (i = 0, x = 0.f;; i++, x += 1.f) {
lo = b[i] >> 16;
- if( lo>=0 ) break;
hi = b[i] & 0xffff;
+ if( lo>=0 ) break;
+ if( hi>=n ) break;
tN = N[hi] + N[-lo];
tX = X[hi] - X[-lo];
$NetBSD: patch-lib_vorbisenc.c,v 1.1 2018/08/06 13:25:38 snj Exp $
https://gitlab.xiph.org/xiph/vorbis/issues/2335
--- lib/vorbisenc.c.orig 2018-08-06 06:17:42.209959046 -0700
+++ lib/vorbisenc.c 2018-08-06 06:18:01.425700460 -0700
@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info
highlevel_encode_setup *hi=&ci->hi;
if(ci==NULL)return(OV_EINVAL);
+ if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
if(!hi->impulse_block_p)i0=1;
/* too low/high an ATH floater is nonsensical, but doesn't break anything */