summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-09 21:49:59 -0500
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-07-09 21:49:59 -0500
commit48062dbff757ffabd9a580ee8de6b05d37dcc4bd (patch)
tree70bd6e6f498a431e88878efa74fc55b5c5dcda14
parent47424b96d5cdc44a0ccaded226a80733b4df37ec (diff)
downloadpackages-48062dbff757ffabd9a580ee8de6b05d37dcc4bd.tar.gz
packages-48062dbff757ffabd9a580ee8de6b05d37dcc4bd.tar.bz2
packages-48062dbff757ffabd9a580ee8de6b05d37dcc4bd.tar.xz
packages-48062dbff757ffabd9a580ee8de6b05d37dcc4bd.zip
user/libvorbis: pull in, bump, fix
-rw-r--r--user/libvorbis/APKBUILD41
-rw-r--r--user/libvorbis/CVE-2017-14160.patch58
2 files changed, 99 insertions, 0 deletions
diff --git a/user/libvorbis/APKBUILD b/user/libvorbis/APKBUILD
new file mode 100644
index 000000000..2b5b41f4c
--- /dev/null
+++ b/user/libvorbis/APKBUILD
@@ -0,0 +1,41 @@
+# Maintainer:
+pkgname=libvorbis
+pkgver=1.3.6
+pkgrel=0
+pkgdesc="Vorbis audio codec library"
+url="https://xiph.org/vorbis/"
+arch="all"
+options="!check" # Test suite doesn't compile.
+license="BSD-3-Clause"
+subpackages="$pkgname-dev $pkgname-doc"
+makedepends="libogg-dev"
+source="https://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz
+ CVE-2017-14160.patch
+ "
+
+# secfixes:
+# 1.3.5-r4:
+# - CVE-2017-14632
+# - CVE-2017-14633
+# 1.3.5-r3:
+# - CVE-2017-14160
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --localstatedir=/var
+ make
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
+}
+
+sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz
+4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch"
diff --git a/user/libvorbis/CVE-2017-14160.patch b/user/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 000000000..9ad9d18f7
--- /dev/null
+++ b/user/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,58 @@
+From 98a60969315dba8c1e8231f561e1551670bc80ae Mon Sep 17 00:00:00 2001
+Message-Id: <98a60969315dba8c1e8231f561e1551670bc80ae.1511192857.git.agx@sigxcpu.org>
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 13:12:00 +0100
+Subject: [PATCH] CVE-2017-14160: make sure we don't overflow
+
+---
+ lib/psy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1e..8bbf6cf3 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -599,7 +599,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+ XY[i] = tXY;
+ }
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ if( lo>=0 ) break;
+@@ -621,12 +621,11 @@ static void bark_noise_hybridmp(int n,const long *b,
+ noise[i] = R - offset;
+ }
+
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+ hi = b[i] & 0xffff;
+ if(hi>=n)break;
+-
+ tN = N[hi] - N[lo];
+ tX = X[hi] - X[lo];
+ tXX = XX[hi] - XX[lo];
+@@ -651,7 +650,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (fixed <= 0) return;
+
+- for (i = 0, x = 0.f;; i++, x += 1.f) {
++ for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+ if(lo>=0)break;
+@@ -670,7 +669,7 @@ static void bark_noise_hybridmp(int n,const long *b,
+
+ if (R - offset < noise[i]) noise[i] = R - offset;
+ }
+- for ( ;; i++, x += 1.f) {
++ for ( ; i < n; i++, x += 1.f) {
+
+ hi = i + fixed / 2;
+ lo = hi - fixed;
+--
+2.15.0
+