1 |
commit: e2ec2c790cf28858ec8dd4da007ca7ca12ffeca1 |
2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Sep 18 21:23:22 2018 +0000 |
4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Sep 18 21:24:08 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2ec2c79 |
7 |
|
8 |
media-libs/libsndfile: Fix CVE-2018-13139 |
9 |
|
10 |
Bug: https://bugs.gentoo.org/660452 |
11 |
Package-Manager: Portage-2.3.49, Repoman-2.3.10 |
12 |
|
13 |
.../files/libsndfile-1.0.28-CVE-2018-13139.patch | 31 ++++++++++ |
14 |
media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild | 67 ++++++++++++++++++++++ |
15 |
2 files changed, 98 insertions(+) |
16 |
|
17 |
diff --git a/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch |
18 |
new file mode 100644 |
19 |
index 00000000000..18e6ae76e62 |
20 |
--- /dev/null |
21 |
+++ b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch |
22 |
@@ -0,0 +1,31 @@ |
23 |
+From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001 |
24 |
+From: "Brett T. Warden" <brett.t.warden@×××××.com> |
25 |
+Date: Tue, 28 Aug 2018 12:01:17 -0700 |
26 |
+Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave |
27 |
+ |
28 |
+Allocated buffer has space for only 16 channels. Verify that input file |
29 |
+meets this limit. |
30 |
+ |
31 |
+Fixes #397 |
32 |
+--- |
33 |
+ programs/sndfile-deinterleave.c | 7 +++++++ |
34 |
+ 1 file changed, 7 insertions(+) |
35 |
+ |
36 |
+diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c |
37 |
+index 53660310..225b4d54 100644 |
38 |
+--- a/programs/sndfile-deinterleave.c |
39 |
++++ b/programs/sndfile-deinterleave.c |
40 |
+@@ -89,6 +89,13 @@ main (int argc, char **argv) |
41 |
+ exit (1) ; |
42 |
+ } ; |
43 |
+ |
44 |
++ if (sfinfo.channels > MAX_CHANNELS) |
45 |
++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", |
46 |
++ argv [1], sfinfo.channels, MAX_CHANNELS) ; |
47 |
++ exit (1) ; |
48 |
++ } ; |
49 |
++ |
50 |
++ |
51 |
+ state.channels = sfinfo.channels ; |
52 |
+ sfinfo.channels = 1 ; |
53 |
+ |
54 |
\ No newline at end of file |
55 |
|
56 |
diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild |
57 |
new file mode 100644 |
58 |
index 00000000000..a6eb6e3a48c |
59 |
--- /dev/null |
60 |
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild |
61 |
@@ -0,0 +1,67 @@ |
62 |
+# Copyright 1999-2018 Gentoo Foundation |
63 |
+# Distributed under the terms of the GNU General Public License v2 |
64 |
+ |
65 |
+EAPI=7 |
66 |
+ |
67 |
+PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} pypy{,3} ) |
68 |
+ |
69 |
+inherit python-any-r1 multilib-minimal |
70 |
+ |
71 |
+MY_P=${P/_pre/pre} |
72 |
+ |
73 |
+DESCRIPTION="C library for reading and writing files containing sampled sound" |
74 |
+HOMEPAGE="http://www.mega-nerd.com/libsndfile" |
75 |
+if [[ ${MY_P} == ${P} ]]; then |
76 |
+ SRC_URI="http://www.mega-nerd.com/libsndfile/files/${P}.tar.gz" |
77 |
+else |
78 |
+ SRC_URI="http://www.mega-nerd.com/tmp/${MY_P}b.tar.gz" |
79 |
+fi |
80 |
+ |
81 |
+LICENSE="LGPL-2.1" |
82 |
+SLOT="0" |
83 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" |
84 |
+IUSE="alsa minimal sqlite static-libs test" |
85 |
+ |
86 |
+RDEPEND=" |
87 |
+ !minimal? ( |
88 |
+ >=media-libs/flac-1.2.1-r5[${MULTILIB_USEDEP}] |
89 |
+ >=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}] |
90 |
+ >=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}] |
91 |
+ ) |
92 |
+ alsa? ( media-libs/alsa-lib ) |
93 |
+ sqlite? ( >=dev-db/sqlite-3.2 )" |
94 |
+DEPEND="${RDEPEND}" |
95 |
+BDEPEND=" |
96 |
+ virtual/pkgconfig |
97 |
+ test? ( ${PYTHON_DEPS} )" |
98 |
+ |
99 |
+S=${WORKDIR}/${MY_P} |
100 |
+ |
101 |
+PATCHES=( |
102 |
+ "${FILESDIR}"/${P}-arm-varargs-failure.patch |
103 |
+ "${FILESDIR}"/${P}-CVE-2017-12562.patch |
104 |
+ "${FILESDIR}"/${P}-CVE-2018-13139.patch |
105 |
+) |
106 |
+ |
107 |
+pkg_setup() { |
108 |
+ use test && python-any-r1_pkg_setup |
109 |
+} |
110 |
+ |
111 |
+multilib_src_configure() { |
112 |
+ ECONF_SOURCE="${S}" econf \ |
113 |
+ --disable-octave \ |
114 |
+ --enable-gcc-pipe \ |
115 |
+ --enable-gcc-opt \ |
116 |
+ $(use_enable static-libs static) \ |
117 |
+ $(use_enable !minimal external-libs) \ |
118 |
+ $(multilib_native_enable full-suite) \ |
119 |
+ $(multilib_native_use_enable alsa) \ |
120 |
+ $(multilib_native_use_enable sqlite) |
121 |
+} |
122 |
+ |
123 |
+multilib_src_install_all() { |
124 |
+ einstalldocs |
125 |
+ |
126 |
+ # package provides .pc files |
127 |
+ find "${D}" -name '*.la' -delete || die |
128 |
+} |