author | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 08:02:45 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-07-30 10:30:09 +0200 |
commit | 602d91945a5a2a9e239d0dd0d65f7d8219105767 (patch) | |
tree | a794ec667eafeb758fbb50bc3be2626aed731d7d | |
parent | d306aa6cfcff4a7559cb685f450de8970e6cc399 (diff) | |
main/libvorbis: security fix for CVE-2018-10392
fixes #9143
-rw-r--r-- | main/libvorbis/APKBUILD | 11 | ||||
-rw-r--r-- | main/libvorbis/CVE-2018-10392.patch | 25 |
2 files changed, 33 insertions, 3 deletions
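--- a/main/libvorbis/APKBUILD
+++ b/main/libvorbis/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libvorbis
 pkgver=1.3.6
-pkgrel=0
+pkgrel=1
 pkgdesc="Vorbis codec library"
 url="https://xiph.org/vorbis"
 arch="all"
@@ -11,10 +11,14 @@ depends=
 depends_dev="libogg-dev"
 makedepends="$depends_dev"
 source="http://downloads.xiph.org/releases/vorbis/$pkgname-$pkgver.tar.xz
-CVE-2017-14160.patch"
+CVE-2017-14160.patch
+CVE-2018-10392.patch
+"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+# 1.3.6-r1:
+# - CVE-2018-10392
 # 1.3.6-r0:
 # - CVE-2018-5146
 # 1.3.5-r3:
@@ -47,4 +51,5 @@ package() {
 }
 
 sha512sums="a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132 libvorbis-1.3.6.tar.xz
-4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch"
+4c2f7be947f2159ae47175cba89950c7b7d357b37a20d54382e4fbecd8c268b148e6cb86cb148945c7b68bbe8b14f466e910b35b80903ab51f1b02cfccf5806e CVE-2017-14160.patch
+a60d45144882bc72c3f4937a34baa5e2bda80a3a858b858637fee508755349b616690519e013ff6aafa7e8ff85fd1d0687a3e748b0e8bce25df1abeece97dc36 CVE-2018-10392.patch"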
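--- /dev/null
+++ b/main/libvorbis/CVE-2018-10392.patch
@@ -0,0 +1,25 @@
+From 112d3bd0aaacad51305e1464d4b381dabad0e88b Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 17 May 2018 16:19:19 -0700
+Subject: [PATCH] Sanity check number of channels in setup.
+
+Fixes #2335.
+---
+lib/vorbisenc.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4fc7b62..64a51b5 100644
+--- a/lib/vorbisenc.c
++++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+highlevel_encode_setup *hi=&ci->hi;
+
+if(ci==NULL)return(OV_EINVAL);
++ if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+if(!hi->impulse_block_p)i0=1;
+
+/* too low/high an ATH floater is nonsensical, but doesn't break anything */
+--
+libgit2 0.26.0
+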
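Review bot: The guard added to vorbis_encode_setup_init, `if(vi->channels<1||vi->channels>255)return(OV_EINVAL);`, uses a bare 255 with no explanation of where the limit comes from. A one-line comment such as `/* channel count is an 8-bit field in the Vorbis identification header */` would tell later maintainers that the bound is a format limit rather than an arbitrary cap. The check dereferences `vi` and sits after `hi=&ci->hi`, so it relies on `vi` being non-NULL on entry; the function starts before this hunk and continues past it, so that could not be confirmed from the visible lines. Because the validation lives only in this setup function, it is also worth confirming that every encoder path that sizes or indexes buffers by `vi->channels` passes through it first.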