rpms/libvorbis/devel r16326.diff, NONE, 1.1 r16597.diff, NONE, 1.1 libvorbis.spec, 1.39, 1.40

Jindrich Novy jnovy at fedoraproject.org
Mon Nov 2 14:12:15 UTC 2009 

Author: jnovy

Update of /cvs/pkgs/rpms/libvorbis/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25407

Modified Files:
	libvorbis.spec 
Added Files:
	r16326.diff r16597.diff 
Log Message:
* Mon Nov  2 2009 Jindrich Novy <jnovy at redhat.com> 1.2.3-3
- backport patches to fix CVE-2009-3379 (#531765) from upstream


r16326.diff:
 backends.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE r16326.diff ---
diff -up libvorbis-1.2.3/lib/backends.h.r16326 libvorbis-1.2.3/lib/backends.h
--- libvorbis-1.2.3/lib/backends.h.r16326	2009-07-09 11:12:08.000000000 +0200
+++ libvorbis-1.2.3/lib/backends.h	2009-11-02 14:55:42.000000000 +0100
@@ -111,7 +111,7 @@ typedef struct vorbis_info_residue0{
   int    partitions;       /* possible codebooks for a partition */
   int    groupbook;        /* huffbook for partitioning */
   int    secondstages[64]; /* expanded out to pointers in lookup */
-  int    booklist[256];    /* list of second stage books */
+  int    booklist[512];    /* list of second stage books */
 
   const float classmetric1[64];
   const float classmetric2[64];

r16597.diff:
 codebook.c |    1 +
 1 file changed, 1 insertion(+)

--- NEW FILE r16597.diff ---
diff -up libvorbis-1.2.3/lib/codebook.c.r16597 libvorbis-1.2.3/lib/codebook.c
--- libvorbis-1.2.3/lib/codebook.c.r16597	2009-07-09 11:12:08.000000000 +0200
+++ libvorbis-1.2.3/lib/codebook.c	2009-11-02 14:51:15.000000000 +0100
@@ -198,6 +198,7 @@ int vorbis_staticbook_unpack(oggpack_buf
       for(i=0;i<s->entries;){
         long num=oggpack_read(opb,_ilog(s->entries-i));
         if(num==-1)goto _eofout;
+        if(length>32)goto _errout;
         for(j=0;j<num && i<s->entries;j++,i++)
           s->lengthlist[i]=length;
         length++;


Index: libvorbis.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libvorbis/devel/libvorbis.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -p -r1.39 -r1.40
--- libvorbis.spec	25 Jul 2009 08:53:44 -0000	1.39
+++ libvorbis.spec	2 Nov 2009 14:12:13 -0000	1.40
@@ -9,6 +9,8 @@ URL:		http://www.xiph.org/
 Source:		http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.bz2
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)	
 BuildRequires: 	libogg-devel >= 2:1.1
+Patch0:		r16326.diff
+Patch1:		r16597.diff
 
 %description
 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
@@ -40,6 +42,8 @@ Documentation for developing application
 %prep
 
 %setup -q
+%patch0 -p1
+%patch1 -p1
 sed -i "s/-O20/$RPM_OPT_FLAGS/" configure
 sed -i "s/-ffast-math//" configure
 
@@ -82,6 +86,9 @@ rm -rf $RPM_BUILD_ROOT
 %postun -p /sbin/ldconfig
 
 %changelog
+* Mon Nov  2 2009 Jindrich Novy <jnovy at redhat.com> 1.2.3-3
+- backport patches to fix CVE-2009-3379 (#531765) from upstream
+
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:1.2.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

More information about the fedora-extras-commits mailing list