From 02a1a45e5d072b75ba1077bb65f0155d37453513 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Mar 2024 20:38:52 +0000 Subject: [PATCH] import CS vorbis-tools-1.4.0-29.el8 --- SOURCES/vorbis-tools-1.4.0-CVE-2023-43361.patch | 13 +++++++++++++ SPECS/vorbis-tools.spec | 9 ++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 SOURCES/vorbis-tools-1.4.0-CVE-2023-43361.patch diff --git a/SOURCES/vorbis-tools-1.4.0-CVE-2023-43361.patch b/SOURCES/vorbis-tools-1.4.0-CVE-2023-43361.patch new file mode 100644 index 0000000..7e50570 --- /dev/null +++ b/SOURCES/vorbis-tools-1.4.0-CVE-2023-43361.patch @@ -0,0 +1,13 @@ +diff --git a/oggenc/platform.c b/oggenc/platform.c +index 6d9f4ef..c63304b 100644 +--- a/oggenc/platform.c ++++ b/oggenc/platform.c +@@ -147,7 +147,7 @@ int create_directories(char *fn, int isutf8) + start = start+2; + #endif + +- while((end = strpbrk(start+1, PATH_SEPS)) != NULL) ++ while((end = strpbrk(start + strspn(start, PATH_SEPS), PATH_SEPS)) != NULL) + { + int rv; + memcpy(segment, fn, end-fn); diff --git a/SPECS/vorbis-tools.spec b/SPECS/vorbis-tools.spec index baad895..4d637f1 100644 --- a/SPECS/vorbis-tools.spec +++ b/SPECS/vorbis-tools.spec @@ -1,7 +1,7 @@ Summary: The Vorbis General Audio Compression Codec tools Name: vorbis-tools Version: 1.4.0 -Release: 28%{?dist} +Release: 29%{?dist} Epoch: 1 Group: Applications/Multimedia License: GPLv2 @@ -27,6 +27,9 @@ Patch5: vorbis-tools-1.4.0-CVE-2014-9638-CVE-2014-9639.patch # oggenc: fix large alloca on bad AIFF input (CVE-2015-6749) Patch6: vorbis-tools-1.4.0-CVE-2015-6749.patch +# fix out-of-bounds read in oggenc (CVE-2023-43361) +Patch7: vorbis-tools-1.4.0-CVE-2023-43361.patch + BuildRequires: flac-devel BuildRequires: gettext BuildRequires: gcc @@ -55,6 +58,7 @@ comment editor. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %build @@ -82,6 +86,9 @@ rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}* %changelog +* Thu Jan 18 2024 Lukáš Zaoral - 1:1.4.0-29 +- fix out-of-bounds read in oggenc (CVE-2023-43361) + * Mon Feb 19 2018 Kamil Dudka - 1:1.4.0-28 - add explicit BR for the gcc compiler