gnu: flac: Fix CVE-2017-6888.
* gnu/packages/xiph.scm (flac)[replacement]: New field. (flac/fixed): New variable. * gnu/packages/patches/flac-CVE-2017-6888.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
parent
6e5ecbfbae
commit
2beca2a55c
|
@ -777,6 +777,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/findutils-localstatedir.patch \
|
||||
%D%/packages/patches/findutils-makedev.patch \
|
||||
%D%/packages/patches/findutils-test-xargs.patch \
|
||||
%D%/packages/patches/flac-CVE-2017-6888.patch \
|
||||
%D%/packages/patches/flann-cmake-3.11.patch \
|
||||
%D%/packages/patches/flint-ldconfig.patch \
|
||||
%D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
https://git.xiph.org/?p=flac.git;a=patch;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
|
||||
|
||||
From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001
|
||||
From: Erik de Castro Lopo <erikd@mega-nerd.com>
|
||||
Date: Sat, 8 Apr 2017 18:34:49 +1000
|
||||
Subject: [PATCH] stream_decoder.c: Fix a memory leak
|
||||
|
||||
Leak reported by Secunia Research.
|
||||
---
|
||||
src/libFLAC/stream_decoder.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
|
||||
index 14d5fe7f..a5527511 100644
|
||||
--- a/src/libFLAC/stream_decoder.c
|
||||
+++ b/src/libFLAC/stream_decoder.c
|
||||
@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
|
||||
}
|
||||
memset (obj->comments[i].entry, 0, obj->comments[i].length) ;
|
||||
if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) {
|
||||
+ /* Current i-th entry is bad, so we delete it. */
|
||||
+ free (obj->comments[i].entry) ;
|
||||
+ obj->comments[i].entry = NULL ;
|
||||
obj->num_comments = i;
|
||||
goto skip;
|
||||
}
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -5,7 +5,7 @@
|
|||
;;; Copyright © 2014 Sree Harsha Totakura <sreeharsha@totakura.in>
|
||||
;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
|
||||
;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||
;;; Copyright © 2015, 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il>
|
||||
;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
|
||||
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||
;;; Copyright © 2018 Leo Famulari <leo@famulari.name>
|
||||
|
@ -235,6 +235,7 @@ It currently supports:
|
|||
(define flac
|
||||
(package
|
||||
(name "flac")
|
||||
(replacement flac/fixed)
|
||||
(version "1.3.2")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
|
@ -256,6 +257,14 @@ meaning that audio is compressed in FLAC without any loss in quality.")
|
|||
"See COPYING in the distribution.")) ; and LGPL and GPL
|
||||
(home-page "https://xiph.org/flac/")))
|
||||
|
||||
(define flac/fixed
|
||||
(package
|
||||
(inherit flac)
|
||||
(source
|
||||
(origin
|
||||
(inherit (package-source flac))
|
||||
(patches (search-patches "flac-CVE-2017-6888.patch"))))))
|
||||
|
||||
(define libkate
|
||||
(package
|
||||
(name "libkate")
|
||||
|
|
Loading…
Reference in New Issue