From 356f47550a1d05cd1115e186a6816d614bbf8eeb Mon Sep 17 00:00:00 2001 From: James Meyer Date: Tue, 7 Aug 2012 09:57:31 -0500 Subject: libid3tag .15.1b --- abs/core/libid3tag/10_utf16.diff | 48 +++++++++++++++++++++++++++++ abs/core/libid3tag/11_unknown_encoding.diff | 37 ++++++++++++++++++++++ abs/core/libid3tag/CVE-2008-2109.patch | 11 +++++++ abs/core/libid3tag/PKGBUILD | 41 ++++++++++++++++-------- abs/core/libid3tag/id3tag.pc | 2 +- 5 files changed, 126 insertions(+), 13 deletions(-) create mode 100644 abs/core/libid3tag/10_utf16.diff create mode 100644 abs/core/libid3tag/11_unknown_encoding.diff create mode 100644 abs/core/libid3tag/CVE-2008-2109.patch diff --git a/abs/core/libid3tag/10_utf16.diff b/abs/core/libid3tag/10_utf16.diff new file mode 100644 index 0000000..a3218d2 --- /dev/null +++ b/abs/core/libid3tag/10_utf16.diff 
@@ -0,0 +1,48 @@
+#! /bin/sh -e
+## 10_utf16.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Handle bogus UTF16 sequences that have a length that is not
+## DP: an even number of 8 bit characters.
+
+if [ $# -lt 1 ]; then
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1
+fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
+
+case "$1" in
+ -patch) patch -p1 ${patch_opts} < $0;;
+ -unpatch) patch -R -p1 ${patch_opts} < $0;;
+ *)
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c
+--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
+@@ -282,5 +282,18 @@
+
+ free(utf16);
+
++ if (end == *ptr && length % 2 != 0)
++ {
++ /* We were called with a bogus length. It should always
++ * be an even number. We can deal with this in a few ways:
++ * - Always give an error.
++ * - Try and parse as much as we can and
++ * - return an error if we're called again when we
++ * already tried to parse everything we can.
++ * - tell that we parsed it, which is what we do here.
++ */
++ (*ptr)++;
++ }
++
+ return ucs4;
+ }
diff --git a/abs/core/libid3tag/11_unknown_encoding.diff b/abs/core/libid3tag/11_unknown_encoding.diff
new file mode 100644
index 0000000..7387f2f
--- /dev/null
+++ b/abs/core/libid3tag/11_unknown_encoding.diff
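Review bot: The added `(*ptr)++` in utf16.c is only in bounds if `end` was computed from the length rounded down to an even count, and that computation is outside this hunk, so the invariant the fix relies on is not stated anywhere near it. I would extend the comment with a line such as `* end was derived from the even part of length, so the skipped byte is still inside the caller's buffer.`, after confirming that this is how `end` is set earlier in the function. The branch also reports a malformed odd-length field as fully parsed; the comment says this is deliberate, but it means callers cannot tell a truncated tag from a well-formed one. The enclosing function starts outside the hunk.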
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 11_unknown_encoding.dpatch by Andreas Henriksson
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: In case of an unknown/invalid encoding, id3_parse_string() will
+## DP: return NULL, but the return value wasn't checked resulting
+## DP: in segfault in id3_ucs4_length(). This is the only place
+## DP: the return value wasn't checked.
+
+@DPATCH@
+diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf
+--- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000
+@@ -236,6 +236,10 @@
+
+ encoding = id3_parse_uint(&data, 1);
+ string = id3_parse_string(&data, end - data, encoding, 0);
++ if (!string)
++ {
++ continue;
++ }
+
+ if (id3_ucs4_length(string) < 4) {
+ free(string);
+diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c
+--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000
++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000
+@@ -165,6 +165,9 @@
+ case ID3_FIELD_TEXTENCODING_UTF_8:
+ ucs4 = id3_utf8_deserialize(ptr, length);
+ break;
++ default:
++ /* FIXME: Unknown encoding! Print warning? */
++ return NULL;
+ }
+
+ if (ucs4 && !full) {
diff --git a/abs/core/libid3tag/CVE-2008-2109.patch b/abs/core/libid3tag/CVE-2008-2109.patch
new file mode 100644
index 0000000..26c54c5
--- /dev/null
+++ b/abs/core/libid3tag/CVE-2008-2109.patch
@@ -0,0 +1,11 @@
+--- field.c.orig 2008-05-05 09:49:15.000000000 -0400
++++ field.c 2008-05-05 09:49:25.000000000 -0400
+@@ -291,7 +291,7 @@
+
+ end = *ptr + length;
+
+- while (end - *ptr > 0) {
++ while (end - *ptr > 0 && **ptr != '\0') {
+ ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+ if (ucs4 == 0)
+ goto fail;
diff --git a/abs/core/libid3tag/PKGBUILD b/abs/core/libid3tag/PKGBUILD
index aad7fb2..6f2b929 100644
--- a/abs/core/libid3tag/PKGBUILD
+++ b/abs/core/libid3tag/PKGBUILD
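Review bot: The new `default:` branch in parse.c makes a NULL return from id3_parse_string() mean both "allocation failed" and "encoding byte not recognised", and the FIXME comment does not tell callers which contract to rely on. The encoding value is read straight from the tag (`id3_parse_uint(&data, 1)` in the compat.gperf part), so this branch is reachable from untrusted files and every call site has to check for NULL; the patch description says compat.gperf was the only unchecked one, which is worth re-verifying whenever a call site is added. I would replace the FIXME with `/* encoding comes from the tag and may be any value; NULL means "unsupported encoding" and callers must check for it */`. In compat.gperf the loop header and whatever advances it are outside the hunk, so it cannot be confirmed from here that the added `continue` still makes progress.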
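Review bot: The added `**ptr != '\0'` test in field.c looks at a single byte regardless of `*encoding`, so for a 16-bit big-endian encoding without a byte-order mark it can end the loop on the zero high byte of an ordinary character and silently drop the rest of the string list. The loop would be more robust if termination depended on progress instead of a byte value: save `*ptr` in a local (say `before`) at the top of the body and add `if (*ptr == before) { free(ucs4); break; }` after the `ucs4 == 0` check. That also covers any other input for which id3_parse_string() returns a string without consuming bytes. The loop body continues outside the hunk, so how `ucs4` is stored and released there needs checking before adopting this.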
@@ -1,21 +1,38 @@
-# $Id: PKGBUILD 356 2008-04-18 22:56:27Z aaron $
-# Maintainer: dorphell
+# $Id: PKGBUILD 150540 2012-02-18 12:17:15Z pierre $
+# Maintainer:
+# Contributor: dorphell
+
 pkgname=libid3tag
 pkgver=0.15.1b
-pkgrel=2
+pkgrel=7
 pkgdesc="library for id3 tagging"
-url="http://www.underbit.com/products/mad/"
-depends=('zlib')
 arch=('i686' 'x86_64')
-source=(ftp://ftp.mars.org/pub/mpeg/$pkgname-$pkgver.tar.gz id3tag.pc)
 url="http://www.underbit.com/products/mad/"
-md5sums=('e5808ad997ba32c498803822078748c3' 'cd5ea001dc24505040b781ad1de9ddf2')
+license=('GPL')
+depends=('zlib')
+makedepends=('gperf')
+options=('!libtool')
+source=("ftp://ftp.mars.org/pub/mpeg/${pkgname}-${pkgver}.tar.gz"
+ 'id3tag.pc'
+ '10_utf16.diff' '11_unknown_encoding.diff' 'CVE-2008-2109.patch')
+md5sums=('e5808ad997ba32c498803822078748c3'
+ '8bb41fd814fafcc37ec8bc88f5545a4a'
+ '4f9df4011e6a8c23240fff5de2d05f6e'
+ '3ca856b97924d48a0fdfeff0bd83ce7d'
+ 'c51822ea6301b1ca469975f0c9ee8e34')
 
 build() {
- cd $startdir/src/$pkgname-$pkgver
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ${srcdir}/10_utf16.diff
+ patch -p1 -i ${srcdir}/11_unknown_encoding.diff
+ patch -Np0 -i ${srcdir}/CVE-2008-2109.patch
+
 ./configure --prefix=/usr
- make || return 1
- make DESTDIR=$startdir/pkg install
- install -D -m644 $startdir/src/id3tag.pc $startdir/pkg/usr/lib/pkgconfig/id3tag.pc
- find $startdir/pkg -name '*.la' -exec rm {} \;
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+ install -D -m644 "${srcdir}/id3tag.pc" "${pkgdir}/usr/lib/pkgconfig/id3tag.pc"
 }
diff --git a/abs/core/libid3tag/id3tag.pc b/abs/core/libid3tag/id3tag.pc
index 07a8fae..3155de7 100644
--- a/abs/core/libid3tag/id3tag.pc
+++ b/abs/core/libid3tag/id3tag.pc
@@ -6,5 +6,5 @@ includedir=/usr/include
 Name: ID3TAG
 Description: libid3tag - ID3 tag manipulation library
 Version: 0.15.0b
-Libs: -L${libdir} -lid3tag -zf
+Libs: -L${libdir} -lid3tag -lz
 Cflags:
--
cgit v0.12
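Review bot: The upstream tarball is still fetched over plain `ftp://` and every entry in `source` is verified only through `md5sums`, so the integrity of the sources, including the three security patches, rests on a hash with practical collisions. I would add a `sha256sums=(...)` array next to (or in place of) `md5sums`, generated from files whose provenance has been checked independently. The three new `patch` lines also leave `${srcdir}` unquoted while the rest of the new build() and package() quote it; `patch -p1 -i "${srcdir}/10_utf16.diff"` and likewise for the other two keeps the file consistent.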
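Review bot: `Version: 0.15.0b` is left unchanged as context in this hunk while the PKGBUILD in the same commit builds `pkgver=0.15.1b`, so pkg-config reports a version that does not match the installed library. Anything that relies on `pkg-config --modversion` or a version constraint to decide whether the patched release is present gets the wrong answer. The line should read `Version: 0.15.1b`, with the matching entry in `md5sums` regenerated.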