From: Pierre Langlois
To: Pierre Langlois
Cc: 42890@debbugs.gnu.org, Brendan Tildesley (mail@brendan.scot), guix-patches@gnu.org
Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
Date: Tue, 18 Aug 2020 18:59:00 +0100
Message-ID: <87pn7ndee3.fsf@gmx.com>
In-Reply-To: <87blj82tt6.fsf@gmx.com>
References: <87r1s6oam4.fsf@gmx.com> <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot> <87blj82tt6.fsf@gmx.com>
Resent-From: Pierre Langlois via debbugs.gnu.org (bug 42890) to guix-patches@gnu.org
Resent-Date: Tue, 18 Aug 2020 18:00:02 +0000
Pierre Langlois writes:

> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached) from another distribution that I was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah, I think it's good to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!

I wasn't so sure which recent commit to use, but then I saw there was a
1.12-beta-1 pre-release from September 2019, so I thought we'd use that.
Looking at some discussions upstream [0], it might still be a while until
we get a proper release though :-/

0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581

Attachment: 0001-gnu-taglib-Update-to-1.12-beta-1.patch (text/x-patch)

From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
From: Pierre Langlois
Date: Tue, 18 Aug 2020 18:38:01 +0100
Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.

This switches to a yet unreleased version of taglib, to make sure
long-standing issues and CVEs are covered until a proper release is made
upstream. Among these, we have:

- CVE-2017-12678
- CVE-2018-11439
- https://github.com/taglib/taglib/issues/864

* gnu/packages/mp3.scm (taglib): Update to 1.12-beta-1.
[source]: Switch to using git-fetch.
---
 gnu/packages/mp3.scm | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..7ee009df74 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@ ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Efraim Flashner ;;; Copyright © 2017 Thomas Danckaert -;;; Copyright © 2017, 2019 Pierre Langlois +;;; Copyright © 2017, 2019, 2020 Pierre Langlois ;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright © 2019 Ricardo Wurmus ;;; Copyright © 2020 Michael Rohleder
@@ -50,6 +50,7 @@ #:use-module (gnu packages video) ;ffmpeg #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix git-download) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (guix build-system python)
@@ -160,14 +161,16 @@ a highly stable and efficient implementation.") (define-public taglib (package (name "taglib") - (version "1.11.1") + (version "1.12-beta-1") (source (origin - (method url-fetch) - (uri (string-append "http://taglib.github.io/releases/taglib-" version ".tar.gz")) + (method git-fetch) + (uri (git-reference (url "https://github.com/taglib/taglib") (commit (string-append "v" version)))) + (file-name (git-file-name name version)) (sha256 (base32 - "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")))) + "1mp6w2ikniw8w6d5wr0h20j0ijg8jw7s9dli5a8k9znpznvxpym4")))) (build-system cmake-build-system) (arguments '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.
-- 
2.28.0
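Review bot: `(commit (string-append "v" version))` pins the tag `v1.12-beta-1`, but nothing in this hunk or in the commit message lets a reviewer confirm that the tag actually contains the fixes for CVE-2017-12678, CVE-2018-11439 and taglib issue #864 that the update is justified by. The `sha256` is what really fixes the checkout (a moved or re-pushed tag fails with a hash mismatch instead of building silently, which is the right failure mode), so the remaining gap is documentation: list the upstream fix commit IDs in the commit message (the thread already names 9336c82da3a04552168f208cd7a5fa4646701ea4 for the OGG corruption fix) so the tag can be checked to contain them, and put a short comment above `(version "1.12-beta-1")` saying it is a pre-release tag chosen because of issue #864, so the next updater knows why a git checkout replaced the release tarball and checks how Guix orders "1.12-beta-1" against a final "1.12" before relying on `guix refresh` to notice the release. While the package is being edited, the untouched context comment `; Tests are not ran with BUILD_SHARED_LIBS on.` should read `are not run`.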
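A check a reviewer would want before accepting an update that pins a git tag, as an added example that is not part of this patch, of Guix, or of taglib: confirm that every upstream fix commit the update claims to pull in is an ancestor of the pinned tag, and treat a missing tag as a hard failure. It is a POSIX shell script driving plain git. Only the tag name v1.12-beta-1 is taken from the patch; the repository, its commits and the two "fix" commit IDs are constructed inline so the script runs offline. Against the real project you would call `check_pin` on a clone of https://github.com/taglib/taglib with the fix commit IDs taken from upstream (the thread cites 9336c82da3a04552168f208cd7a5fa4646701ea4 for the OGG corruption fix).

```shell
#!/bin/sh
# Added example, not code from the patch, from Guix or from taglib.
# Before accepting a package that pins a git tag, confirm the tag really
# contains each upstream fix commit the change relies on.  The repository
# below is constructed inline so this runs offline: only the tag name
# v1.12-beta-1 comes from the patch; the commits are stand-ins.

# fix_in_tag REPO TAG COMMIT: exit 0 when COMMIT is an ancestor of TAG.
fix_in_tag() {
    git -C "$1" merge-base --is-ancestor "$3" "$2"
}

# check_pin REPO TAG COMMIT...: one report line per commit; returns 1 if
# TAG is missing or any commit is not reachable from it.
check_pin() {
    repo=$1; tag=$2; shift 2
    # A deleted or renamed tag must be a hard failure, never a silent pass.
    if ! git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null; then
        echo "tag $tag not found in $repo" >&2
        return 1
    fi
    missing=0
    for c in "$@"; do
        if fix_in_tag "$repo" "$tag" "$c"; then
            echo "ok       $c reachable from $tag"
        else
            echo "MISSING  $c not reachable from $tag"
            missing=1
        fi
    done
    return $missing
}

# gitc: git with an identity given on the command line, so commits work
# without a ~/.gitconfig.
gitc() {
    git -c user.name=demo -c user.email=demo@example.invalid "$@"
}

# build_fixture DIR: base -> fix_a -> [tag v1.12-beta-1] -> fix_b.
# fix_a stands in for a fix the tag includes, fix_b for one that landed
# after the tag (constructed data).  Prints "FIX_A FIX_B".
build_fixture() {
    dir=$1
    rm -rf "$dir"
    git init -q "$dir"
    gitc -C "$dir" commit -q --allow-empty -m "base"
    gitc -C "$dir" commit -q --allow-empty -m "fix-a: included in the tag"
    fix_a=$(git -C "$dir" rev-parse HEAD)
    git -C "$dir" tag v1.12-beta-1
    gitc -C "$dir" commit -q --allow-empty -m "fix-b: landed after the tag"
    fix_b=$(git -C "$dir" rev-parse HEAD)
    echo "$fix_a $fix_b"
}

# Demonstration: the second commit is reported MISSING, so the pin would
# be rejected until the tag (or the claimed fix list) is corrected.
demo=$(mktemp -d)
set -- $(build_fixture "$demo")
if check_pin "$demo" v1.12-beta-1 "$1" "$2"; then
    echo "all claimed fixes are in the tag"
else
    echo "pin rejected: at least one claimed fix is not in the tag"
fi
rm -rf "$demo"
```

`merge-base --is-ancestor` answers the reachability question directly and also rejects unknown commit IDs, so a typo in the claimed fix list shows up as MISSING rather than being waved through. The explicit `rev-parse --verify` on the tag is there because a tag that has been deleted upstream would otherwise surface as a confusing git error instead of a clear "tag not found".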