* [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
@ 2020-08-16 15:48 Pierre Langlois
2020-08-18 3:04 ` Brendan Tildesley
0 siblings, 1 reply; 6+ messages in thread
From: Pierre Langlois @ 2020-08-16 15:48 UTC (permalink / raw)
To: 42890
[-- Attachment #1: Type: text/plain, Size: 500 bytes --]
Hello Guix!
As I was looking into updating clementine, I noticed it would refuse to
build with the system's taglib saying it may have a bug that corrupts
OGG files. I haven't personally encountered this bug, but I think we
should patch it anyway to be safe. It should be included in the next
release but it's unclear when this is going happen :-/
See https://github.com/taglib/taglib/issues/864 for more details. It
seems other distributions such as Archlinux also apply this fix.
Thanks!
Pierre
[-- Attachment #2: 0001-gnu-taglib-Include-patch-to-prevent-OGG-corruption.patch --]
[-- Type: text/x-patch, Size: 4042 bytes --]
From fb029863097e216111b40c410167ea7e36c3bf3d Mon Sep 17 00:00:00 2001
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Sun, 16 Aug 2020 16:28:54 +0100
Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
* gnu/packages/mp3.scm (taglib)[source]: Add patch.
* gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/mp3.scm | 8 +++++--
.../taglib-fix-possible-ogg-packet-loss.patch | 24 +++++++++++++++++++
3 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index db0f73d881..dc6df1af66 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1574,6 +1574,7 @@ dist_patch_DATA = \
%D%/packages/patches/t1lib-CVE-2011-0764.patch \
%D%/packages/patches/t1lib-CVE-2011-1552+.patch \
%D%/packages/patches/t4k-common-libpng16.patch \
+ %D%/packages/patches/taglib-fix-possible-ogg-packet-loss.patch \
%D%/packages/patches/tao-add-missing-headers.patch \
%D%/packages/patches/tao-fix-parser-types.patch \
%D%/packages/patches/tar-remove-wholesparse-check.patch \
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..b6d174f7d4 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017, 2019 Pierre Langlois <pierre.langlois@gmx.com>
+;;; Copyright © 2017, 2019, 2020 Pierre Langlois <pierre.langlois@gmx.com>
;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
@@ -167,7 +167,11 @@ a highly stable and efficient implementation.")
version ".tar.gz"))
(sha256
(base32
- "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))))
+ "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))
+ ;; Fix https://github.com/taglib/taglib/issues/864, which will
+ ;; be included in the next 1.12 release.
+ (patches
+ (search-patches "taglib-fix-possible-ogg-packet-loss.patch"))))
(build-system cmake-build-system)
(arguments
'(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.
diff --git a/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch
new file mode 100644
index 0000000000..665732888f
--- /dev/null
+++ b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch
@@ -0,0 +1,24 @@
+From 9336c82da3a04552168f208cd7a5fa4646701ea4 Mon Sep 17 00:00:00 2001
+From: Tsuda Kageyu <tsuda.kageyu@gmail.com>
+Date: Thu, 1 Dec 2016 11:32:01 +0900
+Subject: [PATCH] Fix possible Ogg packet losses.
+
+See https://github.com/taglib/taglib/issues/864 for details.
+
+---
+ taglib/ogg/oggfile.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/taglib/ogg/oggfile.cpp b/taglib/ogg/oggfile.cpp
+index 86b0b0764..c36e4d46c 100644
+--- a/taglib/ogg/oggfile.cpp
++++ b/taglib/ogg/oggfile.cpp
+@@ -253,7 +253,7 @@ void Ogg::File::writePacket(unsigned int i, const ByteVector &packet)
+ ByteVectorList packets = firstPage->packets();
+ packets[i - firstPage->firstPacketIndex()] = packet;
+
+- if(firstPage != lastPage && lastPage->packetCount() > 2) {
++ if(firstPage != lastPage && lastPage->packetCount() > 1) {
+ ByteVectorList lastPagePackets = lastPage->packets();
+ lastPagePackets.erase(lastPagePackets.begin());
+ packets.append(lastPagePackets);
--
2.28.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
2020-08-16 15:48 [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption Pierre Langlois
@ 2020-08-18 3:04 ` Brendan Tildesley
2020-08-18 9:21 ` Pierre Langlois
0 siblings, 1 reply; 6+ messages in thread
From: Brendan Tildesley @ 2020-08-18 3:04 UTC (permalink / raw)
To: 42890
[-- Attachment #1: Type: text/plain, Size: 496 bytes --]
I should apologise. I also prepared this same patch to submit over a
year or two ago but ended up neglecting it. I also discovered these two
CVE patches (attached) from another distribution that i was going to
add. Perhaps the best solution is to switch to git-reference and choose
a more recent commit that includes all these fixes. Your patch is in
master at
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
and the two I attached are also in master.
[-- Attachment #2: taglib-CVE-2017-12678.patch --]
[-- Type: text/x-patch, Size: 1340 bytes --]
From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" <me@sbooth.org>
Date: Sun, 23 Jul 2017 10:11:09 -0400
Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
which causes problems in rebuildAggregateFrames() when it is assumed
that TDRC is a TextIdentificationFrame
---
taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 759a9b7be..9347ab869 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
tag->frameList("TDAT").size() == 1)
{
TextIdentificationFrame *tdrc =
- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
- if(tdrc->fieldList().size() == 1 &&
+ if(tdrc &&
+ tdrc->fieldList().size() == 1 &&
tdrc->fieldList().front().size() == 4 &&
tdat->data().size() >= 5)
{
[-- Attachment #3: taglib-CVE-2018-11439.patch --]
[-- Type: text/x-patch, Size: 1369 bytes --]
From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
From: Scott Gayou <github.scott@gmail.com>
Date: Mon, 4 Jun 2018 11:34:36 -0400
Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
---
taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
index 53d04508a..07ea9dccc 100644
--- a/taglib/ogg/flac/oggflacfile.cpp
+++ b/taglib/ogg/flac/oggflacfile.cpp
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
if(!metadataHeader.startsWith("fLaC")) {
// FLAC 1.1.2+
+ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
+ if(metadataHeader.size() < 13)
+ return;
+
+ if(metadataHeader[0] != 0x7f)
+ return;
+
if(metadataHeader.mid(1, 4) != "FLAC")
return;
- if(metadataHeader[5] != 1)
- return; // not version 1
+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
+ return; // not version 1.0
+
+ if(metadataHeader.mid(9, 4) != "fLaC")
+ return;
metadataHeader = metadataHeader.mid(13);
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
2020-08-18 3:04 ` Brendan Tildesley
@ 2020-08-18 9:21 ` Pierre Langlois
2020-08-18 17:59 ` Pierre Langlois
0 siblings, 1 reply; 6+ messages in thread
From: Pierre Langlois @ 2020-08-18 9:21 UTC (permalink / raw)
To: Brendan Tildesley; +Cc: 42890
Hi Brendan,
Brendan Tildesley writes:
> I should apologise. I also prepared this same patch to submit over a
> year or two ago but ended up neglecting it. I also discovered these two
> CVE patches (attached) from another distribution that i was going to
> add. Perhaps the best solution is to switch to git-reference and choose
> a more recent commit that includes all these fixes. Your patch is in
> master at
> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
> and the two I attached are also in master.
No worries! Yeah I think it's a good to just use a git-reference in this
case, I'll try that and submit another patch, thanks for the suggestion!
Pierre
^ permalink raw reply [flat|nested] 6+ messages in thread
* [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
2020-08-18 9:21 ` Pierre Langlois
@ 2020-08-18 17:59 ` Pierre Langlois
2020-09-04 9:32 ` Ludovic Courtès
0 siblings, 1 reply; 6+ messages in thread
From: Pierre Langlois @ 2020-08-18 17:59 UTC (permalink / raw)
To: Pierre Langlois; +Cc: 42890, mail
[-- Attachment #1: Type: text/plain, Size: 1060 bytes --]
Pierre Langlois writes:
> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached) from another distribution that i was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah I think it's a good to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!
I wasn't so sure which recent commit to use, but then I saw there was a
1.12-beta-1 pre-release from September 2019 so I thought we'd use that.
Looking at some discussions upstream [0], it might still be a while
until we get a proper release though :-/
0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581
[-- Attachment #2: 0001-gnu-taglib-Update-to-1.12-beta-1.patch --]
[-- Type: text/x-patch, Size: 2642 bytes --]
From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
From: Pierre Langlois <pierre.langlois@gmx.com>
Date: Tue, 18 Aug 2020 18:38:01 +0100
Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
This switches to a yet unreleased version of taglib, to make sure long
standings issues and CVEs are covered until a proper release is made upstream.
Among these, we have:
- CVE-2017-12678
- CVE-2018-11439
- https://github.com/taglib/taglib/issues/864
* gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
[source]: Switch to using git-fetch.
---
gnu/packages/mp3.scm | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..7ee009df74 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2017, 2019 Pierre Langlois <pierre.langlois@gmx.com>
+;;; Copyright © 2017, 2019, 2020 Pierre Langlois <pierre.langlois@gmx.com>
;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
@@ -50,6 +50,7 @@
#:use-module (gnu packages video) ;ffmpeg
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix git-download)
#:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (guix build-system python)
@@ -160,14 +161,16 @@ a highly stable and efficient implementation.")
(define-public taglib
(package
(name "taglib")
- (version "1.11.1")
+ (version "1.12-beta-1")
(source (origin
- (method url-fetch)
- (uri (string-append "http://taglib.github.io/releases/taglib-"
- version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/taglib/taglib")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
(sha256
(base32
- "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn"))))
+ "1mp6w2ikniw8w6d5wr0h20j0ijg8jw7s9dli5a8k9znpznvxpym4"))))
(build-system cmake-build-system)
(arguments
'(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.
--
2.28.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
2020-08-18 17:59 ` Pierre Langlois
@ 2020-09-04 9:32 ` Ludovic Courtès
2020-09-04 11:14 ` bug#42890: " Pierre Langlois
0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2020-09-04 9:32 UTC (permalink / raw)
To: Pierre Langlois; +Cc: 42890, mail
Hi!
Pierre Langlois <pierre.langlois@gmx.com> skribis:
>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
> From: Pierre Langlois <pierre.langlois@gmx.com>
> Date: Tue, 18 Aug 2020 18:38:01 +0100
> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>
> This switches to a yet unreleased version of taglib, to make sure long
> standings issues and CVEs are covered until a proper release is made upstream.
>
> Among these, we have:
>
> - CVE-2017-12678
> - CVE-2018-11439
> - https://github.com/taglib/taglib/issues/864
>
> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
> [source]: Switch to using git-fetch.
It’s a good idea to add “[security fixes]” or to list CVEs in the
subject line of the commit log.
Otherwise LGTM!
You can now use your new super commit powers to push it. :-)
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#42890: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
2020-09-04 9:32 ` Ludovic Courtès
@ 2020-09-04 11:14 ` Pierre Langlois
0 siblings, 0 replies; 6+ messages in thread
From: Pierre Langlois @ 2020-09-04 11:14 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Pierre Langlois, 42890-done, mail
[-- Attachment #1: Type: text/plain, Size: 939 bytes --]
Ludovic Courtès writes:
> Hi!
>
> Pierre Langlois <pierre.langlois@gmx.com> skribis:
>
>>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
>> From: Pierre Langlois <pierre.langlois@gmx.com>
>> Date: Tue, 18 Aug 2020 18:38:01 +0100
>> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>>
>> This switches to a yet unreleased version of taglib, to make sure long
>> standings issues and CVEs are covered until a proper release is made upstream.
>>
>> Among these, we have:
>>
>> - CVE-2017-12678
>> - CVE-2018-11439
>> - https://github.com/taglib/taglib/issues/864
>>
>> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
>> [source]: Switch to using git-fetch.
>
> It’s a good idea to add “[security fixes]” or to list CVEs in the
> subject line of the commit log.
>
> Otherwise LGTM!
>
> You can now use your new super commit powers to push it. :-)
Whoohoo! done :-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-09-04 11:15 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-08-16 15:48 [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption Pierre Langlois
2020-08-18 3:04 ` Brendan Tildesley
2020-08-18 9:21 ` Pierre Langlois
2020-08-18 17:59 ` Pierre Langlois
2020-09-04 9:32 ` Ludovic Courtès
2020-09-04 11:14 ` bug#42890: " Pierre Langlois
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.