diff options
author | Efraim Flashner <efraim@flashner.co.il> | 2019-04-04 22:15:04 +0300 |
---|---|---|
committer | Efraim Flashner <efraim@flashner.co.il> | 2019-04-04 22:20:33 +0300 |
commit | c531fad7a0b528be68c8bd1b5749a4d01c5bfdd1 (patch) | |
tree | 9620bfb61f90151d039140f8bcfe914772d33658 /gnu/packages | |
parent | 411c27e296ffe1a5b08b1e2f265b7edc401f688c (diff) | |
download | gnu-guix-c531fad7a0b528be68c8bd1b5749a4d01c5bfdd1.tar gnu-guix-c531fad7a0b528be68c8bd1b5749a4d01c5bfdd1.tar.gz |
gnu: flac: Fix CVE-2017-6888.
* gnu/packages/xiph.scm (flac)[replacement]: New field.
(flac/fixed): New variable.
* gnu/packages/patches/flac-CVE-2017-6888.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/flac-CVE-2017-6888.patch | 29 | ||||
-rw-r--r-- | gnu/packages/xiph.scm | 11 |
2 files changed, 39 insertions, 1 deletions
diff --git a/gnu/packages/patches/flac-CVE-2017-6888.patch b/gnu/packages/patches/flac-CVE-2017-6888.patch new file mode 100644 index 0000000000..d2583201b4 --- /dev/null +++ b/gnu/packages/patches/flac-CVE-2017-6888.patch @@ -0,0 +1,29 @@ +https://git.xiph.org/?p=flac.git;a=patch;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 + +From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Sat, 8 Apr 2017 18:34:49 +1000 +Subject: [PATCH] stream_decoder.c: Fix a memory leak + +Leak reported by Secunia Research. +--- + src/libFLAC/stream_decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c +index 14d5fe7f..a5527511 100644 +--- a/src/libFLAC/stream_decoder.c ++++ b/src/libFLAC/stream_decoder.c +@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre + } + memset (obj->comments[i].entry, 0, obj->comments[i].length) ; + if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) { ++ /* Current i-th entry is bad, so we delete it. */ ++ free (obj->comments[i].entry) ; ++ obj->comments[i].entry = NULL ; + obj->num_comments = i; + goto skip; + } +-- +2.11.0 + diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 43b0d2723a..49d23bf6d5 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2014 Sree Harsha Totakura <sreeharsha@totakura.in> ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org> -;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2015, 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Leo Famulari <leo@famulari.name> @@ -235,6 +235,7 @@ It currently supports: (define flac (package (name "flac") + (replacement flac/fixed) (version "1.3.2") (source (origin (method url-fetch) @@ -256,6 +257,14 @@ meaning that audio is compressed in FLAC without any loss in quality.") "See COPYING in the distribution.")) ; and LGPL and GPL (home-page "https://xiph.org/flac/"))) +(define flac/fixed + (package + (inherit flac) + (source + (origin + (inherit (package-source flac)) + (patches (search-patches "flac-CVE-2017-6888.patch")))))) + (define libkate (package (name "libkate") |