diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/flac-CVE-2017-6888.patch | 29 | ||||
-rw-r--r-- | gnu/packages/xiph.scm | 11 |
3 files changed, 40 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 1332efdcff..ac7531af03 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -771,6 +771,7 @@ dist_patch_DATA = \ %D%/packages/patches/findutils-localstatedir.patch \ %D%/packages/patches/findutils-makedev.patch \ %D%/packages/patches/findutils-test-xargs.patch \ + %D%/packages/patches/flac-CVE-2017-6888.patch \ %D%/packages/patches/flann-cmake-3.11.patch \ %D%/packages/patches/flint-ldconfig.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ diff --git a/gnu/packages/patches/flac-CVE-2017-6888.patch b/gnu/packages/patches/flac-CVE-2017-6888.patch new file mode 100644 index 0000000000..d2583201b4 --- /dev/null +++ b/gnu/packages/patches/flac-CVE-2017-6888.patch @@ -0,0 +1,29 @@ +https://git.xiph.org/?p=flac.git;a=patch;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 + +From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Sat, 8 Apr 2017 18:34:49 +1000 +Subject: [PATCH] stream_decoder.c: Fix a memory leak + +Leak reported by Secunia Research. +--- + src/libFLAC/stream_decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c +index 14d5fe7f..a5527511 100644 +--- a/src/libFLAC/stream_decoder.c ++++ b/src/libFLAC/stream_decoder.c +@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre + } + memset (obj->comments[i].entry, 0, obj->comments[i].length) ; + if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) { ++ /* Current i-th entry is bad, so we delete it. */ ++ free (obj->comments[i].entry) ; ++ obj->comments[i].entry = NULL ; + obj->num_comments = i; + goto skip; + } +-- +2.11.0 + diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 43b0d2723a..49d23bf6d5 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2014 Sree Harsha Totakura <sreeharsha@totakura.in> ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org> -;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2015, 2016, 2017, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Leo Famulari <leo@famulari.name> @@ -235,6 +235,7 @@ It currently supports: (define flac (package (name "flac") + (replacement flac/fixed) (version "1.3.2") (source (origin (method url-fetch) @@ -256,6 +257,14 @@ meaning that audio is compressed in FLAC without any loss in quality.") "See COPYING in the distribution.")) ; and LGPL and GPL (home-page "https://xiph.org/flac/"))) +(define flac/fixed + (package + (inherit flac) + (source + (origin + (inherit (package-source flac)) + (patches (search-patches "flac-CVE-2017-6888.patch")))))) + (define libkate (package (name "libkate") |