From fe1b04df2f9dc2eb35b2bd70dd0651553384f97c Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 16 Mar 2018 19:27:43 +0100 Subject: gnu: libvorbis: Replace with 1.3.6 [fixes CVE-2018-5146]. * gnu/packages/xiph.scm (libvorbis)[replacement]: New field. (libvorbis-1.3.6): New public variable. --- gnu/packages/xiph.scm | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index a8e7833990..2e922d2a95 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -6,7 +6,7 @@ ;;; Copyright © 2014 Mark H Weaver ;;; Copyright © 2015 Paul van der Walt ;;; Copyright © 2015, 2016, 2017 Efraim Flashner -;;; Copyright © 2017 Marius Bakke +;;; Copyright © 2017, 2018 Marius Bakke ;;; Copyright © 2018 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. @@ -81,6 +81,7 @@ periodic timestamps for seeking.") (package (name "libvorbis") (version "1.3.5") + (replacement libvorbis-1.3.6) (source (origin (method url-fetch) (uri (string-append "http://downloads.xiph.org/releases/vorbis/" @@ -105,6 +106,18 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to "See COPYING in the distribution.")) (home-page "https://xiph.org/vorbis/"))) +;; For CVE-2018-5146. +(define-public libvorbis-1.3.6 + (package/inherit libvorbis + (version "1.3.6") + (source (origin + (method url-fetch) + (uri (string-append "http://downloads.xiph.org/releases/vorbis/" + "libvorbis-" version ".tar.xz")) + (sha256 + (base32 + "05dlzjkdpv46zb837wysxqyn8l636x3dw8v8ymlrwz2fg1dbn05g")))))) + (define libtheora (package (name "libtheora") -- cgit v1.2.3