diff options
author | Wang Mingyu <wangmy@cn.fujitsu.com> | 2021-03-04 08:30:07 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-03-06 22:36:34 +0000 |
commit | dc999d351ec599e4c534281585152087ff16d345 (patch) | |
tree | e81604f83b675b99bd914a7c195ec7a3a51aa5df /meta/recipes-support | |
parent | f2e1ea8df71d9ac312bc9f7c341477c8fc7c3923 (diff) | |
download | openembedded-core-contrib-dc999d351ec599e4c534281585152087ff16d345.tar.gz |
taglib: upgrade 1.11.1 -> 1.12
CVE-2017-12678.patch
CVE-2018-11439.patch
removed since they are included in 1.12
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/taglib/taglib/CVE-2017-12678.patch | 40 | ||||
-rw-r--r-- | meta/recipes-support/taglib/taglib/CVE-2018-11439.patch | 51 | ||||
-rw-r--r-- | meta/recipes-support/taglib/taglib_1.12.bb (renamed from meta/recipes-support/taglib/taglib_1.11.1.bb) | 9 |
3 files changed, 3 insertions, 97 deletions
diff --git a/meta/recipes-support/taglib/taglib/CVE-2017-12678.patch b/meta/recipes-support/taglib/taglib/CVE-2017-12678.patch deleted file mode 100644 index 4bd9f2be17..0000000000 --- a/meta/recipes-support/taglib/taglib/CVE-2017-12678.patch +++ /dev/null @@ -1,40 +0,0 @@ -From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001 -From: "Stephen F. Booth" <me@sbooth.org> -Date: Sun, 23 Jul 2017 10:11:09 -0400 -Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame - -If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame -which causes problems in rebuildAggregateFrames() when it is assumed -that TDRC is a TextIdentificationFrame - -Upstream-Status: Backport -[https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6] - -CVE: CVE-2017-12678 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp -index 759a9b7b..9347ab86 100644 ---- a/taglib/mpeg/id3v2/id3v2framefactory.cpp -+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp -@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const - tag->frameList("TDAT").size() == 1) - { - TextIdentificationFrame *tdrc = -- static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front()); -+ dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front()); - UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front()); - -- if(tdrc->fieldList().size() == 1 && -+ if(tdrc && -+ tdrc->fieldList().size() == 1 && - tdrc->fieldList().front().size() == 4 && - tdat->data().size() >= 5) - { --- -2.13.5 - diff --git a/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch deleted file mode 100644 index cdd66e67f7..0000000000 --- a/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 -From: Scott Gayou <github.scott@gmail.com> -Date: Mon, 4 Jun 2018 11:34:36 -0400 -Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) - -This CVE is caused by a failure to check the minimum length -of a ogg flac header. This header is detailed in full at: -https://xiph.org/flac/ogg_mapping.html. Added more strict checking -for entire header. - -Upstream-Status: Backport -[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278] - -CVE: CVE-2018-11439 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp -index 53d0450..07ea9dc 100644 ---- a/taglib/ogg/flac/oggflacfile.cpp -+++ b/taglib/ogg/flac/oggflacfile.cpp -@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() - - if(!metadataHeader.startsWith("fLaC")) { - // FLAC 1.1.2+ -+ // See https://xiph.org/flac/ogg_mapping.html for the header specification. -+ if(metadataHeader.size() < 13) -+ return; -+ -+ if(metadataHeader[0] != 0x7f) -+ return; -+ - if(metadataHeader.mid(1, 4) != "FLAC") - return; - -- if(metadataHeader[5] != 1) -- return; // not version 1 -+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0) -+ return; // not version 1.0 -+ -+ if(metadataHeader.mid(9, 4) != "fLaC") -+ return; - - metadataHeader = metadataHeader.mid(13); - } --- -2.7.4 - diff --git a/meta/recipes-support/taglib/taglib_1.11.1.bb b/meta/recipes-support/taglib/taglib_1.12.bb index 165bccadc1..efa56253bb 100644 --- a/meta/recipes-support/taglib/taglib_1.11.1.bb +++ b/meta/recipes-support/taglib/taglib_1.12.bb @@ -9,13 +9,10 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "zlib" -SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \ - file://CVE-2017-12678.patch \ - file://CVE-2018-11439.patch \ - " +SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz" -SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a" -SRC_URI[sha256sum] = "b6d1a5a610aae6ff39d93de5efd0fdc787aa9e9dc1e7026fa4c961b26563526b" +SRC_URI[md5sum] = "4313ed2671234e029b7af8f97c84e9af" +SRC_URI[sha256sum] = "7fccd07669a523b07a15bd24c8da1bbb92206cb19e9366c3692af3d79253b703" UPSTREAM_CHECK_URI = "http://github.com/taglib/taglib/releases/" |