Hello community,

here is the log from the commit of package speex for openSUSE:Factory checked in at 2021-11-15 00:06:16

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/speex (Old)
 and      /work/SRC/openSUSE:Factory/.speex.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "speex" Mon Nov 15 00:06:16 2021 rev:31 rq:930851 version:1.2 Changes: -------- --- /work/SRC/openSUSE:Factory/speex/speex.changes 2017-02-26 17:04:21.684450426 +0100 +++ /work/SRC/openSUSE:Factory/.speex.new.1890/speex.changes 2021-11-15 00:06:23.211604097 +0100 @@ -1,0 +2,6 @@ +Thu Nov 11 13:18:22 CET 2021 - ti...@suse.de + +- Fix zero division error in read_samples (CVE-2020-23903 bsc#1192580) + speex-CVE-2020-23903.patch + +------------------------------------------------------------------- New: ---- speex-CVE-2020-23903.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ speex.spec ++++++ --- /var/tmp/diff_new_pack.AKISPs/_old 2021-11-15 00:06:24.107604827 +0100 +++ /var/tmp/diff_new_pack.AKISPs/_new 2021-11-15 00:06:24.111604830 +0100 @@ -1,7 +1,7 @@ # # spec file for package speex # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -24,10 +24,11 @@ Summary: An Open Source, Patent Free Speech Codec License: BSD-3-Clause Group: System/Libraries -Url: http://www.speex.org/ +URL: http://www.speex.org/ Source0: http://downloads.xiph.org/releases/speex/%{name}-%{upstream_version}.tar.gz Source1: baselibs.conf Patch0: speex-no-build-date.patch +Patch1: speex-CVE-2020-23903.patch BuildRequires: pkg-config BuildRequires: pkgconfig(ogg) BuildRequires: pkgconfig(speexdsp) @@ -66,6 +67,7 @@ %prep %setup -q -n %{name}-%{upstream_version} %patch0 +%patch1 -p1 %build %configure \ ++++++ speex-CVE-2020-23903.patch ++++++ 
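Review bot: the `Url:` to `URL:` rename in the spec keeps `http://www.speex.org/` while the bug-tracker link in the same hunk set was moved to `https://bugs.opensuse.org/`; worth checking whether upstream serves the project page over https and making the two consistent. The `%patch1 -p1` line matches the `a/src/wav_io.c` / `b/src/wav_io.c` prefixes in the patch header, so the strip level is correct, and the changelog entry carries both the CVE id and the bsc reference as expected.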
>From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001 From: Tristan Matthews <tma...@videolan.org> Date: Mon, 13 Jul 2020 23:25:03 -0400 Subject: [PATCH] wav_io: guard against invalid channel numbers Fixes #13 --- src/wav_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wav_io.c b/src/wav_io.c index b518301..09d62eb 100644 --- a/src/wav_io.c +++ b/src/wav_io.c @@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32 stmp = le_short(stmp); *channels = stmp; - if (stmp>2) + if (stmp>2 || stmp<1) { fprintf (stderr, "Only mono and (intensity) stereo supported\n"); return -1; -- GitLab
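Review bot: the range check still runs after `*channels = stmp;`, so a zero or negative channel count is stored into the caller's variable before `read_wav_header` returns -1; a caller that ignores the return value would still see the invalid count. Suggest moving `*channels = stmp;` below the `if (stmp>2 || stmp<1)` block so the output is only written once the value is known to be 1 or 2. The added `stmp<1` term is what closes the zero-channel path behind the division error in `read_samples` named in the changelog; the existing error message ("Only mono and (intensity) stereo supported") already describes the accepted range, so no message change is needed.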