Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libid3tag for openSUSE:Factory checked in at 2022-05-12 22:57:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libid3tag (Old) and /work/SRC/openSUSE:Factory/.libid3tag.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libid3tag" Thu May 12 22:57:35 2022 rev:28 rq:976020 version:0.16.2 Changes: --------
--- /work/SRC/openSUSE:Factory/libid3tag/libid3tag.changes 2022-04-10 19:05:31.590418515 +0200
+++ /work/SRC/openSUSE:Factory/.libid3tag.new.1538/libid3tag.changes 2022-05-12 22:57:40.596580605 +0200
@@ -1,0 +2,8 @@
+Mon May 9 17:01:41 UTC 2022 - Christophe Giboudeaux <christo...@krop.fr>
+
+- Update to 0.16.2
+ * Fix null pointer dereference in id3_ucs4_length
+ (boo#1081962, CVE-2017-11550)
+- Drop id3_ucs4_length-sanity-check.patch. Merged upstream.
+
+-------------------------------------------------------------------
Old: ---- id3_ucs4_length-sanity-check.patch libid3tag-0.16.1.tar.gz
New: ---- libid3tag-0.16.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ libid3tag.spec ++++++
--- /var/tmp/diff_new_pack.UsP1NA/_old 2022-05-12 22:57:41.108581292 +0200
+++ /var/tmp/diff_new_pack.UsP1NA/_new 2022-05-12 22:57:41.112581298 +0200
@@ -16,9 +16,9 @@
 #
-%define lver 0_16_1
+%define lver 0_16_2
 Name: libid3tag
-Version: 0.16.1
+Version: 0.16.2
 Release: 0
 Summary: ID3 Tag Manipulation Library
 License: GPL-2.0-or-later
@@ -26,11 +26,10 @@
 URL: https://github.com/tenacityteam/libid3tag
 Source0: %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: baselibs.conf
-Patch0: id3_ucs4_length-sanity-check.patch
 BuildRequires: c++_compiler
 BuildRequires: cmake
 BuildRequires: gperf
-BuildRequires: pkg-config
+BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
 %description
@@ -56,7 +55,6 @@
 %prep
 %setup -q
-%patch0 -p1
 %build
 %cmake
++++++ libid3tag-0.16.1.tar.gz -> libid3tag-0.16.2.tar.gz ++++++
++++ 6452 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libid3tag-0.16.1/CHANGES new/libid3tag-0.16.2/CHANGES
--- old/libid3tag-0.16.1/CHANGES 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/CHANGES 2022-05-03 05:56:29.000000000 +0200
@@ -6,6 +6,9 @@
 ===============================================================================
+Version 0.16.2
+ * Fix null pointer dereference in id3_ucs4_length (CVE-2017-11550)
+
 Version 0.16.1
 * Fix exported CMake config file
 * Fix pkgconfig file name to match Linux distro packages
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libid3tag-0.16.1/CMakeLists.txt new/libid3tag-0.16.2/CMakeLists.txt
--- old/libid3tag-0.16.1/CMakeLists.txt 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/CMakeLists.txt 2022-05-03 05:56:29.000000000 +0200
@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.1.0)
-project(id3tag VERSION 0.16.1)
+project(id3tag VERSION 0.16.2)
 option(BUILD_SHARED_LIBS "Build dynamic library" ON)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libid3tag-0.16.1/compat.c new/libid3tag-0.16.2/compat.c
--- old/libid3tag-0.16.1/compat.c 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/compat.c 2022-05-03 05:56:29.000000000 +0200
@@ -439,6 +439,9 @@
 encoding = id3_parse_uint(&data, 1);
 string = id3_parse_string(&data, end - data, encoding, 0);
+ if (!string)
+ continue;
+
 if (id3_ucs4_length(string) < 4) {
 free(string);
 continue;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libid3tag-0.16.1/ucs4.c new/libid3tag-0.16.2/ucs4.c
--- old/libid3tag-0.16.1/ucs4.c 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/ucs4.c 2022-05-03 05:56:29.000000000 +0200
@@ -37,6 +37,9 @@
 */
 id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
 {
+ if (!ucs4)
+ return 0;
+
 id3_ucs4_t const *ptr = ucs4;
 while (*ptr)
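Review bot: The new `if (!string) continue;` guard in compat.c skips the frame silently, so a NULL from id3_parse_string() (its cause is not visible in this hunk) looks the same as a frame that is merely too short. A one-line comment would make the intent explicit, e.g. `/* id3_parse_string() gave no string: skip this frame instead of passing NULL on */`. Since the ucs4.c change in this update makes id3_ucs4_length(NULL) return 0, the following `< 4` branch would also have caught NULL; keeping both checks is reasonable defence in depth and the comment can say so. The spec lists gperf as a build requirement, so if compat.c is generated from a gperf input, the guard must be present there too or regeneration will drop it. The enclosing loop starts and ends outside the hunk.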
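Review bot: Returning 0 for a NULL argument in id3_ucs4_length makes a missing string indistinguishable from an empty one, and the doc comment above the function (only its closing `*/` is in the hunk) should state that, e.g. `NULL is accepted and reported as length 0`. The guard also precedes the declaration of `ptr`, which puts a declaration after a statement; if any supported build is still C89, write `id3_ucs4_t const *ptr;` first, then `if (!ucs4) return 0;` and `ptr = ucs4;`. Only this function is hardened here. Other routines in ucs4.c that walk a string are not shown, and any that dereference their argument directly would still depend on callers checking for NULL. The function body continues past the end of the hunk.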