Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libid3tag for openSUSE:Factory 
checked in at 2022-05-12 22:57:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libid3tag (Old)
 and      /work/SRC/openSUSE:Factory/.libid3tag.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libid3tag"

Thu May 12 22:57:35 2022 rev:28 rq:976020 version:0.16.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libid3tag/libid3tag.changes      2022-04-10 
19:05:31.590418515 +0200
+++ /work/SRC/openSUSE:Factory/.libid3tag.new.1538/libid3tag.changes    
2022-05-12 22:57:40.596580605 +0200
@@ -1,0 +2,8 @@
+Mon May  9 17:01:41 UTC 2022 - Christophe Giboudeaux <christo...@krop.fr>
+
+- Update to 0.16.2
+  * Fix null pointer dereference in id3_ucs4_length
+    (boo#1081962, CVE-2017-11550)
+- Drop id3_ucs4_length-sanity-check.patch. Merged upstream.
+
+-------------------------------------------------------------------

Old:
----
  id3_ucs4_length-sanity-check.patch
  libid3tag-0.16.1.tar.gz

New:
----
  libid3tag-0.16.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libid3tag.spec ++++++
--- /var/tmp/diff_new_pack.UsP1NA/_old  2022-05-12 22:57:41.108581292 +0200
+++ /var/tmp/diff_new_pack.UsP1NA/_new  2022-05-12 22:57:41.112581298 +0200
@@ -16,9 +16,9 @@
 #
 
 
-%define lver 0_16_1
+%define lver 0_16_2
 Name:           libid3tag
-Version:        0.16.1
+Version:        0.16.2
 Release:        0
 Summary:        ID3 Tag Manipulation Library
 License:        GPL-2.0-or-later
@@ -26,11 +26,10 @@
 URL:            https://github.com/tenacityteam/libid3tag
 Source0:        
%{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
-Patch0:         id3_ucs4_length-sanity-check.patch
 BuildRequires:  c++_compiler
 BuildRequires:  cmake
 BuildRequires:  gperf
-BuildRequires:  pkg-config
+BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 
 %description
@@ -56,7 +55,6 @@
 
 %prep
 %setup -q
-%patch0 -p1
 
 %build
 %cmake

++++++ libid3tag-0.16.1.tar.gz -> libid3tag-0.16.2.tar.gz ++++++
++++ 6452 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libid3tag-0.16.1/CHANGES new/libid3tag-0.16.2/CHANGES
--- old/libid3tag-0.16.1/CHANGES        2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/CHANGES        2022-05-03 05:56:29.000000000 +0200
@@ -6,6 +6,9 @@
 
 ===============================================================================
 
+Version 0.16.2
+  * Fix null pointer dereference in id3_ucs4_length (CVE-2017-11550)
+
 Version 0.16.1
   * Fix exported CMake config file
   * Fix pkgconfig file name to match Linux distro packages
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libid3tag-0.16.1/CMakeLists.txt new/libid3tag-0.16.2/CMakeLists.txt
--- old/libid3tag-0.16.1/CMakeLists.txt 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/CMakeLists.txt 2022-05-03 05:56:29.000000000 +0200
@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.1.0)
-project(id3tag VERSION 0.16.1)
+project(id3tag VERSION 0.16.2)
 
 option(BUILD_SHARED_LIBS "Build dynamic library" ON)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libid3tag-0.16.1/compat.c new/libid3tag-0.16.2/compat.c
--- old/libid3tag-0.16.1/compat.c       2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/compat.c       2022-05-03 05:56:29.000000000 +0200
@@ -439,6 +439,9 @@
     encoding = id3_parse_uint(&data, 1);
     string   = id3_parse_string(&data, end - data, encoding, 0);
 
+       if (!string)
+               continue;
+
     if (id3_ucs4_length(string) < 4) {
       free(string);
       continue;
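Review bot: The `if (!string) continue;` guard added ahead of the id3_ucs4_length() call may not survive a rebuild if compat.c is generated. The spec file lists gperf as a build requirement and this diff shows no generator input changing, so if such an input exists the same check belongs there too. The two added lines are also indented differently from the surrounding four-space statements (it looks like a tab) and carry no explanation. A short comment such as `/* id3_parse_string() gave no string; skip this frame */` would record why the frame is skipped. The enclosing loop starts and ends outside the hunk.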
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libid3tag-0.16.1/ucs4.c new/libid3tag-0.16.2/ucs4.c
--- old/libid3tag-0.16.1/ucs4.c 2021-08-15 22:52:07.000000000 +0200
+++ new/libid3tag-0.16.2/ucs4.c 2022-05-03 05:56:29.000000000 +0200
@@ -37,6 +37,9 @@
  */
 id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
 {
+       if (!ucs4)
+               return 0;
+
   id3_ucs4_t const *ptr = ucs4;
 
   while (*ptr)
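Review bot: The new NULL guard in id3_ucs4_length sits above the `id3_ucs4_t const *ptr = ucs4;` declaration, so the function now mixes a statement ahead of a declaration, which strict C89 builds reject. It also appears to be tab-indented in a two-space file; placing `if (!ucs4) return 0;` directly after the declaration fixes both. The header comment that ends just above the signature should state the new contract, for example `NOTE: a NULL string is treated as empty and yields 0`. Returning 0 makes a missing string indistinguishable from an empty one, so callers that care still need their own pointer check, and other helpers taking the same pointer type (not visible here) may need the same guard. The function body continues past the end of the hunk.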
