Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package exiv2 for openSUSE:Factory checked in at 2022-11-15 13:18:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/exiv2 (Old)
 and      /work/SRC/openSUSE:Factory/.exiv2.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "exiv2" Tue Nov 15 13:18:29 2022 rev:67 rq:1035724 version:0.27.5 Changes: -------- --- /work/SRC/openSUSE:Factory/exiv2/exiv2.changes 2022-10-24 11:14:31.327373713 +0200 +++ /work/SRC/openSUSE:Factory/.exiv2.new.1597/exiv2.changes 2022-11-15 13:21:15.136747113 +0100 @@ -1,0 +2,6 @@ +Mon Nov 14 11:59:46 UTC 2022 - Dirk Müller <dmuel...@suse.com> + +- spec-cleaner run +- add CVE-2022-3953.patch (CVE-2022-3953, bsc#1205391) + +------------------------------------------------------------------- @@ -13 +19,3 @@ - bsc#1189335, CVE-2021-37623): + bsc#1189335, CVE-2021-37623, + bsc#1189337, CVE-2021-32815, + bsc#1189340, CVE-2021-34335): New: ---- CVE-2022-3953.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ exiv2.spec ++++++ --- /var/tmp/diff_new_pack.tzDZLf/_old 2022-11-15 13:21:16.884756137 +0100 +++ /var/tmp/diff_new_pack.tzDZLf/_new 2022-11-15 13:21:16.888756158 +0100 @@ -16,22 +16,28 @@ # -%{bcond_with docs} - +%bcond_with docs Name: exiv2 Version: 0.27.5 Release: 0 Summary: Tool to access image Exif metadata License: BSD-3-Clause AND GPL-2.0-or-later Group: Productivity/Graphics/Other -URL: http://www.exiv2.org/ +URL: https://exiv2.org/ Source0: https://github.com/Exiv2/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source1: baselibs.conf Patch0: exiv2-build-date.patch +Patch1: CVE-2022-3953.patch BuildRequires: cmake BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gettext-devel +BuildRequires: libcurl-devel +BuildRequires: libexpat-devel +BuildRequires: libxslt +BuildRequires: python3-base +BuildRequires: zlib-devel +Recommends: %{name}-lang = %{version} %if %{with docs} BuildRequires: doxygen # doxygen likes to have this 
@@ -41,12 +47,6 @@ %else Obsoletes: libexiv2-doc < %{version}-%{release} %endif -BuildRequires: libcurl-devel -BuildRequires: libexpat-devel -BuildRequires: libxslt -BuildRequires: python3-base -BuildRequires: zlib-devel -Recommends: %{name}-lang = %{version} # there is a test failure on ARM & PPC # upstream issue: https://github.com/Exiv2/exiv2/issues/933 %ifarch x86_64 @@ -146,7 +146,7 @@ %if %{with tests} %check pushd build -make tests +%make_build tests popd for t in \ ++++++ CVE-2022-3953.patch ++++++ >From 771ead87321ae6e39e5c9f6f0855c58cde6648f1 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse <kevinbackho...@github.com> Date: Wed, 26 Oct 2022 22:07:11 +0100 Subject: [PATCH] Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52731 Stop looping when eof is hit. --- src/quicktimevideo.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: exiv2-0.27.5/src/quicktimevideo.cpp =================================================================== --- exiv2-0.27.5.orig/src/quicktimevideo.cpp +++ exiv2-0.27.5/src/quicktimevideo.cpp @@ -1304,11 +1304,11 @@ namespace Exiv2 { DataBuf buf(4+1); io_->read(buf.pData_, 4); io_->read(buf.pData_, 4); - uint64_t noOfEntries; + uint32_t noOfEntries; noOfEntries = returnUnsignedBufValue(buf); - for(unsigned long i = 1; i <= noOfEntries; i++) + for(uint32_t i = 0; i < noOfEntries && continueTraversing_; i++) decodeBlock(); } // QuickTimeVideo::multipleEntriesDecoder
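Review bot: The new Nov 14 entry in exiv2.changes does not mention the references added to the older entry in the `@@ -13 +19,3 @@` hunk (`bsc#1189337, CVE-2021-32815` and `bsc#1189340, CVE-2021-34335`). It lists only the spec-cleaner run and CVE-2022-3953.patch, so anyone reading the latest entry cannot tell that a historical entry was amended. Suggest adding a line such as "reference additional CVEs fixed in an earlier update" to the new entry.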
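Review bot: Nothing in the visible exiv2.spec hunks applies the new `Patch1: CVE-2022-3953.patch` declared in the first spec hunk (`@@ -16,22 +16,28 @@`), since no hunk touches %prep. The fix only reaches the build if %prep already applies all declared patches automatically. Please confirm that, and that the strip level is 1, because the patch paths are `exiv2-0.27.5.orig/src/quicktimevideo.cpp` and `exiv2-0.27.5/src/quicktimevideo.cpp`.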
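Review bot: `%make_build tests` in the %check hunk (`@@ -146,7 +146,7 @@`) runs the test target with the parallel job flags that %make_build adds, where the previous `make tests` ran serially. The spec already carries a comment about a test failure on ARM & PPC, so please confirm that the `tests` target is safe to run in parallel, or keep the serial invocation for %check to avoid new intermittent failures.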
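Review bot: The results of the two `io_->read(buf.pData_, 4);` calls at the top of the quicktimevideo.cpp hunk are still not checked. After a short read at EOF, `noOfEntries` is decoded from whatever is left in `buf`, and the loop then ends only if `decodeBlock()` clears `continueTraversing_`, which is not visible in this hunk. Suggest returning before the loop when either read comes up short or the stream reports an error or EOF. The narrowing from `uint64_t` to `uint32_t` is also worth checking against the return type of `returnUnsignedBufValue(buf)`, so that no value is silently truncated.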