Hello community, here is the log from the commit of package libquicktime for openSUSE:Factory checked in at 2017-02-19 00:57:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libquicktime (Old) and /work/SRC/openSUSE:Factory/.libquicktime.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libquicktime" Changes: -------- --- /work/SRC/openSUSE:Factory/libquicktime/libquicktime.changes 2016-08-03 11:38:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libquicktime.new/libquicktime.changes 2017-02-19 00:57:54.349923172 +0100 @@ -1,0 +2,9 @@ +Tue Feb 14 11:11:34 UTC 2017 - kstreit...@suse.com + +- add libquicktime-1.2.4-integer_overflow.patch to fix integer + overflow in the quicktime_read_pascal function in libquicktime + 1.2.4 and earlier that allows remote attackers to cause a denial + of service or possibly have other unspecified impact via a crafted + hdlr MP4 atom [bsc#1022805] CVE-2016-2399 + +------------------------------------------------------------------- New: ---- libquicktime-1.2.4-integer_overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libquicktime.spec ++++++ --- /var/tmp/diff_new_pack.OGrlWL/_old 2017-02-19 00:57:54.789861404 +0100 +++ /var/tmp/diff_new_pack.OGrlWL/_new 2017-02-19 00:57:54.789861404 +0100 @@ -1,7 +1,7 @@ # # spec file for package libquicktime # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,6 +37,8 @@ Source2: baselibs.conf Patch0: libquicktime-ffmpeg3.patch Patch1: libquicktime-faad2.patch +# PATCH-FIX-UPSTREAM bsc#1022805 CVE-2016-2399 kstreit...@suse.com -- fix integer overflow in the quicktime_read_pascal function +Patch2: libquicktime-1.2.4-integer_overflow.patch BuildRequires: alsa-devel BuildRequires: autoconf BuildRequires: automake @@ -108,6 +110,7 @@ %setup -q -n %{name} %patch0 -p1 %patch1 -p1 +%patch2 -p1 sed -i 's/-DGTK_DISABLE_DEPRECATED//g' configure.ac ++++++ libquicktime-1.2.4-integer_overflow.patch ++++++ Index: libquicktime-1.2.4/src/util.c =================================================================== --- libquicktime-1.2.4.orig/src/util.c +++ libquicktime-1.2.4/src/util.c @@ -340,7 +340,7 @@ int64_t quicktime_byte_position(quicktim void quicktime_read_pascal(quicktime_t *file, char *data) { - char len = quicktime_read_char(file); + unsigned char len = quicktime_read_char(file); quicktime_read_data(file, (uint8_t*)data, len); data[(int)len] = 0; }