commit libquicktime for openSUSE:Factory

root Sat, 18 Feb 2017 15:58:03 -0800

Hello community,

here is the log from the commit of package libquicktime for openSUSE:Factory 
checked in at 2017-02-19 00:57:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libquicktime (Old)
 and      /work/SRC/openSUSE:Factory/.libquicktime.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "libquicktime"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libquicktime/libquicktime.changes        
2016-08-03 11:38:38.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libquicktime.new/libquicktime.changes   
2017-02-19 00:57:54.349923172 +0100
@@ -1,0 +2,9 @@
+Tue Feb 14 11:11:34 UTC 2017 - kstreit...@suse.com
+
+- add libquicktime-1.2.4-integer_overflow.patch to fix integer
+  overflow in the quicktime_read_pascal function in libquicktime
+  1.2.4 and earlier that allows remote attackers to cause a denial
+  of service or possibly have other unspecified impact via a crafted
+  hdlr MP4 atom [bsc#1022805] CVE-2016-2399 
+
+-------------------------------------------------------------------

New:
----
  libquicktime-1.2.4-integer_overflow.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libquicktime.spec ++++++
--- /var/tmp/diff_new_pack.OGrlWL/_old  2017-02-19 00:57:54.789861404 +0100
+++ /var/tmp/diff_new_pack.OGrlWL/_new  2017-02-19 00:57:54.789861404 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libquicktime
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,8 @@
 Source2:        baselibs.conf
 Patch0:         libquicktime-ffmpeg3.patch
 Patch1:         libquicktime-faad2.patch
+# PATCH-FIX-UPSTREAM bsc#1022805 CVE-2016-2399 kstreit...@suse.com -- fix 
integer overflow in the quicktime_read_pascal function
+Patch2:         libquicktime-1.2.4-integer_overflow.patch
 BuildRequires:  alsa-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -108,6 +110,7 @@
 %setup -q -n %{name}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 sed -i 's/-DGTK_DISABLE_DEPRECATED//g' configure.ac
 

++++++ libquicktime-1.2.4-integer_overflow.patch ++++++
Index: libquicktime-1.2.4/src/util.c
===================================================================
--- libquicktime-1.2.4.orig/src/util.c
+++ libquicktime-1.2.4/src/util.c
@@ -340,7 +340,7 @@ int64_t quicktime_byte_position(quicktim
 
 void quicktime_read_pascal(quicktime_t *file, char *data)
 {
-       char len = quicktime_read_char(file);
+       unsigned char len = quicktime_read_char(file);
        quicktime_read_data(file, (uint8_t*)data, len);
        data[(int)len] = 0;
 }

commit libquicktime for openSUSE:Factory

Reply via email to