Hello community,

here is the log from the commit of package sox for openSUSE:Factory checked in at 2017-12-20 10:39:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sox (Old)
 and      /work/SRC/openSUSE:Factory/.sox.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sox" Wed Dec 20 10:39:56 2017 rev:42 rq:558316 version:14.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/sox/sox.changes 2017-08-29 11:44:33.144333365 +0200 +++ /work/SRC/openSUSE:Factory/.sox.new/sox.changes 2017-12-20 10:39:58.046542677 +0100 @@ -1,0 +2,6 @@ +Tue Dec 19 07:12:58 UTC 2017 - meiss...@suse.com + +- sox-doublefree.patch: initialize comment, it might + get returned back with OK. (bsc#1064576 CVE-2017-15642) + +------------------------------------------------------------------- New: ---- sox-doublefree.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sox.spec ++++++ --- /var/tmp/diff_new_pack.rxTzpb/_old 2017-12-20 10:39:58.786488957 +0100 +++ /var/tmp/diff_new_pack.rxTzpb/_new 2017-12-20 10:39:58.790488666 +0100 @@ -62,6 +62,7 @@ Url: http://sox.sourceforge.net Source0: http://downloads.sourceforge.net/project/sox/sox/%{version}/%{name}-%{version}.tar.bz2 Source1: %{name}.changes +Patch0: sox-doublefree.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -93,6 +94,7 @@ %prep %setup -q +%patch0 -p1 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" ++++++ sox-doublefree.patch ++++++ --- sox-14.4.2/src/aiff.c.xx 2017-12-19 08:11:20.195415511 +0100 +++ sox-14.4.2/src/aiff.c 2017-12-19 08:11:40.335389318 +0100 @@ -504,6 +504,7 @@ unsigned int totalReadLength = 0; unsigned int commentIndex; + *text = NULL; lsx_readdw(ft, &chunksize); lsx_readw(ft, &numComments); totalReadLength += 2; /* chunksize doesn't count */
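Review bot: In the sox.spec hunk at @@ -62,6 +62,7 @@, the new `Patch0: sox-doublefree.patch` line has no comment above it saying what the patch is for. The bug and CVE references (bsc#1064576, CVE-2017-15642) appear only in the sox.changes entry. A one-line comment above `Patch0:` repeating those two references would let someone reading the spec see why the patch is carried and when it can be dropped, without opening the changelog.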
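Review bot: In the sox-doublefree.patch hunk for src/aiff.c at @@ -504,6 +504,7 @@, the added `*text = NULL;` has no comment, and the patch file itself starts directly at the `--- sox-14.4.2/src/aiff.c.xx` line with no description header. The only explanation is the changelog sentence "initialize comment, it might get returned back with OK". Please put that reasoning next to the assignment, for example a short comment saying the function can return OK without ever setting `*text`, and add a header to the patch naming bsc#1064576 and CVE-2017-15642. The hunk also shows only the start of the function, so it cannot be checked from here whether any later path that releases `*text` resets it to NULL as well. That is worth confirming, since the assignment on entry covers only the case where nothing was stored.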