Looks like the newest heap-based overflow vulnerability is also patched with this.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7805
POC: http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/

Thanks. I hope I didn't bother you too much (and Erik, the developer). I will test, thanks.

On Tue, Nov 24, 2015 at 11:16:21PM +0100, Jan Stary wrote:
> This updates audio/libsndfile to the new release.
>
> * CVE-2014-9756 fixed upstream, drop the patch
> * share/doc/libsndfile/pkgconfig.html removed
> * man1/sndfile-salvage.1 added
>
> Also, upstream has accepted a complete rewrite of the manpages
> into mdoc(7). Thanks to schwarze and jmc for the guidance.
> (This happened about a year ago, a release only came out now.)
>
> Tested on amd64, i386 and armv7.
> Please re-test everywhere.
>
> OK?
>
> Jan
>
>
>
> Index: Makefile > =================================================================== > RCS file: /cvs/ports/audio/libsndfile/Makefile,v > retrieving revision 1.28 > diff -u -p -u -p -r1.28 Makefile > --- Makefile 5 Nov 2015 12:49:00 -0000 1.28 > +++ Makefile 24 Nov 2015 21:46:52 -0000 > @@ -2,12 +2,11 @@ > > COMMENT= library to handle various audio file formats > > -DISTNAME= libsndfile-1.0.25 > -REVISION= 2 > +DISTNAME= libsndfile-1.0.26 > CATEGORIES= audio > HOMEPAGE= http://www.mega-nerd.com/libsndfile/ > MAINTAINER= Jan Stary <h...@stare.cz> > -SHARED_LIBS += sndfile 3.3 # .1.25 > +SHARED_LIBS += sndfile 3.4 # .1.26 > > # LGPLv2.1 > PERMIT_PACKAGE_CDROM= Yes > Index: distinfo > =================================================================== > RCS file: /cvs/ports/audio/libsndfile/distinfo,v > retrieving revision 1.14 > diff -u -p -u -p -r1.14 distinfo > --- distinfo 18 Jan 2015 03:12:44 -0000 1.14 > +++ distinfo 24 Nov 2015 21:46:52 -0000 
> @@ -1,2 +1,2 @@ > -SHA256 (libsndfile-1.0.25.tar.gz) = > WQFtvTJqvn4jZt7Vw0TIU4Kb6/0XAu8moH72YtaqSII= > -SIZE (libsndfile-1.0.25.tar.gz) = 1060692 > +SHA256 (libsndfile-1.0.26.tar.gz) = > zWUg7HY9GkVXOIXssfjk5CUFrBIYAmhIKkSyhISiUJI= > +SIZE (libsndfile-1.0.26.tar.gz) = 1080727 > Index: patches/patch-src_file_io_c > =================================================================== > RCS file: patches/patch-src_file_io_c > diff -N patches/patch-src_file_io_c > --- patches/patch-src_file_io_c 5 Nov 2015 12:49:00 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,17 +0,0 @@ > -$OpenBSD: patch-src_file_io_c,v 1.1 2015/11/05 12:49:00 jasper Exp $ > - > -Security fix for CVE-2014-9756 > -https://github.com/erikd/libsndfile/commit/725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 > - > ---- src/file_io.c.orig Wed Jan 19 11:12:28 2011 > -+++ src/file_io.c Thu Nov 5 13:39:26 2015 > -@@ -358,6 +358,9 @@ psf_fwrite (const void *ptr, sf_count_t bytes, sf_coun > - { sf_count_t total = 0 ; > - ssize_t count ; > - > -+ if (bytes == 0 || items == 0) > -+ return 0 ; > -+ > - if (psf->virtual_io) > - return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / > bytes ; > - > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/audio/libsndfile/pkg/PLIST,v > retrieving revision 1.11 > diff -u -p -u -p -r1.11 PLIST > --- pkg/PLIST 16 Mar 2015 18:07:36 -0000 1.11 > +++ pkg/PLIST 24 Nov 2015 21:46:52 -0000 > @@ -25,6 +25,7 @@ lib/pkgconfig/sndfile.pc > @man man/man1/sndfile-metadata-get.1 > @man man/man1/sndfile-metadata-set.1 > @man man/man1/sndfile-play.1 > +@man man/man1/sndfile-salvage.1 > share/doc/libsndfile/ > share/doc/libsndfile/FAQ.html > share/doc/libsndfile/api.html 
> @@ -38,7 +39,6 @@ share/doc/libsndfile/libsndfile.jpg > share/doc/libsndfile/lists.html > share/doc/libsndfile/new_file_type.HOWTO > share/doc/libsndfile/octave.html > -share/doc/libsndfile/pkgconfig.html > share/doc/libsndfile/sndfile_info.html > share/doc/libsndfile/tutorial.html > share/doc/libsndfile/win32.html >
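
Review bot: In the Makefile hunk, the SHARED_LIBS change from 3.3 to 3.4 is a minor bump, which is only correct if 1.0.26 adds symbols without removing or changing any existing ones, and nothing in the submission says this was checked. Please compare the exported symbols of the 1.0.25 and 1.0.26 builds and state the result, or bump the major if anything was removed or changed.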
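
Review bot: The deletion of patches/patch-src_file_io_c rests on the statement that CVE-2014-9756 is fixed upstream, which the diff itself cannot show. Before dropping it, confirm that psf_fwrite in the 1.0.26 src/file_io.c has the same guard, "if (bytes == 0 || items == 0) return 0 ;", ahead of the division by bytes in the virtual_io path. The reply in this thread also suggests that CVE-2015-7805 is addressed by this release; if that is confirmed, the commit message should name both CVEs.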
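
Review bot: The first pkg/PLIST hunk adds "@man man/man1/sndfile-salvage.1", but no hunk in the diff adds a matching bin/sndfile-salvage entry. If the 1.0.26 build installs that program, the packing list is incomplete; if it does not, the package ships a manual page for a tool it does not install. Please check the fake install and regenerate the PLIST.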