Bug 216847

Summary: audio/wavpack: update to 5.1.0, fix 4 CVE's
Product: Ports & Packages
Reporter: Piotr Kubaj <pkubaj>
Component: Individual Port(s)
Assignee: Thomas Zander <riggs>
Status: Closed FIXED
Severity: Affects Only Me
CC: multimedia, pkubaj, riggs
Priority: ---
Keywords: needs-qa, patch
Version: Latest
Flags: riggs: maintainer-feedback+, riggs: merge-quarterly+
Hardware: Any
OS: Any

Attachments (description, flags):
vuxml patch (flags: none)
patch (flags: pkubaj: maintainer-approval? (multimedia))

Description Piotr Kubaj freebsd_committer 2017-02-06 14:55:34 UTC
Created attachment 179678
vuxml patch

There's a report about 4 fuzz failures in audio/wavpack:
http://www.openwall.com/lists/oss-security/2017/01/23/4

Version 5.1.0 patches all those failures. The attached patches build fine on Poudriere with 10.3-RELEASE.

Comment 1 Piotr Kubaj freebsd_committer 2017-02-06 14:56:03 UTC
Created attachment 179679
patch

Comment 2 commit-hook freebsd_committer 2017-02-18 14:51:58 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 14:51:26 UTC 2017
New revision: 434356
URL: https://svnweb.freebsd.org/changeset/ports/434356

Log:
  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  MFH:		2017Q1
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

Changes:
  head/audio/wavpack/Makefile
  head/audio/wavpack/distinfo
  head/audio/wavpack/files/patch-configure
  head/audio/wavpack/files/patch-src_wavpack__local.h
  head/audio/wavpack/pkg-plist

Comment 3 commit-hook freebsd_committer 2017-02-18 15:01:07 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:00:24 UTC 2017
New revision: 434357
URL: https://svnweb.freebsd.org/changeset/ports/434357

Log:
  Document multiple vulnerabilities in audio/wavpack

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl

Changes:
  head/security/vuxml/vuln.xml

Comment 4 commit-hook freebsd_committer 2017-02-18 15:24:29 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:23:55 UTC 2017
New revision: 434359
URL: https://svnweb.freebsd.org/changeset/ports/434359

Log:
  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl
  MFH:		2017Q1

Changes:
  head/archivers/unarchiver/Makefile
  head/audio/aqualung/Makefile
  head/audio/deadbeef/Makefile
  head/audio/decibel-audio-player/Makefile
  head/audio/mixxx/Makefile
  head/audio/siren/Makefile
  head/audio/xmms-wavpack/Makefile
  head/multimedia/audacious-plugins/Makefile
  head/multimedia/audacious-plugins-gtk3/Makefile
  head/multimedia/gstreamer-plugins/Makefile
  head/multimedia/gstreamer1-plugins/Makefile
  head/multimedia/qmmp/Makefile
  head/multimedia/qmmp-qt5/Makefile
  head/multimedia/quodlibet/Makefile

Comment 5 commit-hook freebsd_committer 2017-02-19 08:22:50 UTC
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:22:20 UTC 2017
New revision: 434397
URL: https://svnweb.freebsd.org/changeset/ports/434397

Log:
  MFH: r434356

  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/audio/wavpack/Makefile
  branches/2017Q1/audio/wavpack/distinfo
  branches/2017Q1/audio/wavpack/files/patch-configure
  branches/2017Q1/audio/wavpack/files/patch-src_wavpack__local.h
  branches/2017Q1/audio/wavpack/pkg-plist

Comment 6 commit-hook freebsd_committer 2017-02-19 08:33:00 UTC
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:32:53 UTC 2017
New revision: 434398
URL: https://svnweb.freebsd.org/changeset/ports/434398

Log:
  MFH: r434359

  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/archivers/unarchiver/Makefile
  branches/2017Q1/audio/aqualung/Makefile
  branches/2017Q1/audio/deadbeef/Makefile
  branches/2017Q1/audio/decibel-audio-player/Makefile
  branches/2017Q1/audio/mixxx/Makefile
  branches/2017Q1/audio/siren/Makefile
  branches/2017Q1/audio/xmms-wavpack/Makefile
  branches/2017Q1/multimedia/audacious-plugins/Makefile
  branches/2017Q1/multimedia/audacious-plugins-gtk3/Makefile
  branches/2017Q1/multimedia/gstreamer-plugins/Makefile
  branches/2017Q1/multimedia/gstreamer1-plugins/Makefile
  branches/2017Q1/multimedia/qmmp/Makefile
  branches/2017Q1/multimedia/qmmp-qt5/Makefile
  branches/2017Q1/multimedia/quodlibet/Makefile

Comment 7 Thomas Zander freebsd_committer 2017-02-19 08:36:52 UTC
Committed with additional changes to make support for optimised assembler routines work. Thanks!