Bug 216847 - audio/wavpack: update to 5.1.0, fix 4 CVE's
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Thomas Zander
Keywords: needs-qa, patch
Reported: 2017-02-06 14:55 UTC by Piotr Kubaj
Modified: 2017-02-19 08:36 UTC

riggs: maintainer-feedback+
riggs: merge-quarterly+


Attachments
vuxml patch (1.47 KB, patch)
2017-02-06 14:55 UTC, Piotr Kubaj
no flags
patch (2.49 KB, patch)
2017-02-06 14:56 UTC, Piotr Kubaj
pkubaj: maintainer-approval? (multimedia)

Description Piotr Kubaj freebsd_committer 2017-02-06 14:55:34 UTC
Created attachment 179678
vuxml patch

There's a report about 4 fuzz failures in audio/wavpack:
http://www.openwall.com/lists/oss-security/2017/01/23/4

Version 5.1.0 patches all those failures. The attached patches build fine on Poudriere with 10.3-RELEASE.
Comment 1 Piotr Kubaj freebsd_committer 2017-02-06 14:56:03 UTC
Created attachment 179679
patch
Comment 2 commit-hook freebsd_committer 2017-02-18 14:51:58 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 14:51:26 UTC 2017
New revision: 434356
URL: https://svnweb.freebsd.org/changeset/ports/434356

Log:
  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  MFH:		2017Q1
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

Changes:
  head/audio/wavpack/Makefile
  head/audio/wavpack/distinfo
  head/audio/wavpack/files/patch-configure
  head/audio/wavpack/files/patch-src_wavpack__local.h
  head/audio/wavpack/pkg-plist
Comment 3 commit-hook freebsd_committer 2017-02-18 15:01:07 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:00:24 UTC 2017
New revision: 434357
URL: https://svnweb.freebsd.org/changeset/ports/434357

Log:
  Document multiple vulnerabilities in audio/wavpack

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer 2017-02-18 15:24:29 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:23:55 UTC 2017
New revision: 434359
URL: https://svnweb.freebsd.org/changeset/ports/434359

Log:
  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl
  MFH:		2017Q1

Changes:
  head/archivers/unarchiver/Makefile
  head/audio/aqualung/Makefile
  head/audio/deadbeef/Makefile
  head/audio/decibel-audio-player/Makefile
  head/audio/mixxx/Makefile
  head/audio/siren/Makefile
  head/audio/xmms-wavpack/Makefile
  head/multimedia/audacious-plugins/Makefile
  head/multimedia/audacious-plugins-gtk3/Makefile
  head/multimedia/gstreamer-plugins/Makefile
  head/multimedia/gstreamer1-plugins/Makefile
  head/multimedia/qmmp/Makefile
  head/multimedia/qmmp-qt5/Makefile
  head/multimedia/quodlibet/Makefile
Comment 5 commit-hook freebsd_committer 2017-02-19 08:22:50 UTC
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:22:20 UTC 2017
New revision: 434397
URL: https://svnweb.freebsd.org/changeset/ports/434397

Log:
  MFH: r434356

  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/audio/wavpack/Makefile
  branches/2017Q1/audio/wavpack/distinfo
  branches/2017Q1/audio/wavpack/files/patch-configure
  branches/2017Q1/audio/wavpack/files/patch-src_wavpack__local.h
  branches/2017Q1/audio/wavpack/pkg-plist
Comment 6 commit-hook freebsd_committer 2017-02-19 08:33:00 UTC
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:32:53 UTC 2017
New revision: 434398
URL: https://svnweb.freebsd.org/changeset/ports/434398

Log:
  MFH: r434359

  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/archivers/unarchiver/Makefile
  branches/2017Q1/audio/aqualung/Makefile
  branches/2017Q1/audio/deadbeef/Makefile
  branches/2017Q1/audio/decibel-audio-player/Makefile
  branches/2017Q1/audio/mixxx/Makefile
  branches/2017Q1/audio/siren/Makefile
  branches/2017Q1/audio/xmms-wavpack/Makefile
  branches/2017Q1/multimedia/audacious-plugins/Makefile
  branches/2017Q1/multimedia/audacious-plugins-gtk3/Makefile
  branches/2017Q1/multimedia/gstreamer-plugins/Makefile
  branches/2017Q1/multimedia/gstreamer1-plugins/Makefile
  branches/2017Q1/multimedia/qmmp/Makefile
  branches/2017Q1/multimedia/qmmp-qt5/Makefile
  branches/2017Q1/multimedia/quodlibet/Makefile
Comment 7 Thomas Zander freebsd_committer 2017-02-19 08:36:52 UTC
Committed with additional changes to make support for optimised assembler routines work. Thanks!