Bug 216847 - audio/wavpack: update to 5.1.0, fix 4 CVE's
Summary: audio/wavpack: update to 5.1.0, fix 4 CVE's
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Thomas Zander
URL:
Keywords: needs-qa, patch
Depends on:
Blocks:
 
Reported: 2017-02-06 14:55 UTC by Piotr Kubaj
Modified: 2017-02-19 08:36 UTC (History)
3 users (show)

See Also:
riggs: maintainer-feedback+
riggs: merge-quarterly+

Attachments
vuxml patch (1.47 KB, patch)
2017-02-06 14:55 UTC, Piotr Kubaj 		no flags Details | Diff
patch (2.49 KB, patch)
2017-02-06 14:56 UTC, Piotr Kubaj 		pkubaj: maintainer-approval? (multimedia)
 Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Kubaj freebsd_committer freebsd_triage 2017-02-06 14:55:34 UTC 
Created attachment 179678 [details]
vuxml patch

There's a report about 4 fuzz failures in audio/wavpack:
http://www.openwall.com/lists/oss-security/2017/01/23/4

Version 5.1.0 patches all those failures. The attached patches build fine on Poudriere with 10.3-RELEASE.
Comment 1 Piotr Kubaj freebsd_committer freebsd_triage 2017-02-06 14:56:03 UTC 
Created attachment 179679 [details]
patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-02-18 14:51:58 UTC 
A commit references this bug:

Author: riggs
Date: Sat Feb 18 14:51:26 UTC 2017
New revision: 434356
URL: https://svnweb.freebsd.org/changeset/ports/434356

Log:
  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  MFH:		2017Q1
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

Changes:
  head/audio/wavpack/Makefile
  head/audio/wavpack/distinfo
  head/audio/wavpack/files/patch-configure
  head/audio/wavpack/files/patch-src_wavpack__local.h
  head/audio/wavpack/pkg-plist
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-02-18 15:01:07 UTC 
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:00:24 UTC 2017
New revision: 434357
URL: https://svnweb.freebsd.org/changeset/ports/434357

Log:
  Document multiple vulnerabilities in audio/wavpack

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-02-18 15:24:29 UTC 
A commit references this bug:

Author: riggs
Date: Sat Feb 18 15:23:55 UTC 2017
New revision: 434359
URL: https://svnweb.freebsd.org/changeset/ports/434359

Log:
  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl
  MFH:		2017Q1

Changes:
  head/archivers/unarchiver/Makefile
  head/audio/aqualung/Makefile
  head/audio/deadbeef/Makefile
  head/audio/decibel-audio-player/Makefile
  head/audio/mixxx/Makefile
  head/audio/siren/Makefile
  head/audio/xmms-wavpack/Makefile
  head/multimedia/audacious-plugins/Makefile
  head/multimedia/audacious-plugins-gtk3/Makefile
  head/multimedia/gstreamer-plugins/Makefile
  head/multimedia/gstreamer1-plugins/Makefile
  head/multimedia/qmmp/Makefile
  head/multimedia/qmmp-qt5/Makefile
  head/multimedia/quodlibet/Makefile
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-02-19 08:22:50 UTC 
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:22:20 UTC 2017
New revision: 434397
URL: https://svnweb.freebsd.org/changeset/ports/434397

Log:
  MFH: r434356

  Update to upstream release 5.1.0; fix several invalid memory reads

  PR:		216847
  Submitted by:	pkubaj@anongoth.pl
  Reviewed by:	riggs
  Security:	CVE-2016-10169
  		CVE-2016-10170
  		CVE-2016-10171
  		CVE-2016-10172

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/audio/wavpack/Makefile
  branches/2017Q1/audio/wavpack/distinfo
  branches/2017Q1/audio/wavpack/files/patch-configure
  branches/2017Q1/audio/wavpack/files/patch-src_wavpack__local.h
  branches/2017Q1/audio/wavpack/pkg-plist
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-02-19 08:33:00 UTC 
A commit references this bug:

Author: riggs
Date: Sun Feb 19 08:32:53 UTC 2017
New revision: 434398
URL: https://svnweb.freebsd.org/changeset/ports/434398

Log:
  MFH: r434359

  Chase wavpack update: bump PORTREVISION on ports linking to it by default

  PR:		216847
  Reported by:	pkubaj@anongoth.pl

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/archivers/unarchiver/Makefile
  branches/2017Q1/audio/aqualung/Makefile
  branches/2017Q1/audio/deadbeef/Makefile
  branches/2017Q1/audio/decibel-audio-player/Makefile
  branches/2017Q1/audio/mixxx/Makefile
  branches/2017Q1/audio/siren/Makefile
  branches/2017Q1/audio/xmms-wavpack/Makefile
  branches/2017Q1/multimedia/audacious-plugins/Makefile
  branches/2017Q1/multimedia/audacious-plugins-gtk3/Makefile
  branches/2017Q1/multimedia/gstreamer-plugins/Makefile
  branches/2017Q1/multimedia/gstreamer1-plugins/Makefile
  branches/2017Q1/multimedia/qmmp/Makefile
  branches/2017Q1/multimedia/qmmp-qt5/Makefile
  branches/2017Q1/multimedia/quodlibet/Makefile
Comment 7 Thomas Zander freebsd_committer freebsd_triage 2017-02-19 08:36:52 UTC 
Committed with additional changes to make support for optimised assembler routines work. Thanks!