[arch-commits] Commit in libcdaudio/trunk (3 files)

Jan de Groot jgc at archlinux.org
Tue Aug 17 06:23:03 EDT 2010


    Date: Tuesday, August 17, 2010 @ 06:23:02
  Author: jgc
Revision: 87596

upgpkg: libcdaudio 0.99.12-5
Add patches for FS#20475. Use patches from Debian. Switch to 0.99.12, p2 has no relevant fixes for our supported platforms

Added:
  libcdaudio/trunk/01-cddb-bufferoverflow.patch
  libcdaudio/trunk/02-cddb-bufferoverflow.patch
Modified:
  libcdaudio/trunk/PKGBUILD

------------------------------+
 01-cddb-bufferoverflow.patch |   15 +++++++++++++++
 02-cddb-bufferoverflow.patch |   15 +++++++++++++++
 PKGBUILD                     |   21 +++++++++++++--------
 3 files changed, 43 insertions(+), 8 deletions(-)

Added: 01-cddb-bufferoverflow.patch
===================================================================
--- 01-cddb-bufferoverflow.patch	                        (rev 0)
+++ 01-cddb-bufferoverflow.patch	2010-08-17 10:23:02 UTC (rev 87596)
@@ -0,0 +1,15 @@
+Author: Moritz Muehlenhoff <jmm at inutil.org>
+Description: CAN-2005-0706: Bufferoverflow in CDDB lookup parsing
+
+diff -Naurp libcdaudio.orig/src/cddb.c libcdaudio/src/cddb.c
+--- libcdaudio.orig/src/cddb.c	2009-08-02 10:30:05.000000000 +0000
++++ libcdaudio/src/cddb.c	2009-08-02 10:34:57.000000000 +0000
+@@ -1052,7 +1052,7 @@ cddb_query(int cd_desc, int sock,
+     }
+ 	   
+     query->query_matches = 0;
+-    while(!cddb_read_line(sock, inbuffer, 256)) {
++    while(query->query_matches < MAX_INEXACT_MATCHES && !cddb_read_line(sock, inbuffer, 256)) {
+       slashed = 0;
+       if(strchr(inbuffer, '/') != NULL && parse_disc_artist) {
+ 	index = 0;
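Review bot: The limit check added to the `while` condition in cddb_query stops reading as soon as `query->query_matches` reaches `MAX_INEXACT_MATCHES`, so any further match lines the server sends stay unread on `sock`. If the socket is read again after this loop (not visible in this hunk), those leftover lines would be taken as the start of the next response. Consider keeping `!cddb_read_line(sock, inbuffer, 256)` as the only loop condition and opening the body with `if(query->query_matches >= MAX_INEXACT_MATCHES) continue;`, so excess entries are consumed and dropped rather than stored. The rest of the loop body, including where `query_matches` is incremented, lies outside the hunk, so this needs checking against the full function.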

Added: 02-cddb-bufferoverflow.patch
===================================================================
--- 02-cddb-bufferoverflow.patch	                        (rev 0)
+++ 02-cddb-bufferoverflow.patch	2010-08-17 10:23:02 UTC (rev 87596)
@@ -0,0 +1,15 @@
+Author: Moritz Muehlenhoff <jmm at inutil.org>
+Description: CVE-2008-5030
+
+diff -Naurp libcdaudio.orig/src/cddb.c libcdaudio/src/cddb.c
+--- libcdaudio.orig/src/cddb.c	2008-09-07 23:53:16.000000000 +0000
++++ libcdaudio/src/cddb.c	2008-11-12 21:32:21.000000000 +0000
+@@ -1679,7 +1679,7 @@ cddb_read_disc_data(int cd_desc, struct 
+       free(file);
+ 	 
+       while(!feof(cddb_data)) {
+-	fgets(inbuffer, 512, cddb_data);			   
++	fgets(inbuffer, 256, cddb_data);
+ 	cddb_process_line(inbuffer, data);
+       }
+ 	 
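Review bot: The return value of `fgets(inbuffer, 256, cddb_data)` is still ignored inside the `while(!feof(cddb_data))` loop. On the last pass fgets hits end-of-file without reading anything and leaves `inbuffer` as it was, so `cddb_process_line` runs a second time on the previous line; a read error that never sets the EOF flag would keep the loop spinning. Driving the loop from the read avoids both: `while(fgets(inbuffer, 256, cddb_data) != NULL)` followed by `cddb_process_line(inbuffer, data);`. The literal 256 presumably matches the declared size of `inbuffer`, which is outside the hunk; if it is an array, `sizeof(inbuffer)` would keep the length and the buffer from drifting apart again. The body of cddb_read_disc_data continues outside the hunk.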

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2010-08-17 07:50:02 UTC (rev 87595)
+++ PKGBUILD	2010-08-17 10:23:02 UTC (rev 87596)
@@ -4,24 +4,29 @@
 
 pkgname=libcdaudio
 pkgver=0.99.12
-pkgrel=4
+pkgrel=5
 pkgdesc="Library for controlling Audio CDs and interacting with CDDB"
 arch=('i686' 'x86_64')
 url="http://libcdaudio.sourceforge.net/"
 license=('GPL')
 depends=('glibc')
 options=('!libtool')
-source=(http://downloads.sourceforge.net/sourceforge/libcdaudio/$pkgname-${pkgver}p2.tar.gz)
-md5sums=('15de3830b751818a54a42899bd3ae72c')
+source=(http://downloads.sourceforge.net/sourceforge/libcdaudio/${pkgname}-${pkgver}.tar.gz
+        01-cddb-bufferoverflow.patch
+        02-cddb-bufferoverflow.patch)
+md5sums=('63b49cf14d53eed31e7a87cca17a3963'
+         'f78c881b92cd7d25472daa90af284e18'
+         'e36755c125d2710dc8619bb401e37444')
 
 build() {
-  cd $srcdir/$pkgname-${pkgver}p2
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  patch -Np1 -i "${srcdir}/01-cddb-bufferoverflow.patch"
+  patch -Np1 -i "${srcdir}/02-cddb-bufferoverflow.patch"
   ./configure --prefix=/usr
-  make || return 1
+  make
 }
 
 package() {
-  cd $srcdir/$pkgname-${pkgver}p2
-  make DESTDIR=$pkgdir install
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  make DESTDIR="${pkgdir}" install
 }
-
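Review bot: The upstream tarball in `source=` is fetched over plain HTTP and the only integrity check is the `md5sums` array, which is not collision-resistant, so a weak hash is the sole protection for a release whose purpose is to ship two security patches. Adding a stronger array next to it would tighten this, for example `sha256sums=('<sha256 of tarball>' '<sha256 of 01 patch>' '<sha256 of 02 patch>')`, where the three values are placeholders to be generated from the verified files. Separately, with `|| return 1` removed from `make` and none added to the two `patch -Np1` lines, build() depends on makepkg itself aborting when a step fails; if the supported makepkg does not guarantee that, a patch that fails to apply would still produce a package without the fix.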


