head 1.2;
access;
symbols
 pkgsrc-2020Q4:1.1.0.14
 pkgsrc-2020Q4-base:1.1
 pkgsrc-2020Q3:1.1.0.12
 pkgsrc-2020Q3-base:1.1
 pkgsrc-2020Q2:1.1.0.10
 pkgsrc-2020Q2-base:1.1
 pkgsrc-2020Q1:1.1.0.6
 pkgsrc-2020Q1-base:1.1
 pkgsrc-2019Q4:1.1.0.8
 pkgsrc-2019Q4-base:1.1
 pkgsrc-2019Q3:1.1.0.4
 pkgsrc-2019Q3-base:1.1
 pkgsrc-2019Q2:1.1.0.2;
locks; strict;
comment @# @;


1.2
date 2021.02.24.12.31.57; author wiz; state dead;
branches;
next 1.1;
commitid hQyKk6QSLYWwEXIC;

1.1
date 2019.07.18.09.36.37; author nia; state Exp;
branches
 1.1.2.1;
next ;
commitid kYTPMTTnw7m3yvvB;

1.1.2.1
date 2019.07.18.09.36.37; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid s5O8UigYnHHGRwvB;

1.1.2.2
date 2019.07.18.13.33.53; author bsiegert; state Exp;
branches;
next ;
commitid s5O8UigYnHHGRwvB;


desc
@@


1.2
log
@taglib: update to 1.12.

TagLib 1.12 (Feb 16, 2021)
==========================

 * Added support for WinRT.
 * Added support for Linux on POWER.
 * Added support for classical music tags of iTunes 12.5.
 * Added support for file descriptor to FileStream.
 * Added support for 'cmID', 'purl', 'egid' MP4 atoms.
 * Added support for 'GRP1' ID3v2 frame.
 * Added support for extensible WAV subformat.
 * Enabled FileRef to detect file types based on the stream content.
 * Dropped support for Windows 9x and NT 4.0 or older.
 * Check for mandatory header objects in ASF files.
 * More tolerant handling of RIFF padding, WAV files, broken MPEG streams.
 * Improved calculation of Ogg, Opus, Speex, WAV, MP4 bitrates.
 * Improved Windows compatibility by storing FLAC picture after comments.
 * Fixed numerical genres in ID3v2.3.0 'TCON' frames.
 * Fixed consistency of API removing MP4 items when empty values are set.
 * Fixed consistency of API preferring COMM frames with no description.
 * Fixed OOB read on invalid Ogg FLAC files (CVE-2018-11439).
 * Fixed handling of empty MPEG files.
 * Fixed parsing MP4 mdhd timescale.
 * Fixed reading MP4 atoms with zero length.
 * Fixed reading FLAC files with zero-sized seektables.
* Fixed handling of lowercase field names in Vorbis Comments. * Fixed handling of 'rate' atoms in MP4 files. * Fixed handling of invalid UTF-8 sequences. * Fixed possible file corruptions when saving Ogg files. * Fixed handling of non-audio blocks, sampling rates, DSD audio in WavPack files. * TableOfContentsFrame::toString() improved. * UserTextIdentificationFrame::toString() improved. * Marked FileRef::create() deprecated. * Marked MPEG::File::save() with boolean parameters deprecated, provide overloads with enum parameters. * Several smaller bug fixes and performance improvements. @ text @$NetBSD: patch-CVE-2018-11439,v 1.1 2019/07/18 09:36:37 nia Exp $ Fix CVE-2018-11439 - OOB read when loading invalid ogg flac file. Upstream commit: https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45 --- taglib/ogg/flac/oggflacfile.cpp.orig 2016-10-24 03:03:23.000000000 +0000 +++ taglib/ogg/flac/oggflacfile.cpp @@@@ -216,11 +216,21 @@@@ void Ogg::FLAC::File::scan() if(!metadataHeader.startsWith("fLaC")) { // FLAC 1.1.2+ + // See https://xiph.org/flac/ogg_mapping.html for the header specification. + if(metadataHeader.size() < 13) + return; + + if(metadataHeader[0] != 0x7f) + return; + if(metadataHeader.mid(1, 4) != "FLAC") return; - if(metadataHeader[5] != 1) - return; // not version 1 + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) + return; // not version 1.0 + + if(metadataHeader.mid(9, 4) != "fLaC") + return; metadataHeader = metadataHeader.mid(13); } @ 1.1 log @taglib: Add patches from upstream's git for the following CVEs: CVE-2017-12678 - denial-of-service CVE-2018-11439 - information-disclosure Bump PKGREVISION. 
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-11439 was added on branch pkgsrc-2019Q2 on 2019-07-18 13:33:53 +0000 @ text @d1 33 @ 1.1.2.2 log @Pullup ticket #6005 - requested by nia audio/taglib: security fix Revisions pulled up: - audio/taglib/Makefile 1.40 - audio/taglib/distinfo 1.22 - audio/taglib/patches/patch-CVE-2017-12678 1.1 - audio/taglib/patches/patch-CVE-2018-11439 1.1 --- Module Name: pkgsrc Committed By: nia Date: Thu Jul 18 09:36:37 UTC 2019 Modified Files: pkgsrc/audio/taglib: Makefile distinfo Added Files: pkgsrc/audio/taglib/patches: patch-CVE-2017-12678 patch-CVE-2018-11439 Log Message: taglib: Add patches from upstream's git for the following CVEs: CVE-2017-12678 - denial-of-service CVE-2018-11439 - information-disclosure Bump PKGREVISION. @ text @a0 33 $NetBSD: patch-CVE-2018-11439,v 1.1 2019/07/18 09:36:37 nia Exp $ Fix CVE-2018-11439 - OOB read when loading invalid ogg flac file. Upstream commit: https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45 --- taglib/ogg/flac/oggflacfile.cpp.orig 2016-10-24 03:03:23.000000000 +0000 +++ taglib/ogg/flac/oggflacfile.cpp @@@@ -216,11 +216,21 @@@@ void Ogg::FLAC::File::scan() if(!metadataHeader.startsWith("fLaC")) { // FLAC 1.1.2+ + // See https://xiph.org/flac/ogg_mapping.html for the header specification. + if(metadataHeader.size() < 13) + return; + + if(metadataHeader[0] != 0x7f) + return; + if(metadataHeader.mid(1, 4) != "FLAC") return; - if(metadataHeader[5] != 1) - return; // not version 1 + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) + return; // not version 1.0 + + if(metadataHeader.mid(9, 4) != "fLaC") + return; metadataHeader = metadataHeader.mid(13); } @
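Review bot: the version test in the scan() hunk, `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)`, returns only when both bytes are wrong, which does not match its comment "not version 1.0". With `&&`, a header whose major byte is not 1 but whose minor byte is 0 is still accepted, as is any minor byte when the major byte is 1. If the intent is to accept exactly version 1.0, the condition should use `||`; if other minor versions are meant to be accepted, test only `metadataHeader[5]` and reword the comment. The added `metadataHeader.size() < 13` guard does cover every index read after it (bytes 0 through 12) as well as the final `mid(13)`, so the bounds side of the fix looks complete for this block.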