diff --git a/.gitignore b/.gitignore index da55a60..4e1b67f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/opusfile-0.*.tar.gz +SOURCES/opusfile-0.12.tar.gz diff --git a/.opusfile.metadata b/.opusfile.metadata new file mode 100644 index 0000000..03d36b3 --- /dev/null +++ b/.opusfile.metadata @@ -0,0 +1 @@ +3e86971fef28292f982a32730632b1d531059ed5 SOURCES/opusfile-0.12.tar.gz diff --git a/SOURCES/CVE-2022-47021.patch b/SOURCES/CVE-2022-47021.patch new file mode 100644 index 0000000..b41ef35 --- /dev/null +++ b/SOURCES/CVE-2022-47021.patch @@ -0,0 +1,40 @@ +From 0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 Mon Sep 17 00:00:00 2001 +From: Ralph Giles +Date: Tue, 6 Sep 2022 19:04:31 -0700 +Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer. + +Instead of segfault, report OP_EFAULT if ogg_sync_buffer returns +a null pointer. This allows more graceful recovery by the caller +in the unlikely event of a fallible ogg_malloc call. + +We do check the return value elsewhere in the code, so the new +checks make the code more consistent. + +Thanks to https://github.com/xiph/opusfile/issues/36 for reporting. + +Signed-off-by: Timothy B. Terriberry +Signed-off-by: Mark Harris +--- + src/opusfile.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/opusfile.c b/src/opusfile.c +index ca219b2..3c3c81e 100644 +--- a/src/opusfile.c ++++ b/src/opusfile.c +@@ -148,6 +148,7 @@ static int op_get_data(OggOpusFile *_of,int _nbytes){ + int nbytes; + OP_ASSERT(_nbytes>0); + buffer=(unsigned char *)ogg_sync_buffer(&_of->oy,_nbytes); ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; + nbytes=(int)(*_of->callbacks.read)(_of->stream,buffer,_nbytes); + OP_ASSERT(nbytes<=_nbytes); + if(OP_LIKELY(nbytes>0))ogg_sync_wrote(&_of->oy,nbytes); +@@ -1527,6 +1528,7 @@ static int op_open1(OggOpusFile *_of, + if(_initial_bytes>0){ + char *buffer; + buffer=ogg_sync_buffer(&_of->oy,(long)_initial_bytes); ++ if(OP_UNLIKELY(buffer==NULL))return OP_EFAULT; + memcpy(buffer,_initial_data,_initial_bytes*sizeof(*buffer)); + ogg_sync_wrote(&_of->oy,(long)_initial_bytes); + } diff --git a/opusfile.spec b/SPECS/opusfile.spec similarity index 71% rename from opusfile.spec rename to SPECS/opusfile.spec index 5c03e83..855a0e9 100644 --- a/opusfile.spec +++ b/SPECS/opusfile.spec @@ -1,16 +1,24 @@ Name: opusfile Version: 0.12 -Release: 6%{?dist} +%global soname_version 0 +Release: 15%{?dist} Summary: A high-level API for decoding and seeking within .opus files -License: BSD +License: BSD-3-Clause URL: https://www.opus-codec.org/ Source0: https://downloads.xiph.org/releases/opus/%{name}-%{version}.tar.gz +# Propagate allocation failure from ogg_sync_buffer. +# https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 +# +# Fixes CVE-2022-47021. +# A potential bug of NPD +# https://github.com/xiph/opusfile/issues/36 +Patch1: https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5.patch#/CVE-2022-47021.patch BuildRequires: make BuildRequires: gcc -BuildRequires: libogg-devel -BuildRequires: openssl-devel -BuildRequires: opus-devel +BuildRequires: pkgconfig(ogg) +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(opus) %description libopusfile provides a high-level API for decoding and seeking @@ -27,13 +35,14 @@ decoded with a single output format, even if the channel count changes). %package devel Summary: Development package for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: pkgconfig +# The public API headers include ogg/ogg.h. +Requires: pkgconfig(ogg) %description devel Files for development with %{name}. %prep -%setup -q +%autosetup -p1 %build %configure --disable-static @@ -46,13 +55,11 @@ Files for development with %{name}. #Remove libtool archives. find %{buildroot} -type f -name "*.la" -delete -%ldconfig_scriptlets - %files %license COPYING %doc AUTHORS -%{_libdir}/libopusfile.so.* -%{_libdir}/libopusurl.so.* +%{_libdir}/libopusfile.so.%{soname_version}{,.*} +%{_libdir}/libopusurl.so.%{soname_version}{,.*} %files devel %doc %{_docdir}/%{name} @@ -63,6 +70,37 @@ find %{buildroot} -type f -name "*.la" -delete %{_libdir}/libopusurl.so %changelog +* Sat Dec 28 2024 Arkady L. Shane - 0.12-15 +- Rebuilt for MSVSphere 10 + +* Sat Sep 21 2024 Benjamin A. Beasley - 0.12-15 +- Identify the license as BSD-3-Clause +- Make opusfile-devel depend on libogg-devel + +* Mon Sep 02 2024 Miroslav Suchý - 0.12-14 +- convert license to SPDX + +* Thu Jul 18 2024 Fedora Release Engineering - 0.12-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 0.12-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 0.12-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 0.12-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Feb 01 2023 Peter Robinson - 0.12-9 +- Add upstream fix for CVE-2022-47021 + +* Thu Jan 19 2023 Fedora Release Engineering - 0.12-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jul 22 2022 Fedora Release Engineering - 0.12-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Thu Jan 20 2022 Fedora Release Engineering - 0.12-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/sources b/sources deleted file mode 100644 index bc2db33..0000000 --- a/sources +++ /dev/null @@ -1 +0,0 @@ -SHA512 (opusfile-0.12.tar.gz) = e25e6968a3183ac0628ce1000840fd6f9f636e92ba984d6a72b76fb2a98ec632d2de4c66a8e4c05ef30655c2a4a13ab35f89606fa7d79a54cfa8506543ca57af