pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/multimedia/vlc Fix for CVE-2007-3316 format-string vul...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/b62378dbcb4e
branches:  trunk
changeset: 530304:b62378dbcb4e
user:      lkundrak <lkundrak%pkgsrc.org@localhost>
date:      Fri Jun 22 14:13:16 2007 +0000

description:
Fix for CVE-2007-3316 format-string vulnerability described by
VideoLAN-SA-0702 upstream advisory.  Backported from 0.8.6c.

diffstat:

 multimedia/vlc/Makefile         |   4 ++--
 multimedia/vlc/distinfo         |   6 +++++-
 multimedia/vlc/patches/patch-ak |  27 +++++++++++++++++++++++++++
 multimedia/vlc/patches/patch-al |  16 ++++++++++++++++
 multimedia/vlc/patches/patch-am |  16 ++++++++++++++++
 multimedia/vlc/patches/patch-an |  22 ++++++++++++++++++++++
 6 files changed, 88 insertions(+), 3 deletions(-)

diffs (128 lines):

diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/Makefile
--- a/multimedia/vlc/Makefile   Fri Jun 22 13:14:22 2007 +0000
+++ b/multimedia/vlc/Makefile   Fri Jun 22 14:13:16 2007 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.44 2007/02/22 19:26:51 wiz Exp $
+# $NetBSD: Makefile,v 1.45 2007/06/22 14:13:16 lkundrak Exp $
 #
 
 DISTNAME=              vlc-${VLC_VER}
-PKGREVISION=           5
+PKGREVISION=           6
 CATEGORIES=            multimedia
 MASTER_SITES=          http://download.videolan.org/pub/videolan/vlc/${VLC_VER}/
 EXTRACT_SUFX=          .tar.bz2
diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/distinfo
--- a/multimedia/vlc/distinfo   Fri Jun 22 13:14:22 2007 +0000
+++ b/multimedia/vlc/distinfo   Fri Jun 22 14:13:16 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2007/02/22 16:36:10 drochner Exp $
+$NetBSD: distinfo,v 1.11 2007/06/22 14:13:16 lkundrak Exp $
 
 SHA1 (vlc-0.8.5.tar.bz2) = 2f0a26a336a5211f32c7bcc653dfd0b27f1fb26b
 RMD160 (vlc-0.8.5.tar.bz2) = d24140a5b4bf771754028090e103bb5c171e4fd8
@@ -10,3 +10,7 @@
 SHA1 (patch-ah) = 5a355a70b7b39c0a33db7cc37e3944f903686d3f
 SHA1 (patch-ai) = 655df187ab529eb30753531dafbf4b68f7a85785
 SHA1 (patch-aj) = ff16b192696f7a8517b2bf343697cb81c6041015
+SHA1 (patch-ak) = 62e4c366c6ad39fdadf3e9484f1ee46a2f5680ab
+SHA1 (patch-al) = d363baa7a1d4150b2b12376652650295e546f0fe
+SHA1 (patch-am) = 7d212c47879c718a7685fe94660c9fa71a02f4c3
+SHA1 (patch-an) = 6388e50ad6b7c4cc6860759d514ca691b996ee45
diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/patches/patch-ak
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc/patches/patch-ak   Fri Jun 22 14:13:16 2007 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-ak,v 1.1 2007/06/22 14:13:16 lkundrak Exp $
+
+Fix for CVE-2007-3316 format-string vulnerability in CDDA module described
+by VideoLAN-SA-0702 advisory.  Backported from 0.8.6c.
+
+--- modules/access/cdda.c.orig 2007-06-22 16:00:43.000000000 +0200
++++ modules/access/cdda.c
+@@ -630,7 +630,9 @@ static int GetTracks( access_t *p_access
+                     {
+                         vlc_input_item_AddInfo( &p_item->input,
+                                             _(VLC_META_INFO_CAT),
+-                                            _(VLC_META_TITLE),
++                                            _(VLC_META_TITLE), "%s", 
++                                             cddb_track_get_title( t ) );
++
+                                             cddb_track_get_title( t ) );
+                         if( p_item->input.psz_name )
+                             free( p_item->input.psz_name );
+@@ -641,7 +643,7 @@ static int GetTracks( access_t *p_access
+                     if( psz_result )
+                     {
+                         vlc_input_item_AddInfo( &p_item->input,
+-                                            _(VLC_META_INFO_CAT),
++                                            _(VLC_META_INFO_CAT), "%s",
+                                             _(VLC_META_ARTIST), psz_result );
+                     }
+                 }
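Review bot: In the second inner hunk (GetTracks, near line 641 of cdda.c) the added `"%s"` sits between the category and the name, so the call passes `"%s"` as the info name and `_(VLC_META_ARTIST)` as the format, and `psz_result` is never printed. The other call sites in this commit use the order category, name, `"%s"`, value, so this one should read `_(VLC_META_INFO_CAT), _(VLC_META_ARTIST), "%s", psz_result );`. As written, the CDDB string is no longer the format, but the artist entry carries the wrong name and text. In the first inner hunk the old argument line `cddb_track_get_title( t ) );` is kept as context after the new call has already been closed, leaving a stray statement with an unbalanced `)` on the new side; it should be on the `-` side. Both inner hunks cut into GetTracks, whose body starts and ends outside what is shown, and correcting the patch also means refreshing the `SHA1 (patch-ak)` entry in distinfo.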
diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/patches/patch-al
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc/patches/patch-al   Fri Jun 22 14:13:16 2007 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-al,v 1.1 2007/06/22 14:13:16 lkundrak Exp $
+
+Fix for CVE-2007-3316 format-string vulnerability in Vorbis module described
+by VideoLAN-SA-0702 advisory.  Backported from 0.8.6c.
+
+--- modules/codec/vorbis.c.orig        2007-06-22 16:03:12.000000000 +0200
++++ modules/codec/vorbis.c
+@@ -614,7 +614,7 @@ static void ParseVorbisComments( decoder
+             *psz_value = '\0';
+             psz_value++;
+             input_Control( p_input, INPUT_ADD_INFO, _("Vorbis comment"),
+-                           psz_name, psz_value );
++                           psz_name, "%s", psz_value );
+             if( strcasestr( psz_name, "artist" ) )
+             {
+                 vlc_input_item_AddInfo( p_input->input.p_item,
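Review bot: The `vlc_input_item_AddInfo( p_input->input.p_item,` call that opens on the last context line is cut off by the inner hunk, so it cannot be seen here whether it passes `psz_value` as the format argument, as the `input_Control` call did before this fix. `psz_value` appears to be the value half of a comment taken from the stream, so that call should be checked and, if needed, given the same `"%s"` argument ahead of `psz_value`. ParseVorbisComments starts and ends outside the hunk.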
diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/patches/patch-am
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc/patches/patch-am   Fri Jun 22 14:13:16 2007 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-am,v 1.1 2007/06/22 14:13:16 lkundrak Exp $
+
+Fix for CVE-2007-3316 format-string vulnerability in Theora module described
+by VideoLAN-SA-0702 advisory.  Backported from 0.8.6c.
+
+--- modules/codec/theora.c.orig        2007-06-22 16:04:59.000000000 +0200
++++ modules/codec/theora.c
+@@ -510,7 +510,7 @@ static void ParseTheoraComments( decoder
+             *psz_value = '\0';
+             psz_value++;
+             input_Control( p_input, INPUT_ADD_INFO, _("Theora comment"),
+-                           psz_name, psz_value );
++                           psz_name, "%s", psz_value );
+         }
+         free( psz_comment );
+         i++;
diff -r baa464f77df9 -r b62378dbcb4e multimedia/vlc/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/vlc/patches/patch-an   Fri Jun 22 14:13:16 2007 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-an,v 1.1 2007/06/22 14:13:17 lkundrak Exp $
+
+Fix for CVE-2007-3316 format-string vulnerability in SAP module described
+by VideoLAN-SA-0702 advisory.  Backported from 0.8.6c.
+
+--- modules/services_discovery/sap.c.orig      2007-06-22 16:06:09.000000000 +0200
++++ modules/services_discovery/sap.c
+@@ -818,12 +818,12 @@ sap_announce_t *CreateAnnounce( services
+     if( psz_value != NULL )
+     {
+         vlc_input_item_AddInfo( &p_item->input, _("Session"),
+-                                _("Tool"), psz_value );
++                                _("Tool"), "%s", psz_value );
+     }
+     if( strcmp( p_sdp->psz_username, "-" ) )
+     {
+         vlc_input_item_AddInfo( &p_item->input, _("Session"),
+-                                _("User"), p_sdp->psz_username );
++                                _("User"), "%s", p_sdp->psz_username );
+     }
+ 
+     psz_value = GetAttribute( p_sap->p_sdp, "x-plgroup" );


