pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q1]: pkgsrc/audio/vorbis-tools pullup ticket #2353 - reque...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6bd616c8d0bf
branches:  pkgsrc-2008Q1
changeset: 540300:6bd616c8d0bf
user:      rtr <rtr%pkgsrc.org@localhost>
date:      Wed Apr 30 09:23:27 2008 +0000

description:
pullup ticket #2353 - requested by wiz
vorbis-tools: resolves security issue

revisions pulled up:
- pkgsrc/audio/vorbis-tools/Makefile            1.50
- pkgsrc/audio/vorbis-tools/distinfo            1.21
- pkgsrc/audio/vorbis-tools/patches/patch-ad    1.3

   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Tue Apr 29 05:51:10 UTC 2008

   Modified Files:
        pkgsrc/audio/vorbis-tools: Makefile distinfo
   Added Files:
        pkgsrc/audio/vorbis-tools/patches: patch-ad

   Log Message:
   Add upstream patch fixing
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
   Bump PKGREVISION.

diffstat:

 audio/vorbis-tools/Makefile         |   3 ++-
 audio/vorbis-tools/distinfo         |   3 ++-
 audio/vorbis-tools/patches/patch-ad |  17 +++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diffs (47 lines):

diff -r 433b20226c57 -r 6bd616c8d0bf audio/vorbis-tools/Makefile
--- a/audio/vorbis-tools/Makefile       Mon Apr 28 10:44:07 2008 +0000
+++ b/audio/vorbis-tools/Makefile       Wed Apr 30 09:23:27 2008 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.49 2008/03/14 18:55:54 wiz Exp $
+# $NetBSD: Makefile,v 1.49.2.1 2008/04/30 09:23:27 rtr Exp $
 
 DISTNAME=      vorbis-tools-1.2.0
+PKGREVISION=   1
 CATEGORIES=    audio
 MASTER_SITES=  http://downloads.xiph.org/releases/vorbis/
 
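Review bot: the new "PKGREVISION= 1" line under DISTNAME is the only thing that distinguishes the patched package from the unpatched vorbis-tools-1.2.0, and the Makefile carries no record of why the revision changed. Please confirm that the advisory data for CVE-2008-1686 names this revision as the first fixed one on pkgsrc-2008Q1, so that audit tooling flags the older build and stops flagging this one.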
diff -r 433b20226c57 -r 6bd616c8d0bf audio/vorbis-tools/distinfo
--- a/audio/vorbis-tools/distinfo       Mon Apr 28 10:44:07 2008 +0000
+++ b/audio/vorbis-tools/distinfo       Wed Apr 30 09:23:27 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/03/14 18:55:54 wiz Exp $
+$NetBSD: distinfo,v 1.20.2.1 2008/04/30 09:23:27 rtr Exp $
 
 SHA1 (vorbis-tools-1.2.0.tar.gz) = c5c5ee4637ab8c9fc953d203663b7264432f874a
 RMD160 (vorbis-tools-1.2.0.tar.gz) = 8cb6925c6e4e69373b6c91ff20d7ed8d75153b7c
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = a9fe36760479678df09f840671c515e0d9f37796
 SHA1 (patch-ab) = b706ae0bc9e13c5ccff689aa1451efc782e340e9
 SHA1 (patch-ac) = 53065c4db39f7e975712c2cba51ff5542cf5a77f
+SHA1 (patch-ad) = 6fe04631cd098fc64bf0914f1fd4ef654c0089b0
diff -r 433b20226c57 -r 6bd616c8d0bf audio/vorbis-tools/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/vorbis-tools/patches/patch-ad       Wed Apr 30 09:23:27 2008 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-ad,v 1.2.2.1 2008/04/30 09:23:27 rtr Exp $
+
+https://trac.xiph.org/attachment/ticket/1347/vorbis-tools-1.2.0-sec.patch
+for
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
+
+--- ogg123/speex_format.c.orig 2008-03-03 06:37:26.000000000 +0100
++++ ogg123/speex_format.c
+@@ -475,7 +475,7 @@ void *process_header(ogg_packet *op, int
+            cb->printf_error(callback_arg, ERROR, _("Cannot read header"));
+      return NULL;
+    }
+-   if ((*header)->mode >= SPEEX_NB_MODES) {
++   if ((*header)->mode >= SPEEX_NB_MODES || (*header)->mode < 0) {
+      cb->printf_error(callback_arg, ERROR, 
+                     _("Mode number %d does not (any longer) exist in this version"),
+             (*header)->mode);
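Review bot: the comment block at the top of patch-ad explains the change only through two URLs, so a reader without network access, or after the trac attachment link goes stale, cannot tell what is being fixed; add a one-line summary there, for example "reject negative mode values in the Speex header". Separately, the added "(*header)->mode < 0" condition reuses the message "Mode number %d does not (any longer) exist in this version", which was worded for modes that are too new and will now print a negative number for a malformed header. That is acceptable for a minimal pullup of the upstream patch, but a distinct message for the negative case would be worth suggesting upstream.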


