pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2008Q4]: pkgsrc/audio/libsndfile Pullup ticket #2717 - request...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/30fc1cc89c5b
branches:  pkgsrc-2008Q4
changeset: 552360:30fc1cc89c5b
user:      tron <tron%pkgsrc.org@localhost>
date:      Wed Mar 04 23:17:09 2009 +0000

description:
Pullup ticket #2717 - requested by tnn
libsndfile: security patch

Add patch to fix the vulnerability reported in CVE-2009-0186.

diffstat:

 audio/libsndfile/Makefile         |   4 ++--
 audio/libsndfile/distinfo         |   3 ++-
 audio/libsndfile/patches/patch-ai |  18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diffs (50 lines):

diff -r 7bf66472c7ce -r 30fc1cc89c5b audio/libsndfile/Makefile
--- a/audio/libsndfile/Makefile Wed Mar 04 23:12:19 2009 +0000
+++ b/audio/libsndfile/Makefile Wed Mar 04 23:17:09 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2008/07/24 22:39:30 obache Exp $
+# $NetBSD: Makefile,v 1.46.6.1 2009/03/04 23:17:09 tron Exp $
 
 DISTNAME=      libsndfile-1.0.17
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    audio
 MASTER_SITES=  http://www.mega-nerd.com/libsndfile/
 
diff -r 7bf66472c7ce -r 30fc1cc89c5b audio/libsndfile/distinfo
--- a/audio/libsndfile/distinfo Wed Mar 04 23:12:19 2009 +0000
+++ b/audio/libsndfile/distinfo Wed Mar 04 23:17:09 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2008/04/07 15:36:19 bjs Exp $
+$NetBSD: distinfo,v 1.24.10.1 2009/03/04 23:17:09 tron Exp $
 
 SHA1 (libsndfile-1.0.17+flac-1.1.3.patch.bz2) = 10e0d19dfc8cf2a6bf499e0fa0d1ab17dca4c519
 RMD160 (libsndfile-1.0.17+flac-1.1.3.patch.bz2) = fc6e6f03069c1ad8ee43f600f6ac2aa6e97bb1f5
@@ -14,4 +14,5 @@
 SHA1 (patch-af) = 9ac0dd446a2f24c2d39e20063489a3b778fcda36
 SHA1 (patch-ag) = 10d0fcda9377fc6afa2dce9e4782f49889a4f4a3
 SHA1 (patch-ah) = 8c936316ca1191f8893579a562ff705c8dde6f92
+SHA1 (patch-ai) = 9557b5c1a5fdef2321879251df937045e4215b8c
 SHA1 (patch-ba) = 92ec08d4e021f121d2255760d601625df71e3805
diff -r 7bf66472c7ce -r 30fc1cc89c5b audio/libsndfile/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/libsndfile/patches/patch-ai Wed Mar 04 23:17:09 2009 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-ai,v 1.1.2.1 2009/03/04 23:17:09 tron Exp $
+
+Fix for CVE-2009-0186.
+
+--- src/caf.c.orig     2006-08-31 11:22:07.000000000 +0200
++++ src/caf.c
+@@ -282,6 +282,11 @@ caf_read_header (SF_PRIVATE *psf)
+                       "  Frames / packet  : %u\n  Channels / frame : %u\n  Bits / channel   : %u\n",
+                       desc.fmt_id, desc.fmt_flags, desc.pkt_bytes, desc.pkt_frames, desc.channels_per_frame, desc.bits_per_chan) ;
+ 
++      if (desc.channels_per_frame > 200)
++      {       psf_log_printf (psf, "**** Bad channels per frame value %u.\n", desc.channels_per_frame) ;
++              return SFE_MALFORMED_FILE ;
++              } ;
++
+       if (chunk_size > SIGNED_SIZEOF (DESC_CHUNK))
+               psf_binheader_readf (psf, "j", (int) (chunk_size - sizeof (DESC_CHUNK))) ;
+ 
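Review bot: In the check added to caf_read_header, the limit in "if (desc.channels_per_frame > 200)" is a bare literal, and nothing in the patch says why 200 is the right bound or which later use of the channel count it protects. Suggest a named constant or a one-line comment above the test, and a patch header that goes beyond "Fix for CVE-2009-0186." to state what a malformed value would otherwise cause and whether the change is taken from upstream. The test is upper-bound only and the field is logged with %u, so a value of 0 still passes; it is worth confirming that the code after this point, which the hunk does not show, copes with zero channels. The placement itself is sound: the file is rejected with SFE_MALFORMED_FILE, after logging the offending value, before the rest of the desc chunk is skipped.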


