From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 10 04:08:25 2018 Received: (at submit) by debbugs.gnu.org; 10 Jan 2018 09:08:25 +0000 Received: from localhost ([127.0.0.1]:50265 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZCMu-0006Qd-Uj for submit@debbugs.gnu.org; Wed, 10 Jan 2018 04:08:24 -0500 Received: from eggs.gnu.org ([208.118.235.92]:54764) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZCMr-0006QJ-7F for submit@debbugs.gnu.org; Wed, 10 Jan 2018 04:08:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eZCMh-0006e0-Ho for submit@debbugs.gnu.org; Wed, 10 Jan 2018 04:08:12 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:35173) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eZCMh-0006dq-Dd for submit@debbugs.gnu.org; Wed, 10 Jan 2018 04:08:07 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45716) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eZCMf-00013I-Ot for guix-patches@gnu.org; Wed, 10 Jan 2018 04:08:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eZCMc-0006cN-TR for guix-patches@gnu.org; Wed, 10 Jan 2018 04:08:05 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56351) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eZCMc-0006bv-8L for guix-patches@gnu.org; Wed, 10 Jan 2018 04:08:02 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 5BD0620230; Wed, 10 Jan 2018 04:08:01 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Wed, 10 Jan 2018 04:08:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=mesmtp; bh=T3CUxNrCP3+F4srL50mS9od6NKPw7U2k9kHsOQ pRrj4=; b=E68+ulUrn+/6E7rX58XceUADDwWdV2MgrDHMYLpfG2ZZCcvyI3NZQB z0CEF1vfYSeybcbxTHP1D9SJRJJxip9l71vRuWHbliO8XAXNTt8yCXkLLDaLt9ZQ yqEw3Zub1xykhGFups2g+vdzXbmtEvtZ3bAYKMurJGMICWIPt3V1U= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=T3CUxNrCP3+F4srL5 0mS9od6NKPw7U2k9kHsOQpRrj4=; b=Ihl6yaP9jvCRk3qzWagt8lhkUkVYQBK+v OROEhvGa5JVWkdGbjF9OsXudevrAZcL92S2M6/ZdXkLXpXAp7pbLMK2FdTnbuotw pQaYmbl+NGHi1lomE3uPU880nmsP+KPfCexC8MEuCMOI2eGY9pkTL/lEmZTS4Zlm Xpl0INHMHxZkMulYRi7eemiDmY7MpAh32gqHj75b/WBH0gxKP68dg0fTdo1H+fuQ gvxNtFo+7wM4XFwzWJ18Rzw3wmBXjX0eJSpNDhlAw8yMOfRFWfA0S2waMKGCZ2qN WchwZ4qYo45JvWQwdN97u0LrQJfqDSPWiPxz6bii3pFrSO6l2BNYg== X-ME-Sender: Received: from jasmine.lan (unknown [162.208.95.194]) by mail.messagingengine.com (Postfix) with ESMTPA id D7E4424771 for ; Wed, 10 Jan 2018 04:08:00 -0500 (EST) From: Leo Famulari To: guix-patches@gnu.org Subject: [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}. Date: Wed, 10 Jan 2018 01:07:39 -0800 Message-Id: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name> X-Mailer: git-send-email 2.15.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.1 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.1 (----) * gnu/packages/patches/libvorbis-CVE-2017-14632.patch, gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/xiph.scm (libvorbis)[replacement]: New field. (libvorbis/fixed): New variable. --- gnu/local.mk | 2 + .../patches/libvorbis-CVE-2017-14632.patch | 63 ++++++++++++++++++++++ .../patches/libvorbis-CVE-2017-14633.patch | 43 +++++++++++++++ gnu/packages/xiph.scm | 9 ++++ 4 files changed, 117 insertions(+) create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch diff --git a/gnu/local.mk b/gnu/local.mk index 44868d4bb..4b451c7a9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -851,6 +851,8 @@ dist_patch_DATA = \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ %D%/packages/patches/libusb-for-axoloti.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14632.patch \ + %D%/packages/patches/libvorbis-CVE-2017-14633.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch new file mode 100644 index 000000000..99debf210 --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch @@ -0,0 +1,63 @@ +Fix CVE-2017-14632: + +https://gitlab.xiph.org/xiph/vorbis/issues/2328 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f + +From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb + if not initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/info.c b/lib/info.c +index 7bc4ea4..8d0b2ed 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch new file mode 100644 index 000000000..ec6bf5265 --- /dev/null +++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch @@ -0,0 +1,43 @@ +Fix CVE-2017-14633: + +https://gitlab.xiph.org/xiph/vorbis/issues/2329 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633 + +Patch copied from upstream source repository: + +https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 + +From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= +Date: Tue, 31 Oct 2017 18:32:46 +0100 +Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels + +Otherwise + + for(i=0;ichannels;i++){ + /* the encoder setup assumes that all the modes used by any + specific bitrate tweaking use the same floor */ + int submap=info->chmuxlist[i]; + +overreads later in mapping0_forward since chmuxlist is a fixed array of +256 elements max. +--- + lib/info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/info.c b/lib/info.c +index fe759ed..7bc4ea4 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + oggpack_buffer opb; + private_state *b=v->backend_state; + +- if(!b||vi->channels<=0){ ++ if(!b||vi->channels<=0||vi->channels>256){ + ret=OV_EFAULT; + goto err_out; + } +-- +2.15.1 + diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 9277f57ad..e9ab06de4 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -79,6 +79,7 @@ periodic timestamps for seeking.") (define libvorbis (package (name "libvorbis") + (replacement libvorbis/fixed) (version "1.3.5") (source (origin (method url-fetch) @@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to "See COPYING in the distribution.")) (home-page "http://xiph.org/vorbis/"))) +(define libvorbis/fixed + (package + (inherit libvorbis) + (source (origin + (inherit (package-source libvorbis)) + (patches (search-patches "libvorbis-CVE-2017-14633.patch" + "libvorbis-CVE-2017-14632.patch")))))) + (define libtheora (package (name "libtheora") -- 2.15.1 From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 11 16:24:19 2018 Received: (at control) by debbugs.gnu.org; 11 Jan 2018 21:24:19 +0000 Received: from localhost ([127.0.0.1]:52539 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZkKg-0000UU-Tk for submit@debbugs.gnu.org; Thu, 11 Jan 2018 16:24:19 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:35370) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZkKg-0000UO-6i for control@debbugs.gnu.org; Thu, 11 Jan 2018 16:24:18 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id A97F410959 for ; Thu, 11 Jan 2018 22:24:17 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHNJCjuryhTr for ; Thu, 11 Jan 2018 22:24:17 +0100 (CET) Received: from ribbon (unknown [IPv6:2a01:e0a:1d:7270:af76:b9b:ca24:c465]) by hera.aquilenet.fr (Postfix) with ESMTPSA id EA50A1021F for ; Thu, 11 Jan 2018 22:24:16 +0100 (CET) Date: Thu, 11 Jan 2018 22:24:15 +0100 Message-Id: <87lgh4nl6o.fsf@gnu.org> To: control@debbugs.gnu.org From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: control message for bug #30061 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) tags 30061 security From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 11 16:25:40 2018 Received: (at 30061) by debbugs.gnu.org; 11 Jan 2018 21:25:40 +0000 Received: from localhost ([127.0.0.1]:52543 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZkM0-0000Wi-87 for submit@debbugs.gnu.org; Thu, 11 Jan 2018 16:25:40 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:35376) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZkLw-0000WY-GG for 30061@debbugs.gnu.org; Thu, 11 Jan 2018 16:25:39 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id 0DC6510959; Thu, 11 Jan 2018 22:25:36 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49lSqVfwmCUT; Thu, 11 Jan 2018 22:25:35 +0100 (CET) Received: from ribbon (unknown [IPv6:2a01:e0a:1d:7270:af76:b9b:ca24:c465]) by hera.aquilenet.fr (Postfix) with ESMTPSA id C91BA1021F; Thu, 11 Jan 2018 22:25:34 +0100 (CET) From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Leo Famulari Subject: Re: [bug#30061] [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}. References: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name> Date: Thu, 11 Jan 2018 22:25:33 +0100 In-Reply-To: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name> (Leo Famulari's message of "Wed, 10 Jan 2018 01:07:39 -0800") Message-ID: <87h8rsnl4i.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 30061 Cc: 30061@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) Hi, Leo Famulari skribis: > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch, > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files. > * gnu/local.mk (dist_patch_DATA): Add them. > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field. > (libvorbis/fixed): New variable. LGTM. On =E2=80=98core-updates=E2=80=99, should we perform a rebuild instead of g= rafting? Thank you! Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 11 17:33:30 2018 Received: (at 30061-done) by debbugs.gnu.org; 11 Jan 2018 22:33:30 +0000 Received: from localhost ([127.0.0.1]:52642 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZlPe-0005zL-GK for submit@debbugs.gnu.org; Thu, 11 Jan 2018 17:33:30 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:36923) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZlPa-0005zB-KN for 30061-done@debbugs.gnu.org; Thu, 11 Jan 2018 17:33:29 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 15C0F20B97; Thu, 11 Jan 2018 17:33:26 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Thu, 11 Jan 2018 17:33:26 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= mesmtp; bh=fKqECr/UP996vkMB2tSagW7/fi8sKb3F3bt/vMDe6+g=; b=TUD1H KRi3V2VCrWAJRsD21KCqWZaZ+Dx1kY1CYRX4Y1eBxIRh4gjNi1e4fL92xAYqGxI/ B6d0VzeRLI+Z9ITE27trcCkBSiu87LAWftdYgEGnPczCgTjpMpOh/9ow0agBcIyY FkTW5QPAutR9bpCK9aMSKV67TwdpnSqPexVr4E= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=fKqECr/UP996vkMB2tSagW7/fi8sK b3F3bt/vMDe6+g=; b=IQtqhoGCYFAbSbFjND0hXWMGxUoJtIVtPnJjtNydPB+h9 DnSNGzlyJKtJoLvZrv1555NsLQr0o6yBiEW5XOCYaOSvXBWwJ5k7fSF+tqBMtB3R dG6ufuywr/ehhjFnVSERZJ9bFoP0/H3WBvJR2W2lfWwcgILtHNdNMk10T82Q+t+Q /A5c6QUYSG9uNnbnjo3N9I8Th/SqdeMrYEo4qS/9j12kHTttv+c1z4XjTJOKzEU+ QY36Wyy63S6iPUCjRLSQexLcLCe6/r9f1i46MTQaJi8v+8ZsVvA7kCo425yzKV5Y 7TG4G+ww/NVPrH127TyxkmIqQzgbWoa+IO4FPSElw== X-ME-Sender: Received: from localhost (unknown [162.208.95.194]) by mail.messagingengine.com (Postfix) with ESMTPA id 760027E335; Thu, 11 Jan 2018 17:33:25 -0500 (EST) Date: Thu, 11 Jan 2018 14:33:22 -0800 From: Leo Famulari To: Ludovic =?iso-8859-1?Q?Court=E8s?= Subject: Re: [bug#30061] [PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}. Message-ID: <20180111223322.GA12238@jasmine.lan> References: <9a94afdf5d9bcc8a61f31acdf346bbab1f44307f.1515575258.git.leo@famulari.name> <87h8rsnl4i.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="k1lZvvs/B4yU6o8G" Content-Disposition: inline In-Reply-To: <87h8rsnl4i.fsf@gnu.org> User-Agent: Mutt/1.9.2 (2017-12-15) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 30061-done Cc: 30061-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --k1lZvvs/B4yU6o8G Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 11, 2018 at 10:25:33PM +0100, Ludovic Court=C3=A8s wrote: > Hi, >=20 > Leo Famulari skribis: >=20 > > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch, > > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files. > > * gnu/local.mk (dist_patch_DATA): Add them. > > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field. > > (libvorbis/fixed): New variable. >=20 > LGTM. Pushed as 138c08899ba73049de8afd2b74a8cf6845a1d9e1 > On =E2=80=98core-updates=E2=80=99, should we perform a rebuild instead of= grafting? Yes, I merged master into core-updates and ungrafted libvorbis in e6ebc7b13225f0eddc404b7d8e136120b962181e --k1lZvvs/B4yU6o8G Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpX5jIACgkQJkb6MLrK fwjXeA//QpH4EHthoNVDzlsLhf+xSUKWTh5zTRkRR5hQZPlikKEqJB9gDrMVv71Z 06HY2f9Yz2W8b+vxsBPFo6tYeiVOyUZ3LrK3CbejYNo82LO84NGGJZteakwIL7cz MftHSZgEPmZSD82KVqfDPL/As3+BsKBmi/U6FE1DnKEdBLtsERgq7ErCD5GdLpnb 94l1uFLONTQymO4FOwafaGbOGCPBUdk1rcnx2mTZgmuo6RgkcblRq719rPk/RXIC aIab0ovTaM4A3hATXn20yfPVaPylb1xZpU/Pu0Q6P67gX5Ln1X8J9TfaVi60+Oz/ VUF2Hy0OvmVukvmHS4KnhO92ixIDQOgpMnC1pMEhyEVTZMr7B6Ni1eKWav9EAhUz iDUL9li/jHnqbKQWFW/3zs2lqC0jgSn+1yUxGOTKRWLj7sxC0L7Bdcp+DGH86sU/ kDaMFZ6iFY+HfcXKh/5WcOYJjm4p5Su1QeKKwQpdkJLmIuYUSkmf8pwXYkzZ5486 hR7KOjMimEXH5jOHrQsCAO3EgS83l3K+M6tWx9yORmZvuMDKi6I9+wJ3bh+GKAVF pHRvSMfP2psrEvuHy15Ecmnsui1HyiohFfE7aJGSPpUqNm9UTKG0PVhv3tK4UwL9 OpW05WDJxqJfo1u9dF4+P1Amm2+M7MkYjShym9lkBvnSKliHn5I= =thrW -----END PGP SIGNATURE----- --k1lZvvs/B4yU6o8G-- From unknown Fri Jun 20 20:12:14 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Fri, 09 Feb 2018 12:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator