From unknown Tue Aug 19 05:13:42 2025
Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
From: Pierre Langlois
To: 42890@debbugs.gnu.org
Date: Sun, 16 Aug 2020 16:48:19 +0100
Message-ID: <87r1s6oam4.fsf@gmx.com>
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Hello Guix!

As I was looking into updating clementine, I noticed it would refuse to build with the system's taglib saying it may have a bug that corrupts OGG files.

I haven't personally encountered this bug, but I think we should patch it anyway to be safe. It should be included in the next release but it's unclear when this is going to happen :-/

See https://github.com/taglib/taglib/issues/864 for more details. It seems other distributions such as Archlinux also apply this fix.

Thanks!
Pierre

--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: attachment; filename=0001-gnu-taglib-Include-patch-to-prevent-OGG-corruption.patch
Content-Transfer-Encoding: quoted-printable

>From fb029863097e216111b40c410167ea7e36c3bf3d Mon Sep 17 00:00:00 2001
From: Pierre Langlois Date: Sun, 16 Aug 2020 16:28:54 +0100 Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption. * gnu/packages/mp3.scm (taglib)[source]: Add patch. * gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/mp3.scm | 8 +++++-- .../taglib-fix-possible-ogg-packet-loss.patch | 24 +++++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/taglib-fix-possible-ogg-packet-los= s.patch diff --git a/gnu/local.mk b/gnu/local.mk index db0f73d881..dc6df1af66 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1574,6 +1574,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/t1lib-CVE-2011-0764.patch \ %D%/packages/patches/t1lib-CVE-2011-1552+.patch \ %D%/packages/patches/t4k-common-libpng16.patch \ + %D%/packages/patches/taglib-fix-possible-ogg-packet-loss.patch \ %D%/packages/patches/tao-add-missing-headers.patch \ %D%/packages/patches/tao-fix-parser-types.patch \ %D%/packages/patches/tar-remove-wholesparse-check.patch \ diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 92e3d5d5f8..b6d174f7d4 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2015 Mark H Weaver ;;; Copyright =C2=A9 2016 Efraim Flashner ;;; Copyright =C2=A9 2017 Thomas Danckaert -;;; Copyright =C2=A9 2017, 2019 Pierre Langlois +;;; Copyright =C2=A9 2017, 2019, 2020 Pierre Langlois ;;; Copyright =C2=A9 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2019 Ricardo Wurmus ;;; Copyright =C2=A9 2020 Michael Rohleder 
@@ -167,7 +167,11 @@ a highly stable and efficient implementation.") version ".tar.gz")) (sha256 (base32 - "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")))) + "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")) + ;; Fix https://github.com/taglib/taglib/issues/864, which wi= ll + ;; be included in the next 1.12 release. + (patches + (search-patches "taglib-fix-possible-ogg-packet-loss.patch"= )))) (build-system cmake-build-system) (arguments '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on. diff --git a/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch= b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch new file mode 100644 index 0000000000..665732888f --- /dev/null +++ b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch 
@@ -0,0 +1,24 @@ +From 9336c82da3a04552168f208cd7a5fa4646701ea4 Mon Sep 17 00:00:00 2001 +From: Tsuda Kageyu +Date: Thu, 1 Dec 2016 11:32:01 +0900 +Subject: [PATCH] Fix possible Ogg packet losses. + +See https://github.com/taglib/taglib/issues/864 for details. + +--- + taglib/ogg/oggfile.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/taglib/ogg/oggfile.cpp b/taglib/ogg/oggfile.cpp +index 86b0b0764..c36e4d46c 100644 +--- a/taglib/ogg/oggfile.cpp ++++ b/taglib/ogg/oggfile.cpp +@@ -253,7 +253,7 @@ void Ogg::File::writePacket(unsigned int i, const Byte= Vector &packet) + ByteVectorList packets =3D firstPage->packets(); + packets[i - firstPage->firstPacketIndex()] =3D packet; +=20 +- if(firstPage !=3D lastPage && lastPage->packetCount() > 2) { ++ if(firstPage !=3D lastPage && lastPage->packetCount() > 1) { + ByteVectorList lastPagePackets =3D lastPage->packets(); + lastPagePackets.erase(lastPagePackets.begin()); + packets.append(lastPagePackets); --=20 2.28.0 --=-=-=--
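
Review bot: In the gnu/packages/mp3.scm hunk at @@ -167, the new comment cites issue 864 and "the next 1.12 release" but not the upstream commit the patch file was taken from. The embedded patch header gives it as 9336c82da3a04552168f208cd7a5fa4646701ea4; naming that commit in the comment lets whoever updates taglib confirm the patch can be dropped. The trailing context line `#:tests? #f` also means nothing in the build exercises the patched Ogg::File::writePacket path, so the fix should be verified by hand on an Ogg file whose rewritten packet spans more than one page before this is pushed.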

From: Brendan Tildesley
To: 42890@debbugs.gnu.org
Date: Tue, 18 Aug 2020 13:04:17 +1000
Message-ID: <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot>
In-Reply-To: <87r1s6oam4.fsf@gmx.com>
Content-Type: multipart/mixed; boundary="------------310F91BD6F2C7385FAA8FABF"

This is a multi-part message in MIME format.
--------------310F91BD6F2C7385FAA8FABF
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

I should apologise. I also prepared this same patch to submit over a year or two ago but ended up neglecting it. I also discovered these two CVE patches (attached) from another distribution that I was going to add. Perhaps the best solution is to switch to git-reference and choose a more recent commit that includes all these fixes. Your patch is in master at https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 and the two I attached are also in master.

--------------310F91BD6F2C7385FAA8FABF
Content-Type: text/x-patch; charset=UTF-8; name="taglib-CVE-2017-12678.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="taglib-CVE-2017-12678.patch"

>From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
From: "Stephen F. Booth" Date: Sun, 23 Jul 2017 10:11:09 -0400 Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame which causes problems in rebuildAggregateFrames() when it is assumed that TDRC is a TextIdentificationFrame --- taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp index 759a9b7be..9347ab869 100644 --- a/taglib/mpeg/id3v2/id3v2framefactory.cpp +++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp @@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const tag->frameList("TDAT").size() == 1) { TextIdentificationFrame *tdrc = - static_cast(tag->frameList("TDRC").front()); + dynamic_cast(tag->frameList("TDRC").front()); UnknownFrame *tdat = static_cast(tag->frameList("TDAT").front()); - if(tdrc->fieldList().size() == 1 && + if(tdrc && + tdrc->fieldList().size() == 1 && tdrc->fieldList().front().size() == 4 && tdat->data().size() >= 5) { --------------310F91BD6F2C7385FAA8FABF Content-Type: text/x-patch; charset=UTF-8; name="taglib-CVE-2018-11439.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="taglib-CVE-2018-11439.patch" >From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 From: Scott Gayou Date: Mon, 4 Jun 2018 11:34:36 -0400 Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) CVE-2018-11439 is caused by a failure to check the minimum length of a ogg flac header. This header is detailed in full at: https://xiph.org/flac/ogg_mapping.html. Added more strict checking for entire header. --- taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp index 53d04508a..07ea9dccc 100644 
--- a/taglib/ogg/flac/oggflacfile.cpp +++ b/taglib/ogg/flac/oggflacfile.cpp 
@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() if(!metadataHeader.startsWith("fLaC")) { // FLAC 1.1.2+ + // See https://xiph.org/flac/ogg_mapping.html for the header specification. + if(metadataHeader.size() < 13) + return; + + if(metadataHeader[0] != 0x7f) + return; + if(metadataHeader.mid(1, 4) != "FLAC") return; - if(metadataHeader[5] != 1) - return; // not version 1 + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) + return; // not version 1.0 + + if(metadataHeader.mid(9, 4) != "fLaC") + return; metadataHeader = metadataHeader.mid(13); } --------------310F91BD6F2C7385FAA8FABF--
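
Review bot: In the taglib-CVE-2017-12678.patch hunk at @@ -334 (id3v2framefactory.cpp), only the TDRC pointer gains a checked cast; the TDAT frame on the next line is still taken with static_cast to UnknownFrame and then dereferenced in `tdat->data().size() >= 5` with no null or type test. If the frame factory guarantees that TDAT is always an UnknownFrame at this point, a one-line comment saying so would close the question; otherwise give it the same treatment as TDRC, a dynamic_cast plus a `tdat &&` term in the condition.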
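
Review bot: In the taglib-CVE-2018-11439.patch hunk at @@ -231 (oggflacfile.cpp), the version test `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)` does not do what its comment "not version 1.0" says. With `&&` the function returns only when the major byte is not 1 and the minor byte is not 0 at the same time, so a header with major 2 and minor 0, which the removed `metadataHeader[5] != 1` check rejected, is now accepted, as is major 1 with any minor. The operator should be `||`. The `metadataHeader.size() < 13` guard is placed correctly, ahead of every indexed read and of `mid(9, 4)`.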

From: Pierre Langlois
To: Brendan Tildesley
Cc: 42890@debbugs.gnu.org
Date: Tue, 18 Aug 2020 10:21:25 +0100
Message-ID: <87blj82tt6.fsf@gmx.com>
In-reply-to: <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot>

Hi Brendan,

Brendan Tildesley writes:

> I should apologise. I also prepared this same patch to submit over a
> year or two ago but ended up neglecting it. I also discovered these two
> CVE patches (attached) from another distribution that I was going to
> add. Perhaps the best solution is to switch to git-reference and choose
> a more recent commit that includes all these fixes. Your patch is in
> master at
> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
> and the two I attached are also in master.

No worries! Yeah I think it's good to just use a git-reference in this case, I'll try that and submit another patch, thanks for the suggestion!

Pierre

From: Pierre Langlois
To: Pierre Langlois
Cc: 42890@debbugs.gnu.org, mail@brendan.scot
Date: Tue, 18 Aug 2020 18:59:00 +0100
Message-ID: <87pn7ndee3.fsf@gmx.com>
In-reply-to: <87blj82tt6.fsf@gmx.com>
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Pierre Langlois writes:

> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached) from another distribution that I was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah I think it's good to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!

I wasn't so sure which recent commit to use, but then I saw there was a 1.12-beta-1 pre-release from September 2019 so I thought we'd use that. Looking at some discussions upstream [0], it might still be a while until we get a proper release though :-/

0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581

--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: attachment; filename=0001-gnu-taglib-Update-to-1.12-beta-1.patch
Content-Transfer-Encoding: quoted-printable

>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001 From: Pierre Langlois Date: Tue, 18 Aug 2020 18:38:01 +0100 Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1. This switches to a yet unreleased version of taglib, to make sure long standings issues and CVEs are covered until a proper release is made upstre= am. Among these, we have: - CVE-2017-12678 - CVE-2018-11439 - https://github.com/taglib/taglib/issues/864 * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1. [source]: Switch to using git-fetch. --- gnu/packages/mp3.scm | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 92e3d5d5f8..7ee009df74 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2015 Mark H Weaver ;;; Copyright =C2=A9 2016 Efraim Flashner ;;; Copyright =C2=A9 2017 Thomas Danckaert -;;; Copyright =C2=A9 2017, 2019 Pierre Langlois +;;; Copyright =C2=A9 2017, 2019, 2020 Pierre Langlois ;;; Copyright =C2=A9 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2019 Ricardo Wurmus ;;; Copyright =C2=A9 2020 Michael Rohleder @@ -50,6 +50,7 @@ #:use-module (gnu packages video) ;ffmpeg #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix git-download) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (guix build-system python) 
@@ -160,14 +161,16 @@ a highly stable and efficient implementation.") (define-public taglib (package (name "taglib") - (version "1.11.1") + (version "1.12-beta-1") (source (origin - (method url-fetch) - (uri (string-append "http://taglib.github.io/releases/taglib= -" - version ".tar.gz")) + (method git-fetch) + (uri (git-reference + (url "https://github.com/taglib/taglib") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) (sha256 (base32 - "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")))) + "1mp6w2ikniw8w6d5wr0h20j0ijg8jw7s9dli5a8k9znpznvxpym4")))) (build-system cmake-build-system) (arguments '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on. --=20 2.28.0 --=-=-=--
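
Review bot: In the taglib hunk at @@ -160, the source moves to a pre-release git tag while the trailing context still carries `#:tests? #f`, so a package being updated specifically for CVE-2017-12678 and CVE-2018-11439 is built without running upstream's test suite. Check whether the suite can be enabled for this build (the existing comment ties the restriction to BUILD_SHARED_LIBS), or extend that comment to say why it still cannot. Separately, the changelog line in the commit message spells the path gnu/packges/mp3.scm; it should read gnu/packages/mp3.scm.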
05:32:15 -0400 Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=46510 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kE84r-0004hv-IN; Fri, 04 Sep 2020 05:32:14 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <87r1s6oam4.fsf@gmx.com> <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot> <87blj82tt6.fsf@gmx.com> <87pn7ndee3.fsf@gmx.com> Date: Fri, 04 Sep 2020 11:32:09 +0200 In-Reply-To: <87pn7ndee3.fsf@gmx.com> (Pierre Langlois's message of "Tue, 18 Aug 2020 18:59:00 +0100") Message-ID: <874kodvqee.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi! Pierre Langlois skribis: >>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001 > From: Pierre Langlois > Date: Tue, 18 Aug 2020 18:38:01 +0100 > Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1. > > This switches to a yet unreleased version of taglib, to make sure long > standings issues and CVEs are covered until a proper release is made upst= ream. > > Among these, we have: > > - CVE-2017-12678 > - CVE-2018-11439 > - https://github.com/taglib/taglib/issues/864 > > * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1. > [source]: Switch to using git-fetch. It=E2=80=99s a good idea to add =E2=80=9C[security fixes]=E2=80=9D or to li= st CVEs in the subject line of the commit log. Otherwise LGTM! You can now use your new super commit powers to push it. :-) Thanks, Ludo=E2=80=99. From unknown Tue Aug 19 05:13:42 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Pierre Langlois
Subject: bug#42890: closed (Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.)
Date: Fri, 04 Sep 2020 11:15:02 +0000

Your bug report

#42890: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 42890@debbugs.gnu.org.

-- 
42890: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=42890
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Pierre Langlois
To: Ludovic Courtès
Cc: Pierre Langlois, 42890-done@debbugs.gnu.org, mail@brendan.scot
Subject: Re: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
In-reply-to: <874kodvqee.fsf@gnu.org>
Date: Fri, 04 Sep 2020 12:14:26 +0100
Message-ID: <878sdpu73h.fsf@gmx.com>

Ludovic Courtès writes:

> Hi!
>
> Pierre Langlois skribis:
>
>>>>From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
>> From: Pierre Langlois
>> Date: Tue, 18 Aug 2020 18:38:01 +0100
>> Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.
>>
>> This switches to a yet unreleased version of taglib, to make sure long
>> standings issues and CVEs are covered until a proper release is made upstream.
>>
>> Among these, we have:
>>
>> - CVE-2017-12678
>> - CVE-2018-11439
>> - https://github.com/taglib/taglib/issues/864
>>
>> * gnu/packges/mp3.scm (taglib): Update to 1.12-beta-1.
>> [source]: Switch to using git-fetch.
>
> It’s a good idea to add “[security fixes]” or to list CVEs in the
> subject line of the commit log.
>
> Otherwise LGTM!
>
> You can now use your new super commit powers to push it. :-)

Whoohoo! done :-)
From: Pierre Langlois
To: Guix-patches
Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
Date: Sun, 16 Aug 2020 16:48:19 +0100
Message-ID: <87r1s6oam4.fsf@gmx.com>

Hello Guix!

As I was looking into updating clementine, I noticed it would refuse to
build with the system's taglib saying it may have a bug that corrupts
OGG files. I haven't personally encountered this bug, but I think we
should patch it anyway to be safe. It should be included in the next
release but it's unclear when this is going to happen :-/

See https://github.com/taglib/taglib/issues/864 for more details. It
seems other distributions such as Archlinux also apply this fix.

Thanks!
Pierre

>From fb029863097e216111b40c410167ea7e36c3bf3d Mon Sep 17 00:00:00 2001
From: Pierre Langlois Date: Sun, 16 Aug 2020 16:28:54 +0100 Subject: [PATCH] gnu: taglib: Include patch to prevent OGG corruption. * gnu/packages/mp3.scm (taglib)[source]: Add patch. * gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/mp3.scm | 8 +++++-- .../taglib-fix-possible-ogg-packet-loss.patch | 24 +++++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/taglib-fix-possible-ogg-packet-los= s.patch diff --git a/gnu/local.mk b/gnu/local.mk index db0f73d881..dc6df1af66 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1574,6 +1574,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/t1lib-CVE-2011-0764.patch \ %D%/packages/patches/t1lib-CVE-2011-1552+.patch \ %D%/packages/patches/t4k-common-libpng16.patch \ + %D%/packages/patches/taglib-fix-possible-ogg-packet-loss.patch \ %D%/packages/patches/tao-add-missing-headers.patch \ %D%/packages/patches/tao-fix-parser-types.patch \ %D%/packages/patches/tar-remove-wholesparse-check.patch \ diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 92e3d5d5f8..b6d174f7d4 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -4,7 +4,7 @@ ;;; Copyright =C2=A9 2015 Mark H Weaver ;;; Copyright =C2=A9 2016 Efraim Flashner ;;; Copyright =C2=A9 2017 Thomas Danckaert -;;; Copyright =C2=A9 2017, 2019 Pierre Langlois +;;; Copyright =C2=A9 2017, 2019, 2020 Pierre Langlois ;;; Copyright =C2=A9 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2019 Ricardo Wurmus ;;; Copyright =C2=A9 2020 Michael Rohleder 
@@ -167,7 +167,11 @@ a highly stable and efficient implementation.") version ".tar.gz")) (sha256 (base32 - "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")))) + "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")) + ;; Fix https://github.com/taglib/taglib/issues/864, which wi= ll + ;; be included in the next 1.12 release. + (patches + (search-patches "taglib-fix-possible-ogg-packet-loss.patch"= )))) (build-system cmake-build-system) (arguments '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on. diff --git a/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch= b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch new file mode 100644 index 0000000000..665732888f --- /dev/null +++ b/gnu/packages/patches/taglib-fix-possible-ogg-packet-loss.patch @@ -0,0 +1,24 @@ +From 9336c82da3a04552168f208cd7a5fa4646701ea4 Mon Sep 17 00:00:00 2001 +From: Tsuda Kageyu +Date: Thu, 1 Dec 2016 11:32:01 +0900 +Subject: [PATCH] Fix possible Ogg packet losses. + +See https://github.com/taglib/taglib/issues/864 for details. + +--- + taglib/ogg/oggfile.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/taglib/ogg/oggfile.cpp b/taglib/ogg/oggfile.cpp +index 86b0b0764..c36e4d46c 100644 +--- a/taglib/ogg/oggfile.cpp ++++ b/taglib/ogg/oggfile.cpp +@@ -253,7 +253,7 @@ void Ogg::File::writePacket(unsigned int i, const Byte= Vector &packet) + ByteVectorList packets =3D firstPage->packets(); + packets[i - firstPage->firstPacketIndex()] =3D packet; +=20 +- if(firstPage !=3D lastPage && lastPage->packetCount() > 2) { ++ if(firstPage !=3D lastPage && lastPage->packetCount() > 1) { + ByteVectorList lastPagePackets =3D lastPage->packets(); + lastPagePackets.erase(lastPagePackets.begin()); + packets.append(lastPagePackets); --=20 2.28.0 --=-=-=-- ------------=_1599218102-14904-1--
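Review bot: in the gnu/packages/mp3.scm source hunk, the added patch is never exercised at build time, because the unchanged context line still reads #:tests? #f ("Tests are not ran with BUILD_SHARED_LIBS on."). The fix is described as guarding against file corruption, so it is worth saying in the comment above (patches ...) how it was checked, or enabling the test suite in a follow-up if the shared-library limitation can be worked around. The comment's promise that the fix "will be included in the next 1.12 release" is also a reminder to drop the patch on the next version bump; saying so explicitly would help.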
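Review bot: in the taglib/ogg/oggfile.cpp hunk of the new patch file, the bound change from packetCount() > 2 to packetCount() > 1 is explained only by a link to issue 864. From the visible lines, the branch erases the first packet of the last page and appends the rest, so with the old bound a last page holding exactly two packets skipped the branch and its second packet was never appended; with exactly one packet nothing would be left after the erase, which is why > 1 is the right limit. One sentence to that effect in the patch file header, next to the upstream commit id 9336c82da3a04552168f208cd7a5fa4646701ea4 it already carries, would let a reader judge the fix without following the link.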