libsndfile: security bump to version 1.0.28

Fixes:

CVE-2017-7585 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.

CVE-2017-7586 - In libsndfile before 1.0.28, an error in the "header_read()"
function (common.c) when handling ID3 tags can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.

CVE-2017-7741 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with write memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

CVE-2017-7742 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with read memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

Dop undocumented patch adjusting SUBDIRS in Makefile.in as it no longer
applies.  Instead pass --disable-full-suite to disable man pages,
documentation and programs, as that was presumably the reason for the patch.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/libsndfile/0001-srconly.patch b/package/libsndfile/0001-srconly.patch
deleted file mode 100644 (file)
index 417e340..0000000
--- a/package/libsndfile/0001-srconly.patch
+++ /dev/null
@@ -1,17 +0,0 @@
----
- Makefile.in |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: libsndfile-1.0.18/Makefile.in
-===================================================================
---- libsndfile-1.0.18.orig/Makefile.in
-+++ libsndfile-1.0.18/Makefile.in
-@@ -260,7 +260,7 @@
- top_srcdir = @top_srcdir@
- DISTCHECK_CONFIGURE_FLAGS = --enable-gcc-werror
- @BUILD_OCTAVE_MOD_TRUE@octave_dir = Octave
--SUBDIRS = M4 man doc Win32 src $(octave_dir) examples regtest tests programs
-+SUBDIRS = src
- DIST_SUBDIRS = M4 man doc Win32 src Octave examples regtest tests programs
- EXTRA_DIST = libsndfile.spec.in sndfile.pc.in Mingw-make-dist.sh
- pkgconfigdir = $(libdir)/pkgconfig

diff --git a/package/libsndfile/libsndfile.hash b/package/libsndfile/libsndfile.hash
index a87b7c3085fb0a9f827044c3b9561e7d24d457c8..31500cd970efd958e0edeb6678d7b79e70835ac7 100644 (file)
--- a/package/libsndfile/libsndfile.hash
+++ b/package/libsndfile/libsndfile.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 a391952f27f4a92ceb2b4c06493ac107896ed6c76be9a613a4731f076d30fac0        libsndfile-1.0.27.tar.gz
+sha256 1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9        libsndfile-1.0.28.tar.gz

diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
index 936f4be218d9d509589fbea605385be6a15271f0..22909ffb62ba4a3bcc95785da9dc65ac2517cc36 100644 (file)
--- a/package/libsndfile/libsndfile.mk
+++ b/package/libsndfile/libsndfile.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSNDFILE_VERSION = 1.0.27
+LIBSNDFILE_VERSION = 1.0.28
 LIBSNDFILE_SITE = http://www.mega-nerd.com/libsndfile/files
 LIBSNDFILE_INSTALL_STAGING = YES
 LIBSNDFILE_LICENSE = LGPL-2.1+
@@ -13,6 +13,7 @@ LIBSNDFILE_LICENSE_FILES = COPYING
 LIBSNDFILE_CONF_OPTS = \
        --disable-sqlite \
        --disable-alsa \
-       --disable-external-libs
+       --disable-external-libs \
+       --disable-full-suite
 
 $(eval $(autotools-package))