Backport upstream commits for CVE-2012-1107 and CVE-2012-1108 wrt #407673 by Michael Harrison

(Portage version: 2.2.0_alpha90/cvs/Linux x86_64)

3 files changed, 87 insertions, 1 deletions

diff --git a/media-libs/taglib/ChangeLog b/media-libs/taglib/ChangeLog
index ebefb5376f67..797b4713df38 100644
--- a/media-libs/taglib/ChangeLog
+++ b/media-libs/taglib/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for media-libs/taglib
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/taglib/ChangeLog,v 1.104 2012/02/03 19:02:41 johu Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/taglib/ChangeLog,v 1.105 2012/03/10 13:13:21 ssuominen Exp $
+
+*taglib-1.7-r1 (10 Mar 2012)
+
+  10 Mar 2012; Samuli Suominen <ssuominen@gentoo.org> +taglib-1.7-r1.ebuild,
+  +files/taglib-1.7-security.patch:
+  Backport upstream commits for CVE-2012-1107 and CVE-2012-1108 wrt #407673 by
+  Michael Harrison
 
   03 Feb 2012; Johannes Huber <johu@gentoo.org> -taglib-1.6.3.ebuild:
   Remove old.
diff --git a/media-libs/taglib/files/taglib-1.7-security.patch b/media-libs/taglib/files/taglib-1.7-security.patch
new file mode 100644
index 000000000000..47765b3dc19f
--- /dev/null
+++ b/media-libs/taglib/files/taglib-1.7-security.patch
@@ -0,0 +1,30 @@
+http://bugs.gentoo.org/407673
+
+CVE-2012-1107
+http://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23
+
+CVE-2012-1108
+http://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59
+
+--- taglib/ape/apeproperties.cpp
++++ taglib/ape/apeproperties.cpp
+@@ -193,7 +193,7 @@
+   uint blocksPerFrame = header.mid(4, 4).toUInt(false);
+   uint finalFrameBlocks = header.mid(8, 4).toUInt(false);
+   uint totalBlocks = totalFrames > 0 ? (totalFrames -  1) * blocksPerFrame + finalFrameBlocks : 0;
+-  d->length = totalBlocks / d->sampleRate;
++  d->length = d->sampleRate > 0 ? totalBlocks / d->sampleRate : 0;
+   d->bitrate = d->length > 0 ? ((d->streamLength * 8L) / d->length) / 1000 : 0;
+ }
+ 
+--- taglib/ogg/xiphcomment.cpp
++++ taglib/ogg/xiphcomment.cpp
+@@ -287,7 +287,7 @@
+ 
+   int pos = 0;
+ 
+-  int vendorLength = data.mid(0, 4).toUInt(false);
++  uint vendorLength = data.mid(0, 4).toUInt(false);
+   pos += 4;
+ 
+   d->vendorID = String(data.mid(pos, vendorLength), String::UTF8);
diff --git a/media-libs/taglib/taglib-1.7-r1.ebuild b/media-libs/taglib/taglib-1.7-r1.ebuild
new file mode 100644
index 000000000000..ac862f5542e0
--- /dev/null
+++ b/media-libs/taglib/taglib-1.7-r1.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/taglib/taglib-1.7-r1.ebuild,v 1.1 2012/03/10 13:13:21 ssuominen Exp $
+
+EAPI=4
+inherit cmake-utils
+
+DESCRIPTION="A library for reading and editing audio meta data"
+HOMEPAGE="http://developer.kde.org/~wheeler/taglib.html"
+SRC_URI="http://developer.kde.org/~wheeler/files/src/${P}.tar.gz"
+
+LICENSE="LGPL-2 MPL-1.1"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd ~x86-freebsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x86-solaris"
+SLOT="0"
+IUSE="+asf debug examples +mp4 test"
+
+RDEPEND="sys-libs/zlib"
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig
+	test? ( dev-util/cppunit )
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.6.1-install-examples.patch
+	"${FILESDIR}"/${P}-security.patch
+	)
+
+DOCS="AUTHORS NEWS"
+
+src_configure() {
+	mycmakeargs=(
+		$(cmake-utils_use_build examples)
+		$(cmake-utils_use_with asf)
+		$(cmake-utils_use_with mp4)
+	)
+
+	cmake-utils_src_configure
+}
+
+pkg_postinst() {
+	if ! use asf; then
+		elog "You've chosen to disable the asf use flag, thus taglib won't include"
+		elog "support for Microsoft's 'advanced systems format' media container"
+	fi
+	if ! use mp4; then
+		elog "You've chosen to disable the mp4 use flag, thus taglib won't include"
+		elog "support for the MPEG-4 part 14 / MP4 media container"
+	fi
+}