--- libvorbisidec-1.0.2+svn18153.orig/codebook.c +++ libvorbisidec-1.0.2+svn18153/codebook.c @@ -258,7 +258,7 @@ t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;j>shift; }else{ for (i = 0; i < step; i++) { @@ -267,7 +267,7 @@ t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jvaluelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]>>shift; } }else{ @@ -295,7 +295,7 @@ entry = decode_packed_entry_number(book,b); if(entry==-1)return(-1); t = book->valuelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]<<-shift; } } @@ -352,15 +352,15 @@ long i,j,entry; int chptr=0; int shift=point-book->binarypoint; - + int m=offset+n; if(shift>=0){ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]>>shift; if(chptr==ch){ chptr=0; @@ -371,12 +371,12 @@ } }else{ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]<<-shift; if(chptr==ch){ chptr=0; --- libvorbisidec-1.0.2+svn18153.orig/debian/changelog +++ libvorbisidec-1.0.2+svn18153/debian/changelog 
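Review bot: The new bound `int m=offset+n;` (used by the hunks at -352 and -371) is declared `int`, while the index it limits is declared `long i,j,entry;` two lines above it. The function signature is outside the hunk, so the parameter types cannot be confirmed here, but if `offset` is a `long` the sum is narrowed on assignment, and the comparison of `i` against `m` that now guards the write `a[chptr++][i]+=t[j]>>shift;` would use a truncated limit. Declaring it `long m=offset+n;` keeps the bound in the same type as the index. The loop conditions themselves are truncated in this rendering of the patch, so the other added bounds checks should be verified against the original diff.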
@@ -1,9 +1,97 @@ -libvorbisidec (1.2.0-1) unstable; urgency=low +libvorbisidec (1.0.2+svn18153-1+deb9u1build0.18.04.1) bionic-security; urgency=medium - * Initial Release. + * No change rebuild to bump version higher than artful (LP: #1780681) - -- Christopher L Cheney Wed, 09 Oct 2002 22:00:00 -0500 + -- Marc Deslauriers Mon, 09 Jul 2018 10:22:06 -0400 -Local variables: -mode: debian-changelog -End: +libvorbisidec (1.0.2+svn18153-1+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Prevent out-of-bounds write in codebook decoding (CVE-2018-5147) + (Closes: #893132) + + -- Salvatore Bonaccorso Fri, 16 Mar 2018 21:00:34 +0100 + +libvorbisidec (1.0.2+svn18153-1) unstable; urgency=medium + + * QA upload. + * Set maintainer to Debian QA Group. (see #698378) + * Add libogg-dev dependency to libvorbisidec-dev. + (Closes: #739864) + + -- Adrian Bunk Mon, 23 Jan 2017 22:57:11 +0200 + +libvorbisidec (1.0.2+svn18153-0.2) unstable; urgency=low + + * Non-maintainer upload. + * Add pkg-config to Build-Depends. + + -- Luk Claes Mon, 25 Jun 2012 22:14:45 +0200 + +libvorbisidec (1.0.2+svn18153-0.1) unstable; urgency=medium + + * Non-maintainer upload by the Security Team. + * New upstream version to fix security issues. + * CVE-2008-1419: correctly handle codebook.dim==0 case + * CVE-2008-1423: check for absurdly huge codebooks + * CVE-2008-2009: sanity check for underpopulated Huffman trees + * CVE-2009-3379: multiple vulnerabilities MFSA 2009-63 + * CVE-2012-0444: fix decoding memory corruption + Closes: #669196 + * Add libogg-dev dependency to avoid FTBFS. + * Don't ship .la file. + + -- Luk Claes Sat, 23 Jun 2012 16:51:00 +0200 + +libvorbisidec (1.0.2+svn16259-2) unstable; urgency=low + + * updated ivorbisfile_example.c to ensure proper alignment of pcm data + on short boundaries (affects any arch where char arrays can be placed + on misaligned boundaries, such as armel). 
+ (Closes: #548815) + + -- Daniel Kahn Gillmor Mon, 28 Sep 2009 16:01:06 -0400 + +libvorbisidec (1.0.2+svn16259-1) unstable; urgency=low + + * pulled new changes from upstream SVN. + * switched from Vcs-Svn to Vcs-Git + * bumped policy to 3.8.3 (no changes needed) + * revised debian/copyright to meet latest machine-readable form + * moved to my more-generic get-orig-source to pull new upstream versions + from svn. + * removed Dm-Upload-Allowed, no longer needed + * added debian/clean to ensure "build twice" cleanliness. + * added iseeking_example.c to example source. + + -- Daniel Kahn Gillmor Tue, 22 Sep 2009 13:39:34 -0400 + +libvorbisidec (1.0.2+svn15687-1) unstable; urgency=low + + * New upsteam version (minor header cleanup, does not break ABI or API) + * updated my e-mail address. + * debian/control: switched XS-Dm-Upload-Allowed to Dm-Upload-Allowed. + * switched to debhelper >= 7.0.50, minimized debian/rules + * debian/rules added get-orig-source target to build new "upstream + tarballs" from upstream SVN. + * bumped policy to 3.8.1 (no changes needed) + + -- Daniel Kahn Gillmor Wed, 01 Apr 2009 13:10:24 -0400 + +libvorbisidec (1.0.2+svn14261-1) unstable; urgency=low + + * New upstream version. + * fixes double-free bug (Closes: #453745) + * added Homepage, Vcs-Svn, and Vcs-Browser fields to debian/control. + * added XS-Dm-Upload-Allowed: yes to debian/control. + + -- Daniel Kahn Gillmor Sun, 02 Dec 2007 02:19:38 -0500 + +libvorbisidec (1.0.2+svn12153-1) unstable; urgency=low + + * shipping ivorbisfile_example.c and a simple makefile in examples for + libvorbisidec-dev + * created BSD debian packaging license to BSD. + * Initial release (Closes #167464). + + -- Daniel Kahn Gillmor Wed, 29 Nov 2006 00:27:16 -0500 --- libvorbisidec-1.0.2+svn18153.orig/debian/clean +++ libvorbisidec-1.0.2+svn18153/debian/clean 
@@ -0,0 +1,10 @@
+Makefile.in
+aclocal.m4
+config.guess
+config.h.in
+config.sub
+configure
+depcomp
+install-sh
+ltmain.sh
+missing
--- libvorbisidec-1.0.2+svn18153.orig/debian/compat
+++ libvorbisidec-1.0.2+svn18153/debian/compat
@@ -0,0 +1 @@
+7
--- libvorbisidec-1.0.2+svn18153.orig/debian/control
+++ libvorbisidec-1.0.2+svn18153/debian/control
@@ -1,22 +1,31 @@ Source: libvorbisidec +Priority: extra +Maintainer: Debian QA Group +Build-Depends: debhelper (>= 7.0.50), autotools-dev, devscripts, automake, libtool, libogg-dev, pkg-config +Standards-Version: 3.8.3 Section: libs -Priority: optional -Maintainer: Christopher L Cheney -Build-Depends: autotools-dev, debhelper (>> 4.0.18), devscripts, gawk -Standards-Version: 3.5.7.0 +Homepage: http://wiki.xiph.org/index.php/Tremor +Vcs-Git: git://lair.fifthhorseman.net/~dkg/libvorbisidec -Package: libvorbisidec1 +Package: libvorbisidec-dev +Section: libdevel Architecture: any -Section: libs -Depends: ${shlibs:Depends} -Description: Ogg Bitstream Library - Libogg is a library for manipulating ogg bitstreams. It handles - both making ogg bitstreams and getting packets from ogg bitstreams. +Depends: libvorbisidec1 (= ${binary:Version}), ${misc:Depends}, libogg-dev +Description: Integer-only Ogg Vorbis decoder, AKA "tremor" (Development Files) + libvorbisidec is an Ogg Vorbis audio decoder (also known as + "tremor"), implemented with no floating point arithmetic. This makes + it particularly amenable to use on systems which lack floating point + hardware. + . + This package contains the development files. -Package: libvorbisidec-dev +Package: libvorbisidec1 Architecture: any -Section: devel -Depends: libvorbisidec1 (= ${Source-Version}), libc6-dev -Description: Ogg Bitstream Library Development - The libogg-dev package contains the header files and documentation - needed to develop applications with libogg. +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Integer-only Ogg Vorbis decoder, AKA "tremor" + libvorbisidec is an Ogg Vorbis audio decoder (also known as + "tremor"), implemented with no floating point arithmetic. This makes + it particularly amenable to use on systems which lack floating point + hardware. + + --- libvorbisidec-1.0.2+svn18153.orig/debian/copyright +++ libvorbisidec-1.0.2+svn18153/debian/copyright 
@@ -1,37 +1,15 @@ -This package was debianized by Christopher L Cheney on -Wed, 09 Oct 2002 22:00:00 -0500. - -It was downloaded from cvs. - -Upstream Author(s): Monty - -Copyright: -Copyright (c) 2002, Xiph.org Foundation - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -- Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - -- Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. - -- Neither the name of the Xiph.Org Foundation nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR -CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- +Format-Specification: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=59 +Name: Tremor, the integer-only Vorbis decoder +Maintainer: Monty +Source: http://svn.xiph.org/trunk/Tremor + +Copyright: 1994-2009, Xiph.org Foundation +License: BSD + On Debian systems the full text of the BSD License can be found in + /usr/share/common-licenses/BSD. + +Files: debian/* +Copyright: 2006-2009, Daniel Kahn Gillmor +License: BSD + On Debian systems the full text of the BSD License can be found in + /usr/share/common-licenses/BSD. --- libvorbisidec-1.0.2+svn18153.orig/debian/dirs +++ libvorbisidec-1.0.2+svn18153/debian/dirs @@ -0,0 +1,2 @@ +usr/bin +usr/sbin --- libvorbisidec-1.0.2+svn18153.orig/debian/docs +++ libvorbisidec-1.0.2+svn18153/debian/docs @@ -0,0 +1 @@ +README --- libvorbisidec-1.0.2+svn18153.orig/debian/get-orig-source +++ libvorbisidec-1.0.2+svn18153/debian/get-orig-source @@ -0,0 +1,31 @@ +#!/bin/sh + +# a script to generate an "upstream tarball" from the main svn. + +# Author: Daniel Kahn Gillmor + +# Usage: invoke this from the top level of the source, with: +# make -f debian/rules get-orig-source + +set -e +set -x + +SVN_SOURCE="$1" +PKG_NAME="$2" +MAIN_VERSION="$3" + +SVN_VERS=$(svn info "$SVN_SOURCE" | grep '^Last Changed Rev:' | cut -f4 -d' ') + +DIRNAME="${PKG_NAME}-${MAIN_VERSION}+svn${SVN_VERS}" +TARBALL="../${PKG_NAME}_${MAIN_VERSION}+svn${SVN_VERS}.orig.tar.gz" + +if [ -e "$TARBALL" ] ; then + printf '%s already exists.\n' "$TARBALL" >&2 + exit 1 +fi + +svn export -q "$SVN_SOURCE" -r "$SVN_VERS" "debian/$DIRNAME" +tar c -C debian "$DIRNAME" | gzip -9 -n > "$TARBALL" +rm -rf "debian/$DIRNAME" + +ls -la "$TARBALL" --- libvorbisidec-1.0.2+svn18153.orig/debian/libvorbisidec-dev.dirs +++ libvorbisidec-1.0.2+svn18153/debian/libvorbisidec-dev.dirs @@ -0,0 +1,3 @@ +usr/lib +usr/include +usr/include/tremor --- libvorbisidec-1.0.2+svn18153.orig/debian/libvorbisidec-dev.examples +++ libvorbisidec-1.0.2+svn18153/debian/libvorbisidec-dev.examples 
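Review bot: `SVN_VERS` in debian/get-orig-source is used without checking that it is non-empty. `set -e` only sees the exit status of the last command in the `svn info | grep | cut` pipeline, so a failed or unexpected `svn info` response leaves the variable empty and the script carries on to build `DIRNAME` and `TARBALL` from it. Add a guard right after the assignment, for example `[ -n "$SVN_VERS" ] || { printf 'could not determine upstream revision\n' >&2; exit 1; }`. The three positional arguments are also taken as-is, and a usage check such as `[ $# -eq 3 ] || exit 1` would catch a call made outside debian/rules.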
@@ -0,0 +1,3 @@
+ivorbisfile_example.c
+iseeking_example.c
+debian/source_examples/Makefile
--- libvorbisidec-1.0.2+svn18153.orig/debian/libvorbisidec-dev.install
+++ libvorbisidec-1.0.2+svn18153/debian/libvorbisidec-dev.install
@@ -1,8 +1,4 @@
-debian/tmp/usr/include/tremor/config_types.h
-debian/tmp/usr/include/tremor/ivorbiscodec.h
-debian/tmp/usr/include/tremor/ivorbisfile.h
-debian/tmp/usr/include/tremor/ogg.h
-debian/tmp/usr/include/tremor/os_types.h
-debian/tmp/usr/lib/libvorbisidec.a
-debian/tmp/usr/lib/libvorbisidec.la
-debian/tmp/usr/lib/libvorbisidec.so
+debian/tmp/usr/include/tremor*
+debian/tmp/usr/lib/lib*.a
+debian/tmp/usr/lib/lib*.so
+doc/* usr/share/doc/libvorbisidec-dev/html
--- libvorbisidec-1.0.2+svn18153.orig/debian/libvorbisidec1.dirs
+++ libvorbisidec-1.0.2+svn18153/debian/libvorbisidec1.dirs
@@ -0,0 +1 @@
+usr/lib
--- libvorbisidec-1.0.2+svn18153.orig/debian/libvorbisidec1.install
+++ libvorbisidec-1.0.2+svn18153/debian/libvorbisidec1.install
@@ -1 +1 @@
-debian/tmp/usr/lib/libvorbisidec.so.*
+debian/tmp/usr/lib/lib*.so.*
--- libvorbisidec-1.0.2+svn18153.orig/debian/rules
+++ libvorbisidec-1.0.2+svn18153/debian/rules
@@ -1,151 +1,11 @@ #!/usr/bin/make -f -# Sample debian/rules that uses debhelper. -# GNU copyright 1997 to 1999 by Joey Hess. +%: + dh $@ -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 +override_dh_auto_configure: + ./autogen.sh --prefix=/usr -# This is the debhelper compatibility version to use. -export DH_COMPAT=4 - -# This has to be exported to make some magic below work. -export DH_OPTIONS - -# These are used for cross-compiling and for saving the configure script -# from having to guess our platform (since we know it already) -DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) -DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) - -objdir = $(CURDIR)/obj-$(DEB_BUILD_GNU_TYPE) - -ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) - CFLAGS += -g -endif -ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) - INSTALL_PROGRAM += -s -endif - -configure: configure-stamp -configure-stamp: - dh_testdir - - # make build directory - mkdir $(objdir) - - # run configure with build tree $(objdir) - # change ../configure to ../autogen.sh for CVS build - cd $(objdir) && \ - ../configure --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE) \ - --prefix=/usr - - touch configure-stamp - -build: build-stamp -build-stamp: configure-stamp - dh_testdir - - cd $(objdir) && \ - $(MAKE) - - touch build-stamp - -autotools: - OLDDATESUB=`./config.sub -t | tr -d -` ;\ - OLDDATEGUESS=`./config.guess -t | tr -d -` ;\ - NEWDATESUB=`/usr/share/misc/config.sub -t | tr -d -` ;\ - NEWDATEGUESS=`/usr/share/misc/config.guess -t | tr -d -` ;\ - if [ $$OLDDATESUB -lt $$NEWDATESUB -o \ - $$OLDDATEGUESS -lt $$NEWDATEGUESS ]; then \ - dch -a -p "GNU config automated update: config.sub\ - ($$OLDDATESUB to $$NEWDATESUB), config.guess\ - ($$OLDDATEGUESS to $$NEWDATEGUESS)" ;\ - cp -f /usr/share/misc/config.sub config.sub ;\ - cp -f /usr/share/misc/config.guess config.guess ;\ - echo WARNING: GNU config scripts updated from master copies 1>&2 ;\ - fi - 
-debian-clean: - dh_testdir - dh_testroot - - dh_clean - -clean: autotools - dh_testdir - dh_testroot - rm -f build-stamp configure-stamp - - # Remove build tree - rm -rf $(objdir) - - # if Makefile exists run distclean - if test -f Makefile; then \ - $(MAKE) distclean; \ - fi - - #if test -d CVS; then \ - $(MAKE) cvs-clean ;\ - fi - - dh_clean - -install: DH_OPTIONS= -install: build - dh_testdir - dh_testroot - dh_clean -k - dh_installdirs - - cd $(objdir) && \ - $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp - - dh_install --list-missing - -# This single target is used to build all the packages, all at once, or -# one at a time. So keep in mind: any options passed to commands here will -# affect _all_ packages. Anything you want to only affect one package -# should be put in another target, such as the install target. -binary-common: - dh_testdir - dh_testroot -# dh_installxfonts - dh_installchangelogs - dh_installdocs - dh_installexamples -# dh_installmenu -# dh_installdebconf -# dh_installlogrotate -# dh_installemacsen -# dh_installpam -# dh_installmime -# dh_installinit -# dh_installcron -# dh_installinfo -# dh_undocumented - dh_installman - dh_strip - dh_link - dh_compress - dh_fixperms - dh_makeshlibs -V - dh_installdeb -# dh_perl - dh_shlibdeps - dh_gencontrol - dh_md5sums - dh_builddeb - -# Build architecture independant packages using the common target. -binary-indep: build install -# $(MAKE) -f debian/rules DH_OPTIONS=-i binary-common - -# Build architecture dependant packages using the common target. -binary-arch: build install - $(MAKE) -f debian/rules DH_OPTIONS=-a binary-common - -# Any other binary targets build just one binary package at a time. -binary-%: build install - $(MAKE) -f debian/rules binary-common DH_OPTIONS=-p$* - -binary: binary-indep binary-arch -.PHONY: build clean binary-indep binary-arch binary install configure +# fetch a new version of the upstream source, if anything has changed +# in our directory since the last clean upload. 
+get-orig-source: + debian/get-orig-source http://svn.xiph.org/trunk/Tremor libvorbisidec 1.0.2 --- libvorbisidec-1.0.2+svn18153.orig/debian/source_examples/Makefile +++ libvorbisidec-1.0.2+svn18153/debian/source_examples/Makefile @@ -0,0 +1,25 @@ +#!/usr/bin/make + +# makefile documenting how to build example code from the +# libvorbisidec ("tremor") library distribution. + +# Author: Daniel Kahn Gillmor + +TARGETS = ivorbisfile_example iseeking_example + +all: $(TARGETS) + +%: %.c + gcc -g -o $@ $< -lvorbisidec + +clean: + rm -f $(TARGETS) + +# it is OK to unzip gzipped source (dh_installexamples auto-compresses +# larger files in the examples directory) +%.c: %.c.gz + gzip -d $< +# but save any .c files that get unzipped! +.PRECIOUS: %.c + +.PHONY: all clean
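Review bot: The `get-orig-source` target in debian/rules passes `http://svn.xiph.org/trunk/Tremor` to `debian/get-orig-source`, so the upstream tarball is built from an `svn export` over plain HTTP, and nothing in the target or the script verifies what was fetched. The changelog in this same patch records repeated memory-corruption CVEs for this package, so the source of record should come over an authenticated transport, or be pinned to a known revision with the resulting tarball's checksum recorded. If upstream serves the repository over TLS, changing the scheme in this one line is enough. The `Vcs-Git: git://lair.fifthhorseman.net/~dkg/libvorbisidec` field added in debian/control likewise points at an unauthenticated transport.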