From 1f521b7055a464439774332f1a69ed31b565715f Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 30 May 2016 17:17:09 +0300 Subject: gnu: id3lib: Fix CVE-2007-4460. * gnu/packages/mp3.scm (id3lib)[source]: Add patch. * gnu/packages/patches/id3lib-CVE-2007-4460.patch: New variable. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/mp3.scm | 6 +-- gnu/packages/patches/id3lib-CVE-2007-4460.patch | 54 +++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/id3lib-CVE-2007-4460.patch diff --git a/gnu/local.mk b/gnu/local.mk index 5f10dd86be..11b7ccb692 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -551,6 +551,7 @@ dist_patch_DATA = \ %D%/packages/patches/icu4c-CVE-2014-6585.patch \ %D%/packages/patches/icu4c-CVE-2015-1270.patch \ %D%/packages/patches/icu4c-CVE-2015-4760.patch \ + %D%/packages/patches/id3lib-CVE-2007-4460.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ %D%/packages/patches/inkscape-drop-wait-for-targets.patch \ %D%/packages/patches/irrlicht-mesa-10.patch \ diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 997c50f5f4..8451f0ac9f 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -108,11 +108,11 @@ versions of ID3v2.") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/id3lib/id3lib/" - version "/id3lib-" - version ".tar.gz")) + version "/id3lib-" version ".tar.gz")) (sha256 (base32 - "0yfhqwk0w8q2hyv1jib1008jvzmwlpsxvc8qjllhna6p1hycqj97")))) + "0yfhqwk0w8q2hyv1jib1008jvzmwlpsxvc8qjllhna6p1hycqj97")) + (patches (search-patches "id3lib-CVE-2007-4460.patch")))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/patches/id3lib-CVE-2007-4460.patch b/gnu/packages/patches/id3lib-CVE-2007-4460.patch new file mode 100644 index 0000000000..36c84179fc --- /dev/null +++ b/gnu/packages/patches/id3lib-CVE-2007-4460.patch @@ -0,0 +1,54 @@ +This patch fixes an issues where temporary files were created in an insecure +way. + +It was first intruduced in version 3.8.3-7 and fixes +http://bugs.debian.org/438540 +--- a/src/tag_file.cpp ++++ b/src/tag_file.cpp +@@ -242,8 +242,8 @@ + strcpy(sTempFile, filename.c_str()); + strcat(sTempFile, sTmpSuffix.c_str()); + +-#if ((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP)) +- // This section is for Windows folk && gcc 3.x folk ++#if !defined(HAVE_MKSTEMP) ++ // This section is for Windows folk + fstream tmpOut; + createFile(sTempFile, tmpOut); + +@@ -257,7 +257,7 @@ + tmpOut.write((char *)tmpBuffer, nBytes); + } + +-#else //((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP)) ++#else //!defined(HAVE_MKSTEMP) + + // else we gotta make a temp file, copy the tag into it, copy the + // rest of the old file after the tag, delete the old file, rename +@@ -270,7 +270,7 @@ + //ID3_THROW_DESC(ID3E_NoFile, "couldn't open temp file"); + } + +- ofstream tmpOut(fd); ++ ofstream tmpOut(sTempFile); + if (!tmpOut) + { + tmpOut.close(); +@@ -285,14 +285,14 @@ + uchar tmpBuffer[BUFSIZ]; + while (file) + { +- file.read(tmpBuffer, BUFSIZ); ++ file.read((char *)tmpBuffer, BUFSIZ); + size_t nBytes = file.gcount(); +- tmpOut.write(tmpBuffer, nBytes); ++ tmpOut.write((char *)tmpBuffer, nBytes); + } + + close(fd); //closes the file + +-#endif ////((defined(__GNUC__) && __GNUC__ >= 3 ) || !defined(HAVE_MKSTEMP)) ++#endif ////!defined(HAVE_MKSTEMP) + + tmpOut.close(); + file.close(); -- cgit v1.2.3