[taglib/el5] merge el6 build (1.6.1) and backport ogg_xiphcomment security patch

Rex Dieter rdieter at fedoraproject.org
Mon Mar 19 17:50:46 UTC 2012


commit d90fec132c17b0d95c22cd1cbabd05de59c1b019
Author: Rex Dieter <rdieter at fedoraproject.org>
Date:   Mon Mar 19 12:50:09 2012 -0500

    merge el6 build (1.6.1) and backport ogg_xiphcomment security patch

 .gitignore                         |    3 +-
 sources                            |    2 +-
 taglib-1.5-kde#161721.patch        |   14 ---
 taglib-1.6.1-ogg_xiphcomment.patch |   12 +++
 taglib.spec                        |  160 +++++++++++++++++++++++++++++++++---
 5 files changed, 162 insertions(+), 29 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 61b11a4..d3a362d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-taglib-1.5.tar.gz
+/taglib-1.6.1.tar.gz
+/taglib-1.7.1.tar.gz
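Review bot: the `/taglib-1.7.1.tar.gz` ignore entry has no matching line in `sources`, which lists only taglib-1.6.1.tar.gz after this commit. It looks like a leftover from the branch merge. Drop it so the ignore list matches the tarballs this branch actually builds from.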
diff --git a/sources b/sources
index 064762a..1dfd4fd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7b557dde7425c6deb7bbedd65b4f2717  taglib-1.5.tar.gz
+db0502b3c3448ff1f1f9b090c1daa5f7  taglib-1.6.1.tar.gz
diff --git a/taglib-1.6.1-ogg_xiphcomment.patch b/taglib-1.6.1-ogg_xiphcomment.patch
new file mode 100644
index 0000000..211fdd7
--- /dev/null
+++ b/taglib-1.6.1-ogg_xiphcomment.patch
@@ -0,0 +1,12 @@
+diff -up taglib-1.6.1/taglib/ogg/xiphcomment.cpp.ogg_xiphcomment taglib-1.6.1/taglib/ogg/xiphcomment.cpp
+--- taglib-1.6.1/taglib/ogg/xiphcomment.cpp.ogg_xiphcomment	2009-07-11 08:17:06.000000000 -0500
++++ taglib-1.6.1/taglib/ogg/xiphcomment.cpp	2012-03-19 12:40:04.000000000 -0500
+@@ -287,7 +287,7 @@ void Ogg::XiphComment::parse(const ByteV
+ 
+   int pos = 0;
+ 
+-  int vendorLength = data.mid(0, 4).toUInt(false);
++  uint vendorLength = data.mid(0, 4).toUInt(false);
+   pos += 4;
+ 
+   d->vendorID = String(data.mid(pos, vendorLength), String::UTF8);
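Review bot: `vendorLength` is still read straight from the file and passed to `data.mid(pos, vendorLength)` with no comparison against `data.size()` visible in this hunk; the switch to `uint` only stops a large value from being interpreted as negative. Consider checking that at least 4 + vendorLength bytes are available before using it, or confirm that `mid()` clamps an oversized length. Any further length fields that `parse()` reads after this point fall outside the hunk, so compare them against the upstream commit referenced in the spec. A test file with a modified vendor length in the `%check` suite would guard against regression.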
diff --git a/taglib.spec b/taglib.spec
index 582c2fe..89858dc 100644
--- a/taglib.spec
+++ b/taglib.spec
@@ -1,9 +1,18 @@
 
-# cvsadmin: http://bugzilla.redhat.com/418271
+# Fedora cvs admin requests for taglib: http://bugzilla.redhat.com/418271
+
+%bcond_without tests
+
+%if %{with tests}
+%global buildtests -DBUILD_TESTS=ON
+%endif
+
+%bcond_without doc
+%global apidocdir __api-doc_fedora
 
 Name:       taglib	
-Version:    1.5
-Release:    2%{?dist}
+Version:    1.6.1
+Release:    1%{?dist}.2
 Summary:    Audio Meta-Data Library
 
 Group: 	    System Environment/Libraries
@@ -22,42 +31,79 @@ Patch1:     taglib-1.5b1-multilib.patch
 Patch2:     taglib-1.5rc1-multilib.patch
 
 ## upstream patches
-Patch100: taglib-1.5-kde#161721.patch
+# CVE-2012-1108 taglib: ogg file with vendorLength field modification causes crash
+# http://bugzilla.redhat.com/800559
+# https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59
+Patch100:  taglib-1.6.1-ogg_xiphcomment.patch
 
 BuildRequires: cmake
+BuildRequires: pkgconfig
 BuildRequires: zlib-devel
+%if %{with tests}
+BuildRequires: cppunit-devel
+%endif
+%if %{with doc}
+BuildRequires: doxygen
+BuildRequires: graphviz
+%endif
+
 
 %description
 TagLib is a library for reading and editing the meta-data of several
-popular audio formats. Currently it supports both ID3v1 and ID3v2 for
-MP3 files, Ogg Vorbis comments and ID3 tags and Vorbis comments in
-FLAC files.
+popular audio formats. Currently it supports both ID3v1 and ID3v2 for MP3
+files, Ogg Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC,
+Speex, WavPack, TrueAudio files, as well as APE Tags.
+
+
+%if %{with doc}
+%package doc
+Summary: API Documentation for %{name}
+Group: Documentation
+%if 0%{?fedora} > 9 || 0%{?rhel} >= 6
+BuildArch: noarch
+%endif
+
+%description doc
+This is API documentation generated from the TagLib source code.
+%endif
+
 
 %package devel
 Summary: Development files for %{name} 
 Group:	 Development/Libraries
 Requires: %{name} = %{version}-%{release}
 Requires: pkgconfig
+%if ! %{with doc}
+Obsoletes: %{name}-doc
+%endif
+
 %description devel
-%{summary}.
+Files needed when building software with %{name}.
 
 
 %prep
 %setup -q -n taglib-%{version}%{?beta}
 
+# patch1 not applied
+## omit for now
 %patch2 -p1 -b .multilib
-
-%patch100 -p1 -b .kde#161721.patch
+%patch100 -p1 -b .ogg_xiphcomment
 
 
 %build
 mkdir -p %{_target_platform}
 pushd %{_target_platform}
-%{cmake} ..
+%{cmake} %{?buildtests} -DWITH_ASF=1 -DWITH_MP4=1 ..
 popd
 
 make %{?_smp_mflags} -C %{_target_platform}
 
+%if %{with doc}
+cd doc
+doxygen taglib.doxygen
+cd -
+%endif
+
 
 %install
 rm -rf %{buildroot}
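Review bot: `Obsoletes: %{name}-doc` under `%if ! %{with doc}` is unversioned, so it would also obsolete any later taglib-doc package; give it an upper bound, for example `Obsoletes: %{name}-doc < %{version}-%{release}`. Separately, the `# patch1 not applied` / `## omit for now` comments in %prep do not say why the patch is skipped; a short reason or bug reference would help the next branch merge.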
@@ -65,9 +111,24 @@ rm -rf %{buildroot}
 make install DESTDIR=%{buildroot} -C %{_target_platform}
 
 rm -fr examples/.deps
-rm -fr examples/Makefile*
+rm -fr examples/Makefile* examples/CMake*
 rm -f %{buildroot}%{_libdir}/lib*.la
 
+%if %{with doc}
+rm -fr %{apidocdir} ; mkdir %{apidocdir}
+cp -a doc/html doc/*.png %{apidocdir}
+ln -s html/index.html %{apidocdir}
+find %{apidocdir} -name '*.md5' | xargs rm
+%endif
+
+
+%if %{with tests}
+%check
+cp -a tests/data %{_target_platform}/tests
+cd %{_target_platform}
+LD_LIBRARY_PATH=%{buildroot}%{_libdir}:$LD_LIBRARY_PATH make check
+%endif
+
 
 %clean
 rm -rf %{buildroot}
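Review bot: `find %{apidocdir} -name '*.md5' | xargs rm` in the doc block runs `rm` with no operands when doxygen produces no .md5 files, which returns non-zero and can fail %install; it also mishandles file names containing whitespace. Use `xargs -r rm -f` or `find ... -delete` instead. In %check, `LD_LIBRARY_PATH=%{buildroot}%{_libdir}:$LD_LIBRARY_PATH` leaves a trailing empty entry when the variable is unset, and the loader treats that as the current directory; `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` avoids it.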
@@ -80,7 +141,7 @@ rm -rf %{buildroot}
 
 %files
 %defattr(-,root,root,-)
-%doc AUTHORS COPYING.LGPL
+%doc AUTHORS COPYING.LGPL NEWS
 %{_libdir}/lib*.so.*
 
 %files devel
@@ -91,8 +152,81 @@ rm -rf %{buildroot}
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
 
+%if %{with doc}
+%files doc
+%defattr(-,root,root,-)
+%doc %{apidocdir}/*
+%endif
+
 
 %changelog
+* Mon Mar 19 2012 Rex Dieter <rdieter at fedoraproject.org> - 1.6.1-1.2
+- taglib: ogg file with vendorLength field modification causes crash (#800559)
+
+* Fri Nov 13 2009 Dennis Gregorovic <dgregor at redhat.com> - 1.6.1-1.1
+- Fix conditional for RHEL
+
+* Sat Oct 31 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.6.1-1
+- Update to 1.6.1 (bug-fixes, of which one is considered a fix for
+  a serious bug: saving of Ogg FLAC comments).
+
+* Thu Sep 17 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.6-2
+- Include the new NEWS file as %%doc.
+
+* Mon Sep 14 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.6-1
+- Add patch to fix MP4 test on ppc/ppc64.
+- Update to 1.6 final.
+
+* Sun Sep  6 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.6-0.1.rc1
+- Update to 1.6rc1 (further bug-fixes and support for AIFF and WAV).
+- Build optional support for MP4 and ASF/WMA files.
+
+* Fri Sep  4 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.5-8
+- Merge another bug-fix from 1.6rc1 (this adds 3 symbols) and
+  really add tstring bug-fix:
+  * Split Ogg packets larger than 64k into multiple pages. (BUG:171957)
+  * Fixed a possible crash in the non-const version of String::operator[]
+    and in String::operator+=. (BUG:169389)
+
+* Sun Aug 23 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.5-7
+- Build API documentation into -doc package.
+
+* Sat Aug 22 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 1.5-6
+- Add %%check section and conditionally build with tests.
+- Update descriptions (and mention the additional file formats).
+- Cherry-pick bug-fix patches from 1.6 development (also replaces the
+  old taglib-1.5-kde#161721.patch):
+  * Fixed crash when saving a Locator APEv2 tag. (BUG:169810)
+  * TagLib can now use FLAC padding block. (BUG:107659)
+  * Fixed overflow while calculating bitrate of FLAC files with a very
+    high bitrate.
+  * XiphComment::year() now falls back to YEAR if DATE doesn't exist
+    and XiphComment::year() falls back to TRACKNUM if TRACKNUMBER doesn't
+    exist. (BUG:144396)
+  * Fixed a bug in ByteVectorList::split().
+  * Fixed a possible crash in the non-const version of String::operator[]
+    and in String::operator+=. (BUG:169389)
+  * ID3v2.2 frames are now not incorrectly saved. (BUG:176373)
+  * Support for ID3v2.2 PIC frames. (BUG:167786)
+  * Improved ID3v2.3 genre parsing. (BUG:188578)
+  * Better checking of corrupted ID3v2 APIC data. (BUG:168382)
+  * Bitrate calculating using the Xing header now uses floating point
+    numbers. (BUG:172556)
+  * Added support for PRIV ID3v2 frames.
+  * Empty ID3v2 genres are no longer treated as numeric ID3v1 genres.
+  * Added support for the POPM (rating/playcount) ID3v2 frame.
+  * Fixed crash on handling unsupported ID3v2 frames, e.g. on encrypted
+    frames. (BUG:161721)
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Dec 12 2008 Rex Dieter <rdieter at fedoraproject.org> 1.5-3
+- rebuild for pkgconfig deps
+
 * Mon Oct 06 2008 Rex Dieter <rdieter at fedoraproject.org> 1.5-2
 - Encrypted frames taglib/Amarok crash (kde#161721)
 
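Review bot: the new 1.6.1-1.2 changelog entry cites only the Bugzilla number (#800559); add the CVE id that the Patch100 comment already carries (CVE-2012-1108). Administrators commonly search `rpm -q --changelog` output for CVE ids to confirm that a fix is installed, and a bug number alone will not match.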

