Thursday, February 24, 2022

Re: update audio/flac 1.3.4

Nam Nguyen:

> Here is an update to flac 1.3.4, released on 20 Feb 2022. It comes with
> security fixes.

> This update:
> - removes upstreamed bitreader.c patch
> - updates cpu.c ppc patch

I have a different version of that patch that minimizes the changes.

> - bumps library majors
>
> This commit adds -fvisibility=hidden for clang, which explains this
> change, despite upstream reporting "Interface changes: ... (none)."

Well, that poses a problem. If we bump the library majors, we can't
commit this to -stable.

Indeed I don't see any interface changes, except for the removal
of a _lot_ of symbols that weren't intended as part of the API
before.

So our unsatisfactory choices are:
(1) Bump, no backport to -stable.
(2) No bump, in violation of our API policy.
(3) No bump and remove -fvisibility to retain the old symbols.

Suggestions?

Index: Makefile
===================================================================
RCS file: /cvs/ports/audio/flac/Makefile,v
retrieving revision 1.62
diff -u -p -r1.62 Makefile
--- Makefile 8 May 2021 15:19:22 -0000 1.62
+++ Makefile 24 Feb 2022 17:38:27 -0000
@@ -2,8 +2,7 @@

COMMENT= free lossless audio codec

-DISTNAME= flac-1.3.3
-REVISION= 0
+DISTNAME= flac-1.3.4
CATEGORIES= audio archivers
HOMEPAGE= https://www.xiph.org/flac/
SHARED_LIBS += FLAC 11.0 # 11.0
Index: distinfo
===================================================================
RCS file: /cvs/ports/audio/flac/distinfo,v
retrieving revision 1.13
diff -u -p -r1.13 distinfo
--- distinfo 12 Aug 2019 21:47:23 -0000 1.13
+++ distinfo 24 Feb 2022 17:38:27 -0000
@@ -1,2 +1,2 @@
-SHA256 (flac-1.3.3.tar.xz) = IT6CvXFsnebbL5i8rbxMJMfi7+jHWTmhqE4oU5xOF0g=
-SIZE (flac-1.3.3.tar.xz) = 1044472
+SHA256 (flac-1.3.4.tar.xz) = j/BgfnWjIt181uxI9PIlRxQEricw0OqUUSexNVFV5zc=
+SIZE (flac-1.3.4.tar.xz) = 1038356
Index: patches/patch-src_libFLAC_bitreader_c
===================================================================
RCS file: patches/patch-src_libFLAC_bitreader_c
diff -N patches/patch-src_libFLAC_bitreader_c
--- patches/patch-src_libFLAC_bitreader_c 8 May 2021 15:19:22 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-$OpenBSD: patch-src_libFLAC_bitreader_c,v 1.1 2021/05/08 15:19:22 naddy Exp $
-
-CVE-2020-0499: Fix out-of-bounds read
-https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4
-
-Index: src/libFLAC/bitreader.c
---- src/libFLAC/bitreader.c.orig
-+++ src/libFLAC/bitreader.c
-@@ -864,7 +864,7 @@ incomplete_lsbs:
- cwords = br->consumed_words;
- words = br->words;
- ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
-- b = br->buffer[cwords] << br->consumed_bits;
-+ b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
- } while(cwords >= words && val < end);
- }
-
Index: patches/patch-src_libFLAC_cpu_c
===================================================================
RCS file: /cvs/ports/audio/flac/patches/patch-src_libFLAC_cpu_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_libFLAC_cpu_c
--- patches/patch-src_libFLAC_cpu_c 15 Aug 2019 18:22:34 -0000 1.3
+++ patches/patch-src_libFLAC_cpu_c 24 Feb 2022 17:38:27 -0000
@@ -1,43 +1,16 @@
$OpenBSD: patch-src_libFLAC_cpu_c,v 1.3 2019/08/15 18:22:34 cwen Exp $

-Remove getauxval(3) code for ppc because we don't implement this
+No support for reading PPC hwcaps on OpenBSD.

Index: src/libFLAC/cpu.c
--- src/libFLAC/cpu.c.orig
+++ src/libFLAC/cpu.c
-@@ -53,10 +53,6 @@
- #define dfprintf(file, format, ...)
-

No comments:

Post a Comment