From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH v3.2] main/wavpack: security upgrade to 5.1.0 - fixes #6821 Date: Mon, 6 Feb 2017 14:33:11 +0000 Message-Id: <1486391591-15531-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.4.11 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-10169: global buffer overread in read_code / read_words.c CVE-2016-10170: Heap out of bounds read in WriteCaffHeader / caff.c CVE-2016-10171: heap out of bounds read in unreorder_channels / wvunpack.c CVE-2016-10172: Heap out of bounds read in read_new_config_info / open_utils.c --- A comment from upstream says: The current release [5.1.0] has been extensively tested by AFL and is probably the most robust WavPack release to date. It is also 100% functionally compatible with 4.80 (no broken apps). https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#commitcomment-20691383 http://www.wavpack.com/changelog.txt main/wavpack/APKBUILD | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/main/wavpack/APKBUILD b/main/wavpack/APKBUILD index 86aa3e6..ff92c64 100644 --- a/main/wavpack/APKBUILD +++ b/main/wavpack/APKBUILD @@ -1,8 +1,9 @@ +# Contributor: Sergei Lukin # Contributor: Carlo Landmeter # Maintainer: Natanael Copa pkgname=wavpack -pkgver=4.70.0 -pkgrel=3 +pkgver=5.1.0 +pkgrel=0 pkgdesc="Audio compression format with lossless, lossy, and hybrid compression modes" url="http://www.wavpack.com/" arch="all" 
@@ -11,13 +12,18 @@ depends="" makedepends="autoconf automake libtool" install= subpackages="$pkgname-dev $pkgname-doc" -source="http://www.wavpack.com/${pkgname}-${pkgver}.tar.bz2 - iconv-underlinking.patch" +source="http://www.wavpack.com/${pkgname}-${pkgver}.tar.bz2" + +# secfixes: +# 5.1.0-r0: +# - CVE-2016-10169 +# - CVE-2016-10170 +# - CVE-2016-10171 +# - CVE-2016-10172 _builddir="$srcdir"/$pkgname-$pkgver prepare() { cd "$_builddir" - update_config_sub || return 1 for i in $source; do case $i in *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; @@ -53,9 +59,6 @@ package() { rm "$pkgdir"/usr/lib/*.la } -md5sums="4c0186ef0dc8367ce5cd7cc0f398b714 wavpack-4.70.0.tar.bz2 -262979a78da1ff825243352c7bfb691e iconv-underlinking.patch" -sha256sums="2cade379b0aba99fbc4e442ccc6dac6c609f6212e46516a083e24c8c364430a4 wavpack-4.70.0.tar.bz2 -e6245c0ee10fa6600dbe7947fb1cb5cf8fad7b3b0409d026ead0c1faf6ac11e0 iconv-underlinking.patch" -sha512sums="6a93e36b3bea5b410142416b4b0329c5f65031418cdd303d395ca2aaad2a1ab02987b9a329dec6d14fe9387a3d5978caaf6345056eece24c5ad0ae9273349449 wavpack-4.70.0.tar.bz2 -d0af2b03753ecfec1a9e36460dd85970c4cae0b6dec36ac7e6a7a9a06aaa22e19467224104f3c6b14efdd59a4df28f2c6e6177866ce2b7feed1b7c4b7bb5f33c iconv-underlinking.patch" +md5sums="7f06272651f0c2292c1d0ba353386782 wavpack-5.1.0.tar.bz2" +sha256sums="1939627d5358d1da62bc6158d63f7ed12905552f3a799c799ee90296a7612944 wavpack-5.1.0.tar.bz2" +sha512sums="4c31616ae63c3a875afa20f26ce935f7a8f9921e2892b4b8388eca3ccd83b2d686f43eed8b9ec1dead934a1148401b9dced3b05f509b7942c48d7af31cf80a54 wavpack-5.1.0.tar.bz2" -- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
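Review bot: the commit message does not say why the `@@ -11,13 +12,18 @@` hunk drops `iconv-underlinking.patch` from `source=` and `update_config_sub || return 1` from `prepare()`. For a security upgrade, that matters to anyone auditing or backporting it, so please state whether 5.1.0 makes the patch unnecessary and why the config.sub refresh is no longer needed. With no `*.patch` entry left in `source=`, the `for i in $source` loop in `prepare()` no longer matches anything and can go in the same change. The new `# secfixes:` entry `5.1.0-r0` matches the `pkgver`/`pkgrel` set in the first hunk, which is right.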
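Review bot: in the `@@ -53,9 +59,6 @@` hunk, the new `md5sums=` line adds no assurance beyond the `sha512sums=` line, because MD5 is not collision-resistant. Consider carrying only the SHA-512 digest if the build tooling on this branch allows it. `source=` still fetches the tarball over plain `http://www.wavpack.com/`, so these digests are the only thing tying the build to the upstream release. Please confirm the sha512 was checked against a copy obtained over a separate channel (for example the GitHub release the message links to) and not only computed from the same HTTP download.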