From patchwork Tue Aug 18 17:59:00 2020
X-Patchwork-Submitter: Pierre Langlois
X-Patchwork-Id: 23670
Subject: [bug#42890] [PATCH] gnu: taglib: Include patch to prevent OGG corruption.
From: Pierre Langlois
To: Pierre Langlois
Cc: 42890@debbugs.gnu.org, mail@brendan.scot
Date: Tue, 18 Aug 2020 18:59:00 +0100
Message-ID: <87pn7ndee3.fsf@gmx.com>
In-reply-to: <87blj82tt6.fsf@gmx.com>
References: <87r1s6oam4.fsf@gmx.com> <98bfcbfa-4142-2985-864f-c146ac8d1f92@brendan.scot> <87blj82tt6.fsf@gmx.com>
User-agent: mu4e 1.4.13; emacs 26.3
Pierre Langlois writes:

> Hi Brendan,
>
> Brendan Tildesley writes:
>
>> I should apologise. I also prepared this same patch to submit over a
>> year or two ago but ended up neglecting it. I also discovered these two
>> CVE patches (attached) from another distribution that I was going to
>> add. Perhaps the best solution is to switch to git-reference and choose
>> a more recent commit that includes all these fixes. Your patch is in
>> master at
>> https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4
>> and the two I attached are also in master.
>
> No worries! Yeah I think it's good to just use a git-reference in this
> case, I'll try that and submit another patch, thanks for the suggestion!

I wasn't so sure which recent commit to use, but then I saw there was a
1.12-beta-1 pre-release from September 2019 so I thought we'd use that.
Looking at some discussions upstream [0], it might still be a while until
we get a proper release though :-/

0: https://github.com/taglib/taglib/issues/864#issuecomment-631874581

From 97a5d71bd50c72d2d7562a7d22baca04f4987657 Mon Sep 17 00:00:00 2001
From: Pierre Langlois
Date: Tue, 18 Aug 2020 18:38:01 +0100
Subject: [PATCH] gnu: taglib: Update to 1.12-beta-1.

This switches to a yet unreleased version of taglib, to make sure
long-standing issues and CVEs are covered until a proper release is made
upstream. Among these, we have:

- CVE-2017-12678
- CVE-2018-11439
- https://github.com/taglib/taglib/issues/864

* gnu/packages/mp3.scm (taglib): Update to 1.12-beta-1.
[source]: Switch to using git-fetch.
---
 gnu/packages/mp3.scm | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 92e3d5d5f8..7ee009df74 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -4,7 +4,7 @@ ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Efraim Flashner ;;; Copyright © 2017 Thomas Danckaert -;;; Copyright © 2017, 2019 Pierre Langlois +;;; Copyright © 2017, 2019, 2020 Pierre Langlois ;;; Copyright © 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright © 2019 Ricardo Wurmus ;;; Copyright © 2020 Michael Rohleder @@ -50,6 +50,7 @@ #:use-module (gnu packages video) ;ffmpeg #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix git-download) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (guix build-system python) @@ -160,14 +161,16 @@ a highly stable and efficient implementation.") (define-public taglib (package (name "taglib") - (version "1.11.1") + (version "1.12-beta-1") (source (origin - (method url-fetch) - (uri (string-append "http://taglib.github.io/releases/taglib-" - version ".tar.gz")) + (method git-fetch) + (uri (git-reference + (url "https://github.com/taglib/taglib") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) (sha256 (base32 - "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn")))) + "1mp6w2ikniw8w6d5wr0h20j0ijg8jw7s9dli5a8k9znpznvxpym4")))) (build-system cmake-build-system) (arguments '(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on. -- 2.28.0
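Review bot: in the third hunk, `(commit (string-append "v" version))` resolves the checkout through the mutable tag `v1.12-beta-1` rather than a fixed commit id; the new `sha256` line below it pins the checkout contents, so a moved or re-pushed tag would fail the build with a hash mismatch rather than silently changing the source, but pinning the full commit hash in `(commit ...)` (keeping `version` as `"1.12-beta-1"` for the package name) makes the reference self-describing and removes the dependence on the tag staying put. Two smaller points on the same hunk: the commit message lists CVE-2017-12678, CVE-2018-11439 and issue 864 as covered, yet nothing in the diff itself shows those fixes (no patch files are added or removed), so a reviewer has to confirm independently that the referenced tag contains them before trusting the message's security claim; and the unchanged context `'(#:tests? #f ; Tests are not ran with BUILD_SHARED_LIBS on.` means the move to a git checkout still builds without running upstream's test suite, which is worth re-checking now that a different source tree is being built.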