authorAndreas Sturmlechner <asturm@gentoo.org>2018-09-18 23:23:22 +0200
committerAndreas Sturmlechner <asturm@gentoo.org>2018-09-18 23:24:08 +0200
commite2ec2c790cf28858ec8dd4da007ca7ca12ffeca1 (patch)
treee0c1c54c379e20092c1ba03141d4b98f8fa1d1f1
parentx11-wm/qtile: remove old (diff)
media-libs/libsndfile: Fix CVE-2018-13139
Bug: https://bugs.gentoo.org/660452 Package-Manager: Portage-2.3.49, Repoman-2.3.10
-rw-r--r--media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch31
-rw-r--r--media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild67
2 files changed, 98 insertions, 0 deletions
diff --git a/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch
new file mode 100644
index 000000000000..18e6ae76e62c
--- /dev/null
+++ b/media-libs/libsndfile/files/libsndfile-1.0.28-CVE-2018-13139.patch
@@ -0,0 +1,31 @@
+From df18323c622b54221ee7ace74b177cdcccc152d7 Mon Sep 17 00:00:00 2001
+From: "Brett T. Warden" <brett.t.warden@intel.com>
+Date: Tue, 28 Aug 2018 12:01:17 -0700
+Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave
+
+Allocated buffer has space for only 16 channels. Verify that input file
+meets this limit.
+
+Fixes #397
+---
+ programs/sndfile-deinterleave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c
+index 53660310..225b4d54 100644
+--- a/programs/sndfile-deinterleave.c
++++ b/programs/sndfile-deinterleave.c
+@@ -89,6 +89,13 @@ main (int argc, char **argv)
+ exit (1) ;
+ } ;
+
++ if (sfinfo.channels > MAX_CHANNELS)
++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n",
++ argv [1], sfinfo.channels, MAX_CHANNELS) ;
++ exit (1) ;
++ } ;
++
++
+ state.channels = sfinfo.channels ;
+ sfinfo.channels = 1 ;
+ \ No newline at end of file
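Review bot: The embedded hunk header `@@ -89,6 +89,13 @@` declares 6 old and 13 new lines, but the body stored here carries only 5 context lines and 7 additions, and the file ends without a trailing newline, so the final blank context line of the upstream patch appears to have been stripped. GNU patch usually tolerates missing trailing blank context, but a security fix is better stored exactly as upstream commit df18323c622b54221ee7ace74b177cdcccc152d7 produced it, so that it applies without fuzz or truncation handling on any patch implementation. The new guard `if (sfinfo.channels > MAX_CHANNELS)` tests only the upper bound. The rest of `main`, including the code that uses the 16-channel buffer, lies outside the hunk, so whether non-positive channel counts are rejected earlier cannot be confirmed from this page.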
diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild
new file mode 100644
index 000000000000..a6eb6e3a48c1
--- /dev/null
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r3.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} pypy{,3} )
+
+inherit python-any-r1 multilib-minimal
+
+MY_P=${P/_pre/pre}
+
+DESCRIPTION="C library for reading and writing files containing sampled sound"
+HOMEPAGE="http://www.mega-nerd.com/libsndfile"
+if [[ ${MY_P} == ${P} ]]; then
+ SRC_URI="http://www.mega-nerd.com/libsndfile/files/${P}.tar.gz"
+else
+ SRC_URI="http://www.mega-nerd.com/tmp/${MY_P}b.tar.gz"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="alsa minimal sqlite static-libs test"
+
+RDEPEND="
+ !minimal? (
+ >=media-libs/flac-1.2.1-r5[${MULTILIB_USEDEP}]
+ >=media-libs/libogg-1.3.0[${MULTILIB_USEDEP}]
+ >=media-libs/libvorbis-1.3.3-r1[${MULTILIB_USEDEP}]
+ )
+ alsa? ( media-libs/alsa-lib )
+ sqlite? ( >=dev-db/sqlite-3.2 )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )"
+
+S=${WORKDIR}/${MY_P}
+
+PATCHES=(
+ "${FILESDIR}"/${P}-arm-varargs-failure.patch
+ "${FILESDIR}"/${P}-CVE-2017-12562.patch
+ "${FILESDIR}"/${P}-CVE-2018-13139.patch
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --disable-octave \
+ --enable-gcc-pipe \
+ --enable-gcc-opt \
+ $(use_enable static-libs static) \
+ $(use_enable !minimal external-libs) \
+ $(multilib_native_enable full-suite) \
+ $(multilib_native_use_enable alsa) \
+ $(multilib_native_use_enable sqlite)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+
+ # package provides .pc files
+ find "${D}" -name '*.la' -delete || die
+}
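Review bot: `HOMEPAGE` and both `SRC_URI` branches point at `http://www.mega-nerd.com/...` in cleartext; in a revision whose purpose is a CVE fix it would be consistent to switch to `https://` if the upstream host serves it (not verifiable from this page), e.g. `SRC_URI="https://www.mega-nerd.com/libsndfile/files/${P}.tar.gz"`. Portage's Manifest digests still protect the tarball's integrity, so this is defence in depth rather than a defect; no Manifest change is part of this commit, which suggests the distfile is the same one the previous revision used. A short comment above the new `PATCHES` entry, such as `# bug 660452: reject inputs with more than MAX_CHANNELS in sndfile-deinterleave`, would make the reason for the revision bump visible in the ebuild itself.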