#
# spec file for package libvorbis
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           libvorbis
Version:        1.3.6
Release:        3.4
Summary:        The Vorbis General Audio Compression Codec
License:        BSD-3-Clause
Group:          System/Libraries
Url:            http://www.vorbis.com/
Source:         http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz
Source1:        baselibs.conf
Patch1:         libvorbis-lib64.dif
Patch2:         libvorbis-m4.dif
Patch12:        vorbis-ocloexec.patch
Patch101:       vorbis-CVE-2017-14160.patch
Patch102:       vorbis-CVE-2018-10393.patch
Patch103:       vorbis-CVE-2018-10392.patch
BuildRequires:  libogg-devel
BuildRequires:  libtool
BuildRequires:  pkgconfig
BuildRequires:  xz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# bug437293 (SLES10 -> SLES11 upgrade path)
%ifarch ppc64
Obsoletes:      libvorbis-64bit
%endif

%description
Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
general-purpose compressed audio format for audio and music at fixed
and variable bit rates from 16 to 128 kbps/channel.

The native bitstream format of Vorbis is libogg (Ogg). Alternatively,
libmatroska (matroska) can also be used.
%package -n libvorbis0
Summary:        The Vorbis General Audio Compression Codec
#
# libvorbis was last used in openSUSE 11.3
Group:          System/Libraries
Provides:       %{name} = 1.3.2
Obsoletes:      %{name} < 1.3.2
# bug437293 (SLES10 -> SLES11 upgrade path)
%ifarch ppc64
Obsoletes:      libvorbis-64bit
%endif

%description -n libvorbis0
Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
general-purpose compressed audio format for audio and music at fixed
and variable bit rates from 16 to 128 kbps/channel.

The native bitstream format of Vorbis is libogg (Ogg). Alternatively,
libmatroska (matroska) can also be used.

%package -n libvorbisenc2
Summary:        The Vorbis General Audio Compression Codec
Group:          System/Libraries

%description -n libvorbisenc2
Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
general-purpose compressed audio format for audio and music at fixed
and variable bit rates from 16 to 128 kbps/channel.

The native bitstream format of Vorbis is libogg (Ogg). Alternatively,
libmatroska (matroska) can also be used.

%package -n libvorbisfile3
Summary:        The Vorbis General Audio Compression Codec
Group:          System/Libraries

%description -n libvorbisfile3
Vorbis is a fully open, nonproprietary, patent-and-royalty-free, and
general-purpose compressed audio format for audio and music at fixed
and variable bit rates from 16 to 128 kbps/channel.

The native bitstream format of Vorbis is libogg (Ogg). Alternatively,
libmatroska (matroska) can also be used.
%package devel
Summary:        Include Files and Libraries mandatory for Ogg Vorbis Development
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
Requires:       libogg-devel
Requires:       libvorbis0 = %{version}
Requires:       libvorbisenc2 = %{version}
Requires:       libvorbisfile3 = %{version}
# bug437293 (SLES10 -> SLES11 upgrade path)
%ifarch ppc64
Obsoletes:      libvorbis-devel-64bit
%endif
#

%description devel
This package contains all necessary include files and libraries needed
to compile and develop applications that use libvorbis.

%prep
%setup -q
%patch2
# %%patch5 -p1
if [ "%{_lib}" == "lib64" ]; then
%patch1
fi
%patch12
%patch101 -p1
%patch102 -p1
%patch103 -p1

%build
# Fix optimization level
sed -i s,-O20,-O3,g configure.ac

autoreconf -fiv
%configure \
    --disable-examples \
    --disable-static
make %{?_smp_mflags}

%install
make DESTDIR=%{buildroot} install
# docs are built in a separate spec file
rm -rf %{buildroot}%{_datadir}/doc/*
# remove unneeded files
find %{buildroot} -type f -name "*.la" -delete -print

%check
make %{?_smp_mflags} check

%post -n libvorbis0 -p /sbin/ldconfig
%postun -n libvorbis0 -p /sbin/ldconfig
%post -n libvorbisenc2 -p /sbin/ldconfig
%postun -n libvorbisenc2 -p /sbin/ldconfig
%post -n libvorbisfile3 -p /sbin/ldconfig
%postun -n libvorbisfile3 -p /sbin/ldconfig

%files -n libvorbis0
%defattr(0644,root,root,0755)
%{_libdir}/libvorbis.so.0*

%files -n libvorbisenc2
%defattr(0644,root,root,0755)
%{_libdir}/libvorbisenc.so.2*

%files -n libvorbisfile3
%defattr(0644,root,root,0755)
%{_libdir}/libvorbisfile.so.3*

%files devel
%defattr(-,root,root)
%doc AUTHORS
%license COPYING
%{_datadir}/aclocal/*.m4
%{_includedir}/vorbis
%{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc

%changelog
* Tue Jun 5 2018 tiwai@suse.de
- Replace vorbis-CVE-2017-14160.patch with the upstream fix
  (commit 018ca26dece6), refresh vorbis-CVE-2018-10393.patch
- Fix the validation of channels in mapping0_forward()
  (CVE-2018-10392, bsc#1091070):
  vorbis-CVE-2018-10392.patch
* Thu May 3 2018 tiwai@suse.de
- Fix out-of-bounds access inside bark_noise_hybridmp function
  (CVE-2017-14160, bsc#1059812):
  downstream fix: vorbis-CVE-2017-14160.patch
- Fix stack-based buffer over-read in bark_noise_hybridm
  (CVE-2018-10393, bsc#1091072):
  downstream fix: vorbis-CVE-2018-10393.patch
* Sat Mar 17 2018 tiwai@suse.de
- Split libvorbis-doc subpackage to a separate spec file for
  reducing the dependencies
* Fri Mar 16 2018 tiwai@suse.de
- Update to version 1.3.6:
  * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
  * Fix CVE-2017-14632 - free() on uninitialized data
  * Fix CVE-2017-14633 - out-of-bounds read
  * Fix bitrate metadata parsing.
  * Fix out-of-bounds read in codebook parsing.
  * Fix residue vector size in Vorbis I spec.
  * Appveyor support
  * Travis CI support
  * Add secondary CMake build system.
  * Build system fixes
- Build documents with doxygen, and many tex stuff;
  this requires to disable parallel builds partially
- Move COPYING to license directory
- Drop obsoleted patches:
  vorbis-fix-linking.patch
  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
  libvorbis-CVE-2018-5146.patch
* Fri Mar 16 2018 tiwai@suse.de
- Fix VUL-0: libvorbis: Out of bounds memory write while processing
  Vorbis audio data (CVE-2018-5146, bsc#1085687):
  libvorbis-CVE-2018-5146.patch
* Tue Dec 19 2017 tiwai@suse.de
- Fix VUL-0: out-of-bounds array read vulnerability exists in
  function mapping0_forward() (CVE-2017-14633, bsc#1059811):
  0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch
- Fix VUL-0: Remote Code Execution upon freeing uninitialized
  memory in function vorbis_analysis_headerout
  (CVE-2017-14632, bsc#1059809):
  0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch
* Tue Nov 29 2016 aloisio@gmx.com
- Added 32bit libvorbis-devel in baselibs.conf
* Fri Mar 6 2015 mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Update to 1.3.5
  * Tolerate single-entry codebooks.
  * Fix decoder crash with invalid input.
  * Fix encoder crash with non-positive sample rates.
  * Fix issues in vorbisfile's seek bisection code.
  * Spec errata.
  * Reject multiple headers of the same type.
  * Various build fixes and code cleanup.
* Mon Aug 18 2014 fcrozat@suse.com
- Fix obsoletes and provides in baselibs.conf.
* Sun Feb 23 2014 andreas.stieger@gmx.de
- Xiph libvorbis 1.3.4
  * reduced static data size in libvorbisenc
  * associated minor changes required to libvorbis and libvorbisfile
  * minor build fixes and build system updates
  * no functional changes over the previous 1.3.3 release
- removed libvorbis-pkgconfig.patch, in upstream
- updated vorbis-fix-linking.patch for context changes
* Tue Apr 16 2013 mmeister@suse.com
- Added url as source.
  Please see http://en.opensuse.org/SourceUrls
* Sat Mar 2 2013 seife+obs@b1-systems.com
- fix build with automake-1.13.1
* Wed Jun 20 2012 ftake@geeko.jp
- updated to 1.3.3
  * vorbis: additional proofing against invalid/malicious streams
    in decode (see SVN for details).
  * vorbis: fix a memory leak in vorbis_commentheader_out().
  * updates, corrections and clarifications in the Vorbis I
    specification document
  * build warning fixes
* Tue Feb 21 2012 tiwai@suse.de
- VUL-0: CVE-2012-0444: libvorbis: heap-based buffer overflow
  (bnc#747912)
* Sun Dec 25 2011 idonmez@suse.com
- -O20 optimization level doesn't exist, use -O3
* Fri Nov 25 2011 crrodriguez@opensuse.org
- open files with O_CLOEXEC, in order to avoid fd leaks
  when calling applications fork() ..execve()...
  This patch does not cover the executable tools since it
  is not critical for them.
* Tue Nov 22 2011 coolo@suse.com
- add libtool as buildrequire to avoid implicit dependency
* Mon Aug 29 2011 crrodriguez@opensuse.org
- Fix build with no-add-needed
* Thu May 5 2011 dmueller@suse.de
- fix provides/obsoletes in baselibs
* Fri Dec 10 2010 davejplater@gmail.com
- Split libvorbisenc2 and libvorbisfile3 from libvorbis0
- Removed services.
* Wed Dec 8 2010 coolo@novell.com
- fix the package split
* Wed Dec 8 2010 reddwarf@opensuse.org
- updated to version 1.3.2
  * vorbis: additional proofing against invalid/malicious streams in
    floor, residue, and bos/eos packet trimming code (see SVN for
    details).
  * vorbis: Added programming documentation tree for the low-level
    calls
  * vorbisfile: Correct handling of serial numbers array element [0]
    on non-seekable streams
  * vorbisenc: Back out an [old] AoTuV HF weighting that was first
    enabled in 1.3.0; there are a few samples where I really don't
    like the effect it causes.
  * vorbis: return correct timestamp for granule positions with high
    bit set.
  * vorbisfile: the [undocumented] half-rate decode api made no
    attempt to keep the pcm offset tracking consistent in seeks. Fix
    and add a testing mode to seeking_example.c to torture test
    seeking in halfrate mode. Also remove requirement that halfrate
    mode only work with seekable files.
  * vorbisfile: Fix a chaining bug in raw_seeks where seeking out of
    the current link would fail due to not reinitializing the decode
    machinery.
  * vorbisfile: improve seeking strategy. Reduces the necessary
    number of seek callbacks in an open or seek operation by well
    over 2/3.
- updated to version 1.3.1
  * tweak + minor arithmetic fix in floor1 fit
  * revert noise norm to conservative 1.2.3 behavior pending more
    listening testing
- updated to version 1.3.0
  * Optimized surround support for 5.1 encoding at 44.1/48kHz
  * Added encoder control call to disable channel coupling
  * Correct an overflow bug in very low-bitrate encoding on 32 bit
    machines that caused inflated bitrates
  * Numerous API hardening, leak and build fixes
  * Correct bug in 22kHz compand setup that could cause a crash
  * Correct bug in 16kHz codebooks that could cause unstable pure
    tones at high bitrates
- run spec-cleaner
- removed libvorbis-automake-fix.diff, libvorbis-doc-fixes.diff,
  libvorbis-r16326-CVE-2009-3379.diff and
  libvorbis-r16597-CVE-2009-3379.diff (upstream fixed)
- follow library packaging policy
- run make check
* Wed May 26 2010 tiwai@suse.de
- VUL-0: libvorbis: memory corruption while parsing ogg files
  (bnc#608192, CVE-2009-3379)
* Wed Dec 16 2009 jengelh@medozas.de
- add baselibs.conf as a source
- enable parallel building
- package documentation as noarch
* Wed Nov 11 2009 tiwai@suse.de
- updated to version 1.2.3:
  * correct a vorbisfile bug that prevented proper playback of
    Vorbis files where all audio in a logical stream is in a
    single page
  * Additional decode setup hardening against malicious streams
  * Add 'OV_EXCLUDE_STATIC_CALLBACKS' define for developers who
    wish to avoid unused symbol warnings from the static callbacks
    defined in vorbisfile.h
- updated to version 1.2.2:
  * define VENDOR and ENCODER strings
  * seek correctly in files bigger than 2 GB (Windows)
  * fix regression from CVE-2008-1420; 1.0b1 files work again
  * mark all tables as constant to reduce memory occupation
  * additional decoder hardening against malicious streams
  * substantially reduce amount of seeking performed by Vorbisfile
  * Multichannel decode bugfix
  * build system updates
  * minor specification clarifications/fixes
- dropped aotuv patch temporarily
* Thu Jul 23 2009 tiwai@suse.de
- updated to aoTuV patch version beta5.7:
  * including security fixes
  * improved encoding speed of low bitrate mode
  * reduced distortion by clipping at low sampling frequency
  * fixed noise control part of impulse block
  * tuning of each part was redone
  * expanded noise control of the impulse block
  * fixed pre-echo reduction code
  * noise normalization reviewed
  * detailed tuning done again
* Mon Jun 22 2009 coolo@novell.com
- fix build with automake 1.11
* Wed Jan 7 2009 olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
* Thu Nov 20 2008 pth@suse.de
- Fix the test in libvorbis-m4.dif and adapt libvorbis-lib64.dif.
* Wed May 14 2008 tiwai@suse.de
- VUL-0: Multiple vulnerabilities in libogg and libvorbis
  (bnc#372246)
  * CVE-2008-1419 vorbis: zero-dim codebooks can cause crash,
    infinite loop or heap overflow
  * CVE-2008-1420 vorbis: integer overflow in partvals computation
  * CVE-2008-1423 vorbis: integer overflow caused by huge codebooks
* Mon Apr 28 2008 tiwai@suse.de
- fixed dependency in *.pc files (bnc#384153)
- removed old run_ldconfig
* Thu Apr 10 2008 ro@suse.de
- added baselibs.conf file to build xxbit packages
  for multilib support
* Thu Aug 2 2007 tiwai@suse.de
- updated to version 1.2.0:
  * new ov_fopen() convenience call that avoids the common
    stdio conflicts with ov_open() and MSVC runtimes.
  * libvorbisfile now handles multiplexed streams
  * improve robustness to corrupt input streams
  * fix a minor encoder bug
  * updated RTP draft
  * build system updates
  * minor corrections to the specification
* Fri Jul 27 2007 tiwai@suse.de
- fix the documentation link (#293784)
- split documentation to doc subpackage
- remove -fno-strict-aliasing gcc option
* Mon Jul 9 2007 tiwai@suse.de
- fix array boundary conditional flaw in mapping
  (#287124, CVE-2007-3106)
* Mon Apr 23 2007 tiwai@suse.de
- use aoTuV beta5 patch:
  * The action of noise normalization has been improved.
  * The threshold of a stereo mode change was calculated
    dynamically.
  * Noise control of an impulse block was changed
    (quality 0-10 / 32-48kHz). And pre-echo decreased slightly.
  * Tuning of each part was redone according to above-mentioned
    changed part and additional part.
* Mon Apr 16 2007 tiwai@suse.de
- follow library packaging policy
  * move docs to devel package
  * remove static library
- remove obsolete m4 files
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Wed Jan 11 2006 tiwai@suse.de
- compile with -fstack-protector.
* Fri Dec 2 2005 tiwai@suse.de
- updated to version 1.1.2.
* Tue Oct 18 2005 tiwai@suse.de
- updated to version 1.1.1.
* Sun Sep 4 2005 aj@suse.de
- Build with -fno-strict-aliasing (#115135).
* Thu Jul 7 2005 tiwai@suse.de
- remove -fsigned-char (#93878).
- fixed Requires of devel subpackage.
* Mon Jun 20 2005 tiwai@suse.de
- updated to aoTuV beta4.
* Wed Jan 19 2005 tiwai@suse.de
- fixed compile warnings with gcc-4.0.
* Wed Nov 24 2004 tiwai@suse.de
- updated to libvorbis version 1.1.0.
- updated to aoTuV beta3.
* Thu Aug 5 2004 tiwai@suse.de
- applied aoTuV patch to improve the encoding quality.
* Fri Apr 16 2004 tiwai@suse.de
- fixed the type-punning.
- disabled the removal of $RPM_BUILD_ROOT in %%install.
* Wed Jan 21 2004 tiwai@suse.de
- fixed quoting in m4 files.
* Fri Jan 9 2004 adrian@suse.de
- add %%run_ldconfig to %%postun
* Fri Jan 9 2004 tiwai@suse.de
- updated to version 1.0.1. removed obsolete patches.
- added pkgconfig to neededforbuild.
* Sat Mar 1 2003 adrian@suse.de
- let libvorbis-devel require libogg-devel
* Fri Jan 17 2003 tiwai@suse.de
- fixed m4 macro (bug #21267).
* Thu Jan 9 2003 kukuk@suse.de
- Add *.la files to -devel filelist
* Wed Dec 4 2002 tiwai@suse.de
- fixed the undefined weak links.
- renamed m4.dif and lib64.dif with libvorbis- prefix to avoid
  filename conflictions.
* Thu Sep 19 2002 tiwai@suse.de
- don't add -I/usr/include to VORBIS_VFLAGS.
- fix test for prefix.
- move devel documents under %%{_docdir}/libvorbis-devel.
* Mon Aug 12 2002 tiwai@suse.de
- added Requires %%{name} = %%{version} to devel package.
* Tue Jul 23 2002 tiwai@suse.de
- fixed m4 file for lib64.
- provides the backward compatible m4 file.
* Mon Jul 22 2002 tiwai@suse.de
- updated to version 1.0.
- clean up the spec file.
- added %%run_ldconfig.
* Wed Jun 12 2002 meissner@suse.de
- rm acinclude.m4 so we don't have the problematic ogg.m4
  (which contains /lib hardcoded).
* Thu Apr 18 2002 kukuk@suse.de
- Remove additional optimization, default is better
- Add --libdir to configure to build on x86_64
* Thu Feb 7 2002 tiwai@suse.de
- fixed build on s390x.
* Fri Jan 4 2002 tiwai@suse.de
- updated to RC3. sync with cvs 2002.01.04.
* Tue Dec 4 2001 tiwai@suse.de
- sync with cvs 2001.12.04.
* Wed Oct 24 2001 tiwai@suse.de
- sync with cvs 20011024.
  + fixed/updated documents
  + tuned up parameters
  + bugfixes on 64bit arch.
- removed Requires to libogg.
* Sat Oct 20 2001 schwab@suse.de
- Fix use of qsort.
* Mon Aug 13 2001 tiwai@suse.de
- updated to 1.0rc2 from cvs 20010813.
* Thu Jun 7 2001 tiwai@suse.de
- fixed build with the recent libtool.
* Tue Apr 3 2001 bk@suse.de
- make use of RPM_OPT_FLAGS
- include the include/vorbis dir into the file list(+rpm-macroized)
* Mon Mar 12 2001 tiwai@suse.de
- corrected copyright in spec file.
* Mon Feb 26 2001 tiwai@suse.de
- Updated to 1.0beta4.
* Wed Jan 31 2001 tiwai@suse.de
- Initial version: 1.0beta3.