Bug 186716 - media-libs/libvorbis < 1.2.0 Multiple memory corruption flaws (CVE-2007-{3106|4029|4065|4066})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.isecpartners.com/advisorie...
Whiteboard: B2/3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-26 18:31 UTC by Gustavo Zacarias (RETIRED)
Modified: 2020-04-02 21:47 UTC (History)
Attachments
libvorbis-1.2.0-aotuv-b5.diff (libvorbis-1.2.0-aotuv-b5.diff,132.95 KB, patch)
2007-08-20 11:22 UTC, Robert Buchholz (RETIRED)
Description Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-26 18:31:37 UTC
libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite,
read violations and a function pointer overwrite. These bugs cause
at least a denial of service, and potentially code execution.

libvorbis-1.2.0 released upstream fixes this.
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 20:47:16 UTC
cc'ing sound@g.o
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-28 12:25:29 UTC
setting status. sound, please provide the updated ebuild.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-07-29 16:06:29 UTC
The corresponding CVEs are CVE-2007-4029 and CVE-2007-3106.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-08-06 00:28:44 UTC
Once this goes to stabling, it will probably supersede bug #155258 which is still open for mips.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-08-14 14:50:39 UTC
I've never touched vorbis sources or ebuild (yet), but it looks like the biggest problem with doing this bump is the lack of an aotuv[1] patch for vorbis 1.2.0, and I don't know how backportable it is (yet).

[1] http://www.geocities.jp/aoyoume/aotuv/
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-08-20 11:19:24 UTC
aoTuV's author points out [1]:
  I don't have the plan to merge beta5 and libvorbis 1.2.0.
  It will happen by the upcoming version of aoTuV. ;-) ...

The SUSE people however did exactly that, so we could
1) update the patchset from 4.51 to beta5 with the attached patch
2) remove aotuv
3) wait for a new upstream release (last one is >1 year)

[1] http://www.hydrogenaudio.org/forums/index.php?showtopic=56415&pid=508305
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-08-20 11:22:28 UTC
Created attachment 128664
libvorbis-1.2.0-aotuv-b5.diff

Porting the patch didn't change much against the b5-1.1.2, see [2] for a diff.

[2] http://lists.opensuse.org/opensuse-commit/2007-08/msg00213.html
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2007-08-20 14:10:00 UTC
rbu, Thanks, but still.. I don't know about others, but I'm waiting "official" aotuv for 1.2.0 before bumping.

Security, Fixing version is 1.1.2-r1, security fixes backported from 1.2.0 by Debian folks. It's in tree now, so archteams can test and stabilize it.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2007-08-20 14:16:41 UTC
(In reply to comment #8)
> rbu, Thanks, but still.. I don't know about others, but I'm waiting "official"
> aotuv for 1.2.0 before bumping.

Actually, I meant to say.. I don't have anything against bumping it with your suggestions.. but I just feel we shouldn't be jumping to stable with it. I believe it should stay in ~arch for while.. same deal with flac, and other media-libs.. They potentially break a lot of.. you know

Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-20 14:27:07 UTC
Thanks drac.
Arches, please test and mark stable media-libs/libvorbis-1.1.2-r1.
Target keywords are: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86 ~x86-fbsd"
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-08-20 16:21:48 UTC
(In reply to comment #9)
> Actually, I meant to say.. I don't have anything against bumping it with your
> suggestions.. but I just feel we shouldn't be jumping to stable with it. I
> believe it should stay in ~arch for while.. same deal with flac, and other
> media-libs.. They potentially break a lot of.. you know

I see your point. Would be nice to have the general bump though without having to wait for aotuv upstream.

Also, amd64 stable.
Comment 12 Markus Ullmann (RETIRED) gentoo-dev 2007-08-20 17:15:19 UTC
Songs still play and encode fine

Stable on x86
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-20 18:02:29 UTC
Stable for HPPA.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-21 13:52:50 UTC
sparc stable.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-22 15:29:48 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-08-24 14:52:29 UTC
alpha/ia64 stable
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:12:53 UTC
ppc64 stable
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 11:24:31 UTC
Ready for GLSA decision. I didn't see that code execution was possible, so it could be rated B2. Anyway, I vote YES.
Comment 19 Matt Drew (RETIRED) gentoo-dev 2007-09-04 23:57:20 UTC
If I'm correct in reading this, it would require a malformed ogg vorbis file, so this looks like a B2 to me - voting yes and submitting request.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 15:36:38 UTC
It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security update also mentions CVE-2007-4065 and CVE-2007-4066.

You can find the issues and relevant commits/patches at their bug: https://bugzilla.redhat.com/249780

sound, could you please verify whether our patch includes these fixes. If not, we should prepare a new fix or stable 1.2.0.
Comment 21 Samuli Suominen (RETIRED) gentoo-dev 2007-09-20 16:04:17 UTC
(In reply to comment #20)
> It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security
> update also mentions CVE-2007-4065 and CVE-2007-4066.
> 
> You can find the issues and relevant commits/patches at their bug:
> https://bugzilla.redhat.com/249780
> 
> sound, could you please verify whether our patch includes these fixes. If not,
> we should prepare a new fix or stable 1.2.0.
> 

It doesn't look like our patch includes a fix for these. I'd say mark 1.2.0 stable and be done with it; I've used it in ~x86 since it was released without issues, and it includes an ebuild cleanup too.

(for aotuv we have bug 157549 which we can add once aotuv upstream wakes again and releases a tarball for 1.2.0)
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 16:05:11 UTC
Sorry to cause double work here, so please test and stabilize media-libs/libvorbis-1.2.0.
Targets are "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-20 16:57:21 UTC
Stable for HPPA.
Comment 24 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-20 17:15:06 UTC
ppc stable
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-20 18:53:45 UTC
x86 stable
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 19:07:32 UTC
amd64 stable
Comment 27 Brent Baude (RETIRED) gentoo-dev 2007-09-20 20:42:59 UTC
ppc64 stable
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2007-09-22 16:47:30 UTC
alpha/ia64 stable, thanks Tobias
Comment 29 Raúl Porcel (RETIRED) gentoo-dev 2007-09-26 14:01:03 UTC
sparc stable
Comment 30 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 21:32:11 UTC
GLSA 200710-03, thanks anyone.