[Vorbis-dev] r19427 missing from tremor git repo
Peter Korsgaard
peter at korsgaard.com
Sat Mar 17 15:10:00 UTC 2018
Hi,

Given CVE-2018-5146, I wanted to update the tremor package we have in
Buildroot (an embedded Linux build system), and I noticed an
inconsistency between the tremor git and svn repos.

We are currently using r19427 from svn, but the fix for CVE-2018-5146
was only added to git, so I wanted to move to that. Comparing the two
repos I noticed that r19427 is missing from the git repo. r19427 is:

    r19427 | tterribe | 2015-01-07 14:10:59 +0100 (Wed, 07 Jan 2015) | 4 lines

    Port r19426 from libvorbis.

    Reject multiple headers of the same type.

And r19426 refers to:

    commit c761e218422b7f656635466fea013d9b4ba686f3
    Author: Tim Terriberry <tterribe at xiph.org>
    Date:   Wed Jan 7 03:16:56 2015 +0000

    Reject multiple headers of the same type.

    A common application pattern is to call vorbis_synthesis_headerin()
    and count how many times it succeeds.

    If you feed it multiple valid comment headers, they will all
    succeed, meaning you can be fooled into thinking you have a valid
    Vorbis file despite never seeing a setup header.

    This patch makes libvorbis reject multiple headers of the same type,
    preventing this from occurring.

    svn path=/trunk/vorbis/; revision=19426

Was this commit excluded from git by accident or on purpose? If by
accident, could it be included please? What repo will future changes be
added to? I would prefer to not carry local patches for CVE-2018-5416 or
r19427 if possible.

Thanks.

--
Bye, Peter Korsgaard
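The quoted commit message describes why counting successful vorbis_synthesis_headerin() calls is not a safe completeness check: a stream that repeats the comment header produces three successes without a setup header ever being seen. The following is an added illustration, not code from libvorbis, tremor or Buildroot. It models the three Vorbis header packets by their leading type byte (1 = identification, 3 = comment, 5 = setup) and the "vorbis" magic only, and compares a lenient state machine (any well-formed header in order is accepted, repeats included) with the strict one the commit describes (each type accepted at most once). The packet contents, the `header_state` type and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header packet types as used in the Vorbis I spec (first byte of packet). */
enum { HDR_IDENT = 1, HDR_COMMENT = 3, HDR_SETUP = 5 };

/* Constructed example state: which header types have been accepted so far. */
typedef struct { int have_ident, have_comment, have_setup; } header_state;

/* Constructed minimal header packets: type byte followed by "vorbis" magic.
 * Real packets carry more fields; only the type is needed for this model. */
static const uint8_t PKT_IDENT[7]   = {HDR_IDENT,   'v','o','r','b','i','s'};
static const uint8_t PKT_COMMENT[7] = {HDR_COMMENT, 'v','o','r','b','i','s'};
static const uint8_t PKT_SETUP[7]   = {HDR_SETUP,   'v','o','r','b','i','s'};

/* A correct header sequence and one that repeats the comment header. */
static const uint8_t *const GOOD_STREAM[3] = {PKT_IDENT, PKT_COMMENT, PKT_SETUP};
static const uint8_t *const BAD_STREAM[3]  = {PKT_IDENT, PKT_COMMENT, PKT_COMMENT};

/* Returns the header type, or -1 if the packet is not a well-formed header. */
static int header_type(const uint8_t *pkt, size_t len) {
    if (len < 7 || memcmp(pkt + 1, "vorbis", 6) != 0) return -1;
    return (pkt[0] == HDR_IDENT || pkt[0] == HDR_COMMENT || pkt[0] == HDR_SETUP)
           ? pkt[0] : -1;
}

/* Feed one header packet. strict == 0 models the pre-fix behaviour (ordered
 * headers accepted, duplicates included); strict == 1 models the fix from the
 * commit (each type accepted at most once). Returns 0 on success, -1 on
 * rejection, mirroring the success/failure the counting pattern relies on. */
int feed_header(header_state *st, int strict, const uint8_t *pkt, size_t len) {
    switch (header_type(pkt, len)) {
    case HDR_IDENT:
        if (strict && st->have_ident) return -1;
        st->have_ident = 1;
        return 0;
    case HDR_COMMENT:
        if (!st->have_ident) return -1;               /* must follow ident   */
        if (strict && st->have_comment) return -1;    /* no second comment   */
        st->have_comment = 1;
        return 0;
    case HDR_SETUP:
        if (!st->have_ident || !st->have_comment) return -1;
        if (strict && st->have_setup) return -1;
        st->have_setup = 1;
        return 0;
    default:
        return -1;
    }
}

/* The application pattern from the commit message: count successful calls. */
int accepted_count(int strict, const uint8_t *const *pkts, int n) {
    header_state st = {0, 0, 0};
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (feed_header(&st, strict, pkts[i], 7) == 0) ok++;
    return ok;
}

/* The check that actually matters: was a setup header ever accepted? */
int stream_has_setup(int strict, const uint8_t *const *pkts, int n) {
    header_state st = {0, 0, 0};
    for (int i = 0; i < n; i++)
        feed_header(&st, strict, pkts[i], 7);
    return st.have_setup;
}

int main(void) {
    printf("lenient, repeated comment: %d successes, setup seen: %d\n",
           accepted_count(0, BAD_STREAM, 3), stream_has_setup(0, BAD_STREAM, 3));
    printf("strict,  repeated comment: %d successes, setup seen: %d\n",
           accepted_count(1, BAD_STREAM, 3), stream_has_setup(1, BAD_STREAM, 3));
    printf("strict,  proper stream:    %d successes, setup seen: %d\n",
           accepted_count(1, GOOD_STREAM, 3), stream_has_setup(1, GOOD_STREAM, 3));
    return 0;
}
```

Under the lenient rules the repeated-comment stream reports three successes, so a caller that tests "count == 3" believes it has a complete header set even though no setup header was ever parsed; under the strict rules the third packet is rejected and the count stops at two. Independently of which library version is in use, a caller is better served by checking that the setup header was actually accepted than by counting successful calls.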