From be56a9327e204874d56d2fc1ef3215ae7f08b7d7 Mon Sep 17 00:00:00 2001 From: tm Date: Sat, 16 Oct 2021 18:09:24 +0000 Subject: Pullup ticket #6516 - requested by wiz multimedia/libmediainfo: security fix multimedia/mediainfo: security fix Revisions pulled up: - multimedia/libmediainfo/Makefile 1.8 - multimedia/mediainfo/Makefile 1.15 - multimedia/mediainfo/distinfo 1.17 - multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp 1.1 - multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Thu Oct 14 07:03:02 UTC 2021 Modified Files: pkgsrc/multimedia/libmediainfo: Makefile pkgsrc/multimedia/mediainfo: Makefile distinfo Added Files: pkgsrc/multimedia/mediainfo/patches: patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp Log Message: medainfo: fix two CVEs using upstream patches Bump PKGREVISION --- multimedia/libmediainfo/Makefile | 3 ++- multimedia/mediainfo/Makefile | 3 ++- multimedia/mediainfo/distinfo | 4 +++- ...-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp | 16 ++++++++++++++++ ...diaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp | 16 ++++++++++++++++ 5 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp create mode 100644 multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp diff --git a/multimedia/libmediainfo/Makefile b/multimedia/libmediainfo/Makefile index 93e22ce5c90..c0ef4df299b 100644 --- a/multimedia/libmediainfo/Makefile +++ b/multimedia/libmediainfo/Makefile @@ -1,5 +1,6 @@ -# $NetBSD: Makefile,v 1.7 2020/05/20 06:09:05 rillig Exp $ +# $NetBSD: Makefile,v 1.7.12.1 2021/10/16 18:09:24 tm Exp $ +PKGREVISION= 1 .include "../../multimedia/mediainfo/Makefile.common" PKGNAME= libmediainfo-${MIVER} 
diff --git a/multimedia/mediainfo/Makefile b/multimedia/mediainfo/Makefile index ad1c116cd51..5bfc0d0126f 100644 --- a/multimedia/mediainfo/Makefile +++ b/multimedia/mediainfo/Makefile @@ -1,5 +1,6 @@ -# $NetBSD: Makefile,v 1.14 2015/09/07 01:02:00 dsainty Exp $ +# $NetBSD: Makefile,v 1.14.50.1 2021/10/16 18:09:24 tm Exp $ +PKGREVISION= 1 .include "../../multimedia/mediainfo/Makefile.common" PKGNAME= mediainfo-${MIVER} diff --git a/multimedia/mediainfo/distinfo b/multimedia/mediainfo/distinfo index 5f88b3dc10f..a0dc0a4e6e9 100644 --- a/multimedia/mediainfo/distinfo +++ b/multimedia/mediainfo/distinfo @@ -1,7 +1,9 @@ -$NetBSD: distinfo,v 1.15 2020/08/03 09:51:28 wiz Exp $ +$NetBSD: distinfo,v 1.15.10.1 2021/10/16 18:09:24 tm Exp $ SHA1 (mediainfo_20.03_AllInclusive.7z) = e6cbdaa85b9c4b182cd1325506926637b0e158d8 RMD160 (mediainfo_20.03_AllInclusive.7z) = 976c635af03faa44d9a4cca2bc5c143efa44601d SHA512 (mediainfo_20.03_AllInclusive.7z) = 850f4ee5f8ceb3a91a4466ff73c9f2fb70a1a63f8bdd7ffd8dd40e83b619b71c59e9b8659a8636758c90a62d7024b4e617b17025c72f23a7bcd25a3823d2ee39 Size (mediainfo_20.03_AllInclusive.7z) = 3706487 bytes SHA1 (patch-MediaInfoLib_Source_MediaInfo_MediaInfo__Config.h) = 19d6cba816c9e282e31fac527cbc39b9303f9f08 +SHA1 (patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp) = 04f3533bf6a79a2dd8dcee80fd0f68e73303ccbb +SHA1 (patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp) = 800904386799b205a366f4f693ad9a7ff3d5856b diff --git a/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp b/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp new file mode 100644 index 00000000000..ff4481cc2db --- /dev/null +++ b/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp 
@@ -0,0 +1,16 @@
+$NetBSD: patch-MediaInfoLib_Source_MediaInfo_Multiple_File__Gxf.cpp,v 1.1.2.2 2021/10/16 18:09:25 tm Exp $
+
+Fix CVE-2020-26797
+https://github.com/MediaArea/MediaInfoLib/commit/7bab1c3a043784be2c90f2e54a0e5a8d7263eead
+
+--- MediaInfoLib/Source/MediaInfo/Multiple/File_Gxf.cpp.orig 2020-04-03 12:46:46.000000000 +0000
++++ MediaInfoLib/Source/MediaInfo/Multiple/File_Gxf.cpp
+@@ -1577,7 +1577,7 @@ File__Analyze* File_Gxf::ChooseParser_Ch
+ File_ChannelGrouping* Parser;
+ if (Audio_Count%2)
+ {
+- if (!Streams[TrackID-1].IsChannelGrouping)
++ if (!TrackID || !Streams[TrackID-1].IsChannelGrouping)
+ return NULL; //Not a channel grouping
+
+ Parser=new File_ChannelGrouping;
diff --git a/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp b/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp
new file mode 100644
index 00000000000..f042b8e5673
--- /dev/null
+++ b/multimedia/mediainfo/patches/patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp
@@ -0,0 +1,16 @@
+$NetBSD: patch-MediaInfoLib_Source_MediaInfo_Multiple_File__MpegPs.cpp,v 1.1.2.2 2021/10/16 18:09:25 tm Exp $
+
+Fix for CVE-2020-15395
+https://github.com/MediaArea/MediaInfoLib/commit/7b935cda2db88bfb63bda157bb93d69091c2c199
+
+--- MediaInfoLib/Source/MediaInfo/Multiple/File_MpegPs.cpp.orig 2020-04-03 12:46:46.000000000 +0000
++++ MediaInfoLib/Source/MediaInfo/Multiple/File_MpegPs.cpp
+@@ -405,7 +405,7 @@ void File_MpegPs::Streams_Fill_PerStream
+ Fill(Stream_Audio, StreamPos_Last, Audio_MuxingMode, "SL");
+ #endif //MEDIAINFO_MPEG4_YES
+
+- if (Counts[StreamKind_Last]+Count==Count_Get(StreamKind_Last)) //Old method
++ if (StreamKind_Last
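Review bot: The new guard in the File_Gxf.cpp patch (the function shown as `File_Gxf::ChooseParser_Ch…` in the inner hunk header) rejects only `TrackID == 0`; nothing in the visible lines shows that `TrackID-1` is also below the number of entries in `Streams`. If no earlier check bounds it (the function body starts and ends outside this hunk), a large track id, presumably read from the parsed file, could still index past the end. In that case the condition could read `if (!TrackID || TrackID>Streams.size() || !Streams[TrackID-1].IsChannelGrouping)`, assuming `Streams` is a sized container. Because pkgsrc carries this as a copy of the upstream commit, such a check belongs upstream first. The patch header comment could also say what is fixed rather than only naming the CVE, e.g. `Fix CVE-2020-26797: do not index Streams[TrackID-1] when TrackID is 0`.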