--- mp3splt-2.6.2+20170630.orig/debian/changelog
+++ mp3splt-2.6.2+20170630/debian/changelog
@@ -0,0 +1,137 @@
+mp3splt (2.6.2+20170630-2) unstable; urgency=medium
+
+ * Properly zero the ogg and vorbis state structures after they are malloc'd.
+ This fixes the second issue that was indicated in CVE-2017-11333, which
+ isn't actually the fault of libvorbis. It's caused by the libmp3splt ogg
+ plugin unwinding when the error in the test file is detected, and calling
+ vorbis_block_clear() on an uninitialised vorbis_block struct before the
+ call to vorbis_block_init() occurs. Similar things would go badly for the
+ other uninitialised structs if this one didn't explode first.
+
+ -- Ron Lee Wed, 27 Sep 2017 03:21:24 +0930
+
+mp3splt (2.6.2+20170630-1) unstable; urgency=medium
+
+ * Adopt this package now. I was prepared to do that with the 2.2.8 bugfixes
+ but ended up keeping them as a locally packaged version when there was one
+ more maintainer upload, three years after 2.2.5. But it's only been NMU'd
+ since then and was 'officially' orphaned in February, and nobody else had
+ picked it up or saved the mp3splt package from being removed for Stretch,
+ or the mp3splt-gtk package from being removed from unstable too. So let's
+ resurrect them based on the work I did with cleaning this up previously.
+ Closes: #856294, #856296, #777433
+
+ * Build with gtk3 and gstreamer 1.0 now. Include the FLAC plugin and PCRE
+ support. Enable gnome support.
+
+ * Fix some of the issues that stronger hardening options and the stricter
+ checking of new toolchain releases shook out.
+
+ -- Ron Lee Fri, 30 Jun 2017 20:07:09 +0930
+
+mp3splt (2.2.8-1) unstable; urgency=low
+
+ * Prepare a new upstream release, primarily to fix #585614 in mp3splt-gtk,
+ and #536027 in mp3splt.
+ * Ok, scratch that thought. Entirely repackage the whole lot instead.
+ It's all in one source file now. The lib doesn't look like it keeps a
+ stable API or does soname management, but fortunately nothing except the
+ two apps from the same upstream actually need it. So make it internal
+ with no -dev exported, and build the whole lot in a single pass without
+ needing crazy hacks to look in local source dirs for a separate package.
+ * Profit.
+
+ -- Ron Lee Sun, 13 Jun 2010 01:28:03 +0930
+
+mp3splt (2.2.6a-1) UNRELEASED; urgency=low
+
+ * move debian/rules to the libmp3splt-dev package
+ * regenerate debian/control against libmp3splt 0.5.7a-1, to get the
+ bumped build dep
+ * change build dependency on debhelper to 7.0.50 instead of 7.2
+ * standards version 3.8.3
+ * remove dep on libmp3splt-plugin, moved to libmp3splt0
+ * suggest mp3splt-gtk
+ * New Upstream Version
+ - fix -o option fails without any '@' variable (Closes: #536027)
+
+ -- Ryan Niebur Thu, 30 Jul 2009 19:42:50 -0700
+
+mp3splt (2.2.5-1) unstable; urgency=low
+
+ * New Upstream Version
+ * add DM-Upload-Allowed field
+ * remove quilt patching, patches are applied upstream
+ * pass --disable-mp3splttest, those tests look for ../libmp3splt
+ * pass --enable-oggsplt_symlink, previous versions of the package had
+ the oggsplt binary, but my last one didn't...oops
+ * add dependency on libmp3splt-mp3 | libmp3splt-plugin, since the
+ dependency was removed from the libmp3splt0 package due to a
+ circular dependency
+
+ -- Ryan Niebur Thu, 21 May 2009 18:50:38 -0700
+
+mp3splt (2.2.3-1) unstable; urgency=low
+
+ * Adopt package (Closes: #488931)
+ * New upstream release (Closes: #459510, #403463, #316046)
+ * Document default min= value (Closes: #316050)
+ * Redo packaging from scratch
+
+ -- Ryan Niebur Sun, 29 Mar 2009 02:12:55 -0700
+
+mp3splt (2.1c-5) unstable; urgency=low
+
+ * Orphan this package
+ * Bump Standards-Version up to 3.8.0 (no changes)
+
+ -- Francois Marier Mon, 15 Sep 2008 13:13:02 +1200
+
+mp3splt (2.1c-4) unstable; urgency=low
+
+ * Fix hyphens in manpage
+ * Bump debhelper compatibility to 6
+
+ -- Francois Marier Tue, 03 Jun 2008 14:55:19 +1200
+
+mp3splt (2.1c-3) unstable; urgency=low
+
+ * Build-depend on automake1.7 to fix powerpc build problems
+
+ -- Francois Marier Fri, 04 Jan 2008 01:17:28 -0500
+
+mp3splt (2.1c-2) unstable; urgency=low
+
+ * Add support for audacity labels (closes: #456771)
+ Thanks to Federico Grau for the patch!
+ * debian/copyright: it's actually released under the LGPL 2, not 2.1
+
+ -- Francois Marier Sun, 23 Dec 2007 20:18:56 -0500
+
+mp3splt (2.1c-1) unstable; urgency=low
+
+ * New upstream release
+ * Setting myself as maintainer (closes: #457132)
+ * Bump Standards-Version up to 3.7.3
+ * Bump debhelper version to 5
+ * Add homepage and Vcs-* fields in debian/control
+ * Rewrite debian/copyright page
+ * Add a watch file
+ * Removed AUTHORS from debian/docs
+ * Check for the existence of the Makefile before calling it (lintian warning)
+
+ -- Francois Marier Sun, 23 Dec 2007 11:11:17 -0500
+
+mp3splt (2.1-1.1) unstable; urgency=low
+
+ * NMU with the permission of the maintainer.
+ * Fix build failure. Closes: #300270.
+
+ -- Joost Yervante Damad Thu, 13 Apr 2006 15:55:35 +0200
+
+mp3splt (2.1-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Paul Melnikow Mon, 4 Oct 2004 16:30:24 -0400
+
--- mp3splt-2.6.2+20170630.orig/debian/compat
+++ mp3splt-2.6.2+20170630/debian/compat
@@ -0,0 +1 @@
+7
--- mp3splt-2.6.2+20170630.orig/debian/control
+++ mp3splt-2.6.2+20170630/debian/control
@@ -0,0 +1,62 @@
+Source: mp3splt
+Section: sound
+Priority: optional
+Maintainer: Ron Lee
+Build-Depends: debhelper (>= 7.0.15),
+ libogg-dev, libvorbis-dev, libflac-dev, libmad0-dev,
+ libid3tag0-dev, libltdl3-dev, libpcre3-dev, libgtk-3-dev,
+ libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev,
+ audacious-dev, libaudclient-dev, libgnomeui-dev,
+ gnome-doc-utils, rarian-compat, doxygen, graphviz
+Standards-Version: 4.1.0.0
+Homepage: http://mp3splt.sourceforge.net/
+Vcs-Git: git://git.debian.org/users/ron/mp3splt.git
+Vcs-Browser: http://git.debian.org/?p=users/ron/mp3splt.git
+
+Package: mp3splt
+Architecture: any
+Depends: libmp3splt (= ${libmp3splt:Version}), ${shlibs:Depends}
+Suggests: mp3splt-gtk
+Description: split MP3, Ogg Vorbis, or FLAC files without re-encoding
+ This package provides the command line interface for splitting audio files at
+ a given begin and end time position without decoding. If splitting an album,
+ you can select split points and filenames manually or read them from CDDB or
+ cue files. Splitting on silence and data from Mp3Wrap or AlbumWrap is also
+ supported. For mp3 files, both ID3v1 & ID3v2 tags are supported. A GTK
+ interface is provided in the mp3splt-gtk package.
+
+Package: mp3splt-gtk
+Architecture: any
+Depends: libmp3splt (= ${libmp3splt:Version}), ${shlibs:Depends}
+Recommends: gstreamer1.0-plugins-good
+Suggests: mp3splt, audacious
+Description: split MP3, Ogg Vorbis, or FLAC files without re-encoding
+ This package provides the graphical interface for splitting audio files at a
+ given begin and end time position without decoding. If splitting an album,
+ you can select split points and filenames manually or read them from CDDB or
+ cue files. Splitting on silence and data from Mp3Wrap or AlbumWrap is also
+ supported. For mp3 files, both ID3v1 & ID3v2 tags are supported. A command
+ line interface is provided in the mp3splt package.
+
+Package: libmp3splt
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Recommends: mp3splt | mp3splt-gtk
+Conflicts: libmp3splt0, libmp3splt0-ogg, libmp3splt0-mp3, libmp3splt0-flac, libmp3splt-dev
+Replaces: libmp3splt0, libmp3splt0-ogg, libmp3splt0-mp3, libmp3splt0-flac, libmp3splt-dev
+Breaks: mp3splt (<< 2.6.2), mp3splt-gtk (<< 0.9.2)
+Description: support library for mp3splt and mp3splt-gtk
+ The mp3splt utility splits audio files at a given begin and end time position
+ without decoding. This package provides the library functions used by the
+ command line and graphical interfaces.
+
+Package: mp3splt-dbg
+Section: debug
+Priority: extra
+Architecture: any
+Depends: libmp3splt (= ${libmp3splt:Version}) | mp3splt (= ${binary:Version})
+ | mp3splt-gtk (= ${mp3splt-gtk:Version})
+Description: debugging symbols for mp3splt, mp3splt-gtk and libmp3splt
+ This package provides the detached debug symbols for mp3splt.
+
--- mp3splt-2.6.2+20170630.orig/debian/copyright
+++ mp3splt-2.6.2+20170630/debian/copyright
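Review bot: The `Vcs-Git` field advertises a `git://` URL, and `Homepage` and `Vcs-Browser` use `http://`; none of these authenticates the server or protects the transfer, so a clone of the packaging repository can be altered by anyone on the network path. Archive signatures cover the uploaded source package, not a checkout taken from the advertised Vcs location. If the hosts serve these over TLS, the fields should carry the `https://` forms instead.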
@@ -0,0 +1,26 @@
+This package was debianised by Ron on
+Sat, 15 Jun 2010 10:26:56 +0930. Some parts salvaged from
+Ryan Niebur's triple source packages where possible, but
+mostly redone from scratch as a single package.
+
+It was downloaded from
+
+ Copyright (C) 2002-2005 Matteo Trotta
+ Copyright (C) 2005-2014 Alexandru Ionut Munteanu
+
+ You can redistribute this software and/or modify it under the
+ terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ On Debian systems you can find the full text of the GNU General
+ Public License version 2 in '/usr/share/common-licenses/GPL-2'.
+
+
+The Debian packaging is:
+
+ Copyright 2009, Ryan Niebur
+ Copyright 2010 - 2017, Ron
+
+and is provided under the same license as mp3splt itself.
+
--- mp3splt-2.6.2+20170630.orig/debian/libmp3splt.lintian-overrides
+++ mp3splt-2.6.2+20170630/debian/libmp3splt.lintian-overrides
@@ -0,0 +1 @@
+libmp3splt: package-name-doesnt-match-sonames
--- mp3splt-2.6.2+20170630.orig/debian/rules
+++ mp3splt-2.6.2+20170630/debian/rules
@@ -0,0 +1,217 @@
+#!/usr/bin/make -f
+# Copyright Ron Lee 2003 - 2017
+
+#export DH_VERBOSE=1
+
+SHELL = /bin/bash
+
+NUM_CPUS = $(shell getconf _NPROCESSORS_ONLN 2>/dev/null)
+PARALLEL = $(subst parallel=,,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+NJOBS = -j$(or $(PARALLEL),$(NUM_CPUS),1)
+
+
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+
+HARD_CPPFLAGS = -D_FORTIFY_SOURCE=2
+HARD_CFLAGS = -Wformat=2
+HARD_LDFLAGS = -Wl,-z,now
+
+ifneq (,$(filter-out alpha hppa arm, $(DEB_HOST_ARCH)))
+ HARD_CFLAGS += -fstack-protector-strong --param ssp-buffer-size=4
+endif
+ifneq (,$(filter-out ia64 hppa avr32, $(DEB_HOST_ARCH)))
+ HARD_LDFLAGS += -Wl,-z,relro
+endif
+
+# Keep dpkg-buildpackage the hell out of messing with our compile flags,
+# we should trust upstream to know better than it what to use here.
+# We explicitly re-add -g and -O2 here, since by explicitly overriding
+# these variables, we otherwise disable autoconf adding them by default.
+CPPFLAGS = $(HARD_CPPFLAGS)
+CFLAGS = $(HARD_CFLAGS) -g -O2
+CXXFLAGS = $(HARD_CFLAGS) -g -O2
+LDFLAGS = $(HARD_LDFLAGS)
+
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS = -g -O0
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+
+# The mp3splt project consists of three parts, a common shared library, and
+# two front-end applications, one command-line the other a GUI. Even though
+# all parts of that are typically released in lockstep and must all be updated
+# together, the libmp3splt and mp3splt-gtk releases have a different version
+# to what the CLI mp3splt component does. (presumably because they were split
+# out of it at some later point in time when the GUI tool was added).
+#
+# We take the mp3splt binary package version from the changelog, since we use
+# its version as the source package version. For the library and GUI binary
+# packages, we use the upstream version of those components, to minimise any
+# confusion when comparing what we ship to upstream's latest release. To get
+# that, we parse it from the version that their respective configure reports.
+# The debian revision part will obviously always be the same for all of them.
+mp3splt_version := $(shell dpkg-parsechangelog -SVersion)
+debian_revision := $(shell echo $(mp3splt_version) | sed -e 's/.*-//')
+libmp3splt_version := $(shell ./libmp3splt/configure -V | awk '/libmp3splt configure/ {print $$3}')-$(debian_revision)
+mp3splt_gtk_version := $(shell ./mp3splt-gtk/configure -V | awk '/mp3splt-gtk configure/ {print $$3}')-$(debian_revision)
+SUBST_VARS = -Vlibmp3splt:Version=$(libmp3splt_version) -Vmp3splt-gtk:Version=$(mp3splt_gtk_version)
+
+
+lib_objdir := lib-objs
+cli_objdir := cli-objs
+gui_objdir := gui-objs
+
+
+show-versions:
+ @echo " mp3splt_version = $(mp3splt_version)"
+ @echo " libmp3splt_version = $(libmp3splt_version)"
+ @echo " mp3splt_gtk_version = $(mp3splt_gtk_version)"
+ @echo " debian_revision = $(debian_revision)"
+ @echo " SUBST_VARS = $(SUBST_VARS)"
+
+
+clean:
+ dh_testdir
+ dh_testroot
+ $(RM) -r $(lib_objdir) $(cli_objdir) $(gui_objdir)
+ dh_clean
+
+
+$(lib_objdir)/config.status: libmp3splt/configure
+ dh_testdir
+ mkdir -p $(lib_objdir)
+ cd $(lib_objdir) && \
+ ../libmp3splt/configure --host=$(DEB_HOST_GNU_TYPE) \
+ --build=$(DEB_BUILD_GNU_TYPE) \
+ --prefix=/usr \
+ --disable-maintainer-mode \
+ --enable-silent-rules \
+ CPPFLAGS="$(CPPFLAGS)" \
+ CFLAGS="$(CFLAGS)" \
+ CXXFLAGS="$(CXXFLAGS)" \
+ LDFLAGS="$(LDFLAGS)" \
+ || (cat config.log; exit 1)
+
+
+# Set LIBMP3SPLT_CFLAGS and LIBMP3SPLT_LIBS so that we don't need an
+# installed libmp3splt.pc to find the library files and headers.
+lib_cflags = -I$(CURDIR)/libmp3splt/include
+lib_ldflags = -L$(CURDIR)/$(lib_objdir)/src/.libs -lmp3splt
+
+$(cli_objdir)/config.status: mp3splt/configure
+ dh_testdir
+ mkdir -p $(cli_objdir)
+ cd $(cli_objdir) && \
+ ../mp3splt/configure --host=$(DEB_HOST_GNU_TYPE) \
+ --build=$(DEB_BUILD_GNU_TYPE) \
+ --prefix=/usr \
+ --disable-maintainer-mode \
+ --enable-silent-rules \
+ --disable-rpath \
+ --enable-oggsplt_symlink \
+ --enable-flacsplt_symlink \
+ LIBMP3SPLT_CFLAGS="$(lib_cflags)" \
+ LIBMP3SPLT_LIBS="$(lib_ldflags)" \
+ CPPFLAGS="$(CPPFLAGS)" \
+ CFLAGS="$(CFLAGS)" \
+ CXXFLAGS="$(CXXFLAGS)" \
+ LDFLAGS="$(LDFLAGS)" \
+ || (cat config.log; exit 1)
+
+$(gui_objdir)/config.status: mp3splt-gtk/configure
+ dh_testdir
+ mkdir -p $(gui_objdir)
+ cd $(gui_objdir) && \
+ ../mp3splt-gtk/configure --host=$(DEB_HOST_GNU_TYPE) \
+ --build=$(DEB_BUILD_GNU_TYPE) \
+ --prefix=/usr \
+ --disable-maintainer-mode \
+ --enable-silent-rules \
+ --disable-rpath \
+ LIBMP3SPLT_CFLAGS="$(lib_cflags)" \
+ LIBMP3SPLT_LIBS="$(lib_ldflags)" \
+ CPPFLAGS="$(CPPFLAGS)" \
+ CFLAGS="$(CFLAGS)" \
+ CXXFLAGS="$(CXXFLAGS)" \
+ LDFLAGS="$(LDFLAGS)" \
+ || (cat config.log; exit 1)
+
+
+build: build-arch
+build-arch: build-lib-stamp build-cli-stamp build-gui-stamp
+build-indep:
+
+build-lib-stamp: $(lib_objdir)/config.status
+ dh_testdir
+ $(MAKE) $(NJOBS) -C $(lib_objdir)
+ touch $@
+
+build-cli-stamp: $(cli_objdir)/config.status
+ dh_testdir
+ $(MAKE) $(NJOBS) -C $(cli_objdir)
+ touch $@
+
+build-gui-stamp: $(gui_objdir)/config.status
+ dh_testdir
+ $(MAKE) $(NJOBS) -C $(gui_objdir)
+ touch $@
+
+
+
+install: install-arch
+install-arch: install-lib-stamp install-cli-stamp install-gui-stamp
+install-indep:
+
+install-lib-stamp: build-lib-stamp
+ dh_testdir
+ cd $(lib_objdir) && $(MAKE) install DESTDIR=$(CURDIR)/debian/libmp3splt
+ $(RM) debian/libmp3splt/usr/lib/libmp3splt0/*.{a,la,so}
+ $(RM) debian/libmp3splt/usr/lib/*.{a,la,so}
+ $(RM) debian/libmp3splt/usr/share/doc/libmp3splt/doxygen/*.md5
+ $(RM) -r debian/libmp3splt/usr/lib/pkgconfig
+ $(RM) -r debian/libmp3splt/usr/include
+ dh_lintian -plibmp3splt
+ touch $@
+
+install-cli-stamp: build-cli-stamp
+ dh_testdir
+ cd $(cli_objdir) && $(MAKE) install DESTDIR=$(CURDIR)/debian/mp3splt
+ touch $@
+
+install-gui-stamp: build-gui-stamp
+ dh_testdir
+ cd $(gui_objdir) && $(MAKE) install DESTDIR=$(CURDIR)/debian/mp3splt-gtk
+ touch $@
+
+
+
+binary: binary-arch
+binary-indep:
+
+binary-arch: install-arch
+ dh_testdir
+ dh_testroot
+ dh_installdocs -a
+ dh_installchangelogs -a
+ dh_strip -a --dbg-package=mp3splt-dbg
+ dh_compress -a
+ dh_fixperms -a
+ dh_makeshlibs -plibmp3splt -V'libmp3splt (= $(libmp3splt_version))'
+ dh_installdeb -a
+ dh_shlibdeps -a -- -xlibmp3splt
+ dh_gencontrol -pmp3splt -pmp3splt-dbg -- $(SUBST_VARS)
+ dh_gencontrol -pmp3splt-gtk -- -v$(mp3splt_gtk_version) $(SUBST_VARS)
+ dh_gencontrol -plibmp3splt -- -v$(libmp3splt_version) $(SUBST_VARS)
+ dh_md5sums -a
+ dh_builddeb -a
+
+
+.PHONY: clean build build-arch build-indep install install-arch install-indep \
+ binary binary-arch binary-indep show-versions
--- mp3splt-2.6.2+20170630.orig/debian/source.lintian-overrides
+++ mp3splt-2.6.2+20170630/debian/source.lintian-overrides
@@ -0,0 +1 @@
+mp3splt: debhelper-but-no-misc-depends
--- mp3splt-2.6.2+20170630.orig/libmp3splt/plugins/ogg.c
+++ mp3splt-2.6.2+20170630/libmp3splt/plugins/ogg.c
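Review bot: In debian/rules the `noopt` branch replaces `CFLAGS` with a bare `-g -O0`, which drops `$(HARD_CFLAGS)` (`-Wformat=2` and, on most architectures, `-fstack-protector-strong`), while `CXXFLAGS` is left at `-O2`. A `DEB_BUILD_OPTIONS=noopt` build therefore produces C objects without the stack protector even though the rest of the hardening set still looks enabled. Keep the hardening flags and change only the optimisation level: `CFLAGS = $(HARD_CFLAGS) -g -O0` and `CXXFLAGS = $(HARD_CFLAGS) -g -O0`. `-D_FORTIFY_SOURCE=2` has no effect without optimisation, so a comment in that branch noting that fortify checks are inactive in `noopt` builds would stop a later reader from assuming otherwise.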
@@ -212,26 +212,36 @@ goto error; } memset(oggstate, 0, sizeof(splt_ogg_state)); + if ((oggstate->sync_in = malloc(sizeof(ogg_sync_state)))==NULL) { goto error; } + memset(oggstate->sync_in, 0, sizeof(ogg_sync_state)); + if ((oggstate->stream_in = malloc(sizeof(ogg_stream_state)))==NULL) { goto error; } + memset(oggstate->stream_in, 0, sizeof(ogg_stream_state)); + if ((oggstate->vd = malloc(sizeof(vorbis_dsp_state)))==NULL) { goto error; } + memset(oggstate->vd, 0, sizeof(vorbis_dsp_state)); + if ((oggstate->vi = malloc(sizeof(vorbis_info)))==NULL) { goto error; } + memset(oggstate->vi, 0, sizeof(vorbis_info)); + if ((oggstate->vb = malloc(sizeof(vorbis_block)))==NULL) { goto error; } + memset(oggstate->vb, 0, sizeof(vorbis_block)); if ((oggstate->headers = malloc(sizeof(splt_v_packet) * TOTAL_HEADER_PACKETS))==NULL) {
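Review bot: Each of the five new `memset` calls repeats the size given to the `malloc` before it, so allocation and zeroing can drift apart when a member is added or a type changes; `calloc` does both in one step, e.g. `if ((oggstate->vb = calloc(1, sizeof(vorbis_block)))==NULL)`. The fix also relies on the cleanup under the `error` label being safe on all-zero ogg and vorbis structs, which the changelog implies but this hunk does not show. A short comment above the first allocation, saying that the zeroing exists so the error path can call the `*_clear()` functions before the matching `*_init()` has run, would keep it from being removed later as redundant. The enclosing function and the `headers` allocation that ends the hunk continue outside it, so whether that buffer is zeroed as well cannot be checked from here.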