Per [1] this CVE is already patched by commit [2].
This can be also verified with yocto build.
Running without this patch:
root@qemux86-64:~# sfconvert poc.wav output format wave
malloc(): corrupted top size
Aborted
Running with it:
root@qemux86-64:~# sfconvert poc.wav output format wave
Audio File Library: Bad number of coefficients [error 62]
Could not open file 'poc.wav' for reading.
[1] https://github.com/mpruett/audiofile/issues/56
[2] c48e4c6503
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is inactive project, so no official CVE fix will be available
anymore. That however does not mean that there is no fix available.
Following tries to prove that patch provided here is valid.
NVD CVE report [1] links issue [2] where this is reported.
Based on the report, fix was proposed in [3].
There was some review however the patch autor was not active.
[4] was later created trying to adddress the comments, but the project
was not active anymore. In this PR the patch was shrunk to a one-liner
in discussion.
I have tested the poc and it is real.
The patch fixes it, while not breaking the execution if good file path
is provided as argument.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361
[2] https://github.com/xiph/vorbis-tools/issues/41
[3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7
[4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It exports all symbols globally which results in a symbol clash, for
example "hashtable_del" of ulogd2. It has been revealed because the
recipe inherits cmake over autotools since Langdale.
This fixes it by specifying visibility scope of symbols in its version
script which matches what is given with the libtool flag
'-export-symbols-regex' in Makefile.am.
Signed-off-by: Jaeyoon Jung <jaeyoon.jung@lge.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
After fixing the TMPDIR [buildpaths] warning, a segmentation fault while
running gphoto2 command.
It seems 'sed' is primarily designed for text processing. When running
'sed' on a binary, it may overwrite or corrupt critical parts of the
binary.
> root@qemux86-64:~# gphoto2 -v
> Segmentation fault
Signed-off-by: Hieu Van Nguyen <hieu2.nguyen@lge.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.32.0
Features:
Add support for DNS 0x20 to help prevent cache poisoning attacks, enabled
by specifying ARES_FLAG_DNS0x20. Disabled by default. PR #800
Rework query timeout logic to automatically adjust timeouts based on network
conditions. The timeout specified now is only used as a hint until there
is enough history to calculate a more valid timeout. PR #794
Changes:
DNS RR TXT strings should not be automatically concatenated as there are use
cases outside of RFC 7208. In order to maintain ABI compliance, the ability
to retrieve TXT strings concatenated is retained as well as a new API to
retrieve the individual strings. This restores behavior from c-ares 1.20.0.
PR #801
Clean up header inclusion logic to make hacking on code easier. PR #797
GCC/Clang: Enable even more strict warnings to catch more coding flaws. 253bdee
MSVC: Enable /W4 warning level. PR #792
Bugfixes:
Tests: Fix thread race condition in test cases for EventThread. PR #803
Windows: Fix building with UNICODE. PR #802
Thread Saftey: ares_timeout() was missing lock. 74a64e4
Fix building with DJGPP (32bit protected mode DOS). PR #789
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Similarly to old openssl versions, proftpd has patch releases with
characters instead of numbers.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Patch releases have character after version
devtool upgrade would currently downgrade 1.3.8b -> 1.3.8
This will make it upgrade 1.3.8b -> 1.3.8c
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Commit d89fc818b7 changed the
permissions back to 700, which is wrong for /usr/share, these
files are intended to be world readable. Change it back.
Fixes: d89fc818b7 ("polkit: Install rules in subdir")
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Plug memory leak in the notification portal backend
- Implement the contrast setting
- Set correct platform data for notification activation
- Drop use of private GNOME Shell notification API
- Depend on the graphical-session target
- Ensure proper shutdown target
- Build against xdg-desktop-portal >= 1.19.1
- Translation updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- feat: implement heapq for tracking cache expire times
- fix: ensure cache does not return stale created and ttl values
- feat: improve performance of processing incoming records
- fix: split wheel builds to avoid timeout
- fix: move wheel builds to macos-13
- feat: speed up parsing incoming records
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Due to GitHub actions changes, binary wheels were missing for macOS Intel.
- Not implemented error for __reduce__() on ObjectProxy was incorrectly
displaying the error as being on __reduce_ex__().
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
Bugfix where async and return_cmd does not raise exceptions
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- Write installer metadata like INSTALLER and REQUESTED to dist-info directory
when installing packages.
- Respect .python-version file in the project root directory when selecting the
Python interpreter. By default, it will be written when running pdm use command.
- Fix a problem of missing dependencies when adding to dev dependencies if both
editable and non-editable dependencies exist.
- Use stdlib for URL <-> Path conversions.
- shellingham.detect_shell() returns ('tcsh', '/bin/tcsh') for tcsh on FreeBSD,
so the current code tries to use the Bash venv activation script and fails due
to syntax error. This change fixes the issue.
- Fix a performance issue because pypi source credentials were being queried
many times from keyring.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Typing: Fix type annotations for Tuple <marshmallow.fields.Tuple>,
Boolean <marshmallow.fields.Boolean>, and
Pluck <marshmallow.fields.Pluck> constructors
- Typing: Fix overload for marshmallow.class_registry.get_class
- Various documentation improvements
- Add top-level API back to docs
- Typing: Improve type annotations for SchemaMeta.get_declared_fields
- Typing: Relax type annotation for Schema.opts to allow subclasses to define
their own options classes
- Restore marshmallow.base.SchemaABC for backwards-compatibility
- Don't override __new__ to avoid breaking usages of inspect.signature with
Field <marshmallow.fields.Field> classes. This allows marshmallow-sqlalchemy
users to upgrade marshmallow without upgrading to marshmallow-sqlalchemy>=1.1.1.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- fix problem with functools.singledispatch
- uprev to v0.9
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Reduced accuracy representations of years when parsing a calendar date are now
only allowed to be [YY]
- No longer specify a Python interpreter version to Black
- Cleanup unsupported Pylint configuration options
- Fix used-before-assignment errors
- Fix coverage issue caused by unreachable conditional in _parse_interval_end
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2025.
Changelog:
==========
- Many xml_attribute:: and xml_node:: functions now transparently support
std::string_view and std::string when C++17 support is detected.
- Improve pkg-config file generation for NixOS
- PUGIXML_BUILD_APPLE_FRAMEWORK CMake option can be used to build pugixml
as .xcframework
- PUGIXML_INSTALL CMake option can be used to disable installation targets
- Fix clang/gcc warnings -Wzero-as-null-pointer-constant, -Wuseless-cast,
-Wshorten-64-to-32
- Fix unreferenced function warnings in PUGIXML_NO_STL configuration
- Fix CMake 3.31 deprecation warnings
- Stop using deprecated throw() when noexcept is available
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Update CMake toolchain link in README file
- CMake cleanup, bump to v3.5, and submodule improvements
- Fix usage of memset
- Assigned Client Identifier constant misspelled
- Exporting the -static CMake targets when both shared and static libraries built.
- Some minor hardening of MQTTProperties functions
- Zero out MQTTProperty before reading
- Fix doc comment for MQTTAsync_disconnected
- Small cleanup of OpenSSL/LibreSSL CMake
- Fix usage of realloc
- Fix compiler warnings
- Small cleanup of OpenSSL/LibreSSL CMake (2nd try)
- Fix IpV6 link local address connections
- Added support for UNIX-domain sockets for v1.3.x
- Build all the sample applications for the static library
- Fix possible memory leak
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- If the Monit configuration file contains a string with unbalanced escape
sequences, Monit may crash upon startup.
- If the password in the set mmonit URL contains only binary characters,
syntax check passed (-t), but Monit aborts after start and reports error
- If the every <cron> statement contained a syntax error, syntax check
passed (-t), but Monit aborts after start and reports error
- If the timeout option value was set to 0, the syntax check was
successful (-t), but Monit aborts after starting and reports error
- The set syslog statement's facility option did not permit the specification
of the log_user.
- Double interpretation of format strings during RETHROW
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Support of both Apple Silicon and Intel for macOS package.
- Add cvlan/svlan/tpmr capabilities.
- Disable LLDP in firmware for Intel X7xx cards on FreeBSD.
- Add lldpctl_watch_sync_unblock to liblldpctl.
- Add C++ wrapper for lldpctl.
- Fix AppArmor policy for /run/lldpd/lldpd.socket.lock.
- Do not query stats for a down interface on Linux.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
