diff --git a/CVE-2025-2173.patch b/CVE-2025-2173.patch
deleted file mode 100644
index e5b2f9c024a90aa6347213281d9fed96f44241f2..0000000000000000000000000000000000000000
--- a/CVE-2025-2173.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8def647eea27f7fd7ad33ff79c2d6d3e39948dce Mon Sep 17 00:00:00 2001
-From: Ileana Dumitrescu
-Date: Mon, 10 Mar 2025 20:36:05 +0200
-Subject: [PATCH] src/conv.c: Check src_length to avoid an unitinialized heap
- read
-
----
- src/conv.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/conv.c b/src/conv.c
-index 9a2a418..3099202 100644
---- a/src/conv.c
-+++ b/src/conv.c
-@@ -578,8 +578,8 @@ strndup_iconv_from_ucs2 (unsigned long * out_size,
- * @returns
- * A pointer to the allocated buffer. You must free() the buffer
- * when it is no longer needed. The function returns @c NULL when
-- * the conversion fails, when it runs out of memory or when @a src
-- * is @c NULL.
-+ * the conversion fails, when it runs out of memory, src_length is
-+ * set to zero, or when @a src is @c NULL.
- *
- * @since 0.2.23
- */
-@@ -593,6 +593,9 @@ vbi_strndup_iconv_ucs2 (const char * dst_codeset,
- char *result;
- unsigned long size;
-
-+ if (0 == src_length)
-+ return NULL;
-+
- buffer = strndup_iconv_from_ucs2 (&size,
- dst_codeset,
- src, src_length,
diff --git a/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch b/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch
deleted file mode 100644
index 903ed6487bcf6ae55e0f3539c42e836e819ee7a9..0000000000000000000000000000000000000000
--- a/CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From ca1672134b3e2962cd392212c73f44f8f4cb489f Mon Sep 17 00:00:00 2001
-From: Ileana Dumitrescu
-Date: Mon, 10 Mar 2025 20:36:32 +0200
-Subject: [PATCH] src/conv.c, src/io-sim.c, src/search.c: Avoid integer
- overflow leading to heap overflow
-
----
- src/conv.c | 18 ++++++++++++++----
- src/io-sim.c | 5 ++++-
- src/search.c | 13 ++++++++++---
- 3 files changed, 28 insertions(+), 8 deletions(-)
-
-diff --git a/src/conv.c b/src/conv.c
-index 3099202..aa8fb8d 100644
---- a/src/conv.c
-+++ b/src/conv.c
-@@ -338,7 +338,8 @@ vbi_strlen_ucs2 (const uint16_t * src)
- * @returns
- * A pointer to the allocated buffer. You must free() the buffer
- * when it is no longer needed. The function returns @c NULL when
-- * it runs out of memory, or when @a src is @c NULL.
-+ * it runs out of memory, src_size is too large, or when @a src
-+ * is @c NULL.
- *
- * @since 0.2.23
- */
-@@ -349,7 +350,11 @@ strndup_identity (unsigned long * out_size,
- {
- char *buffer;
-
-- buffer = vbi_malloc (src_size + 4);
-+ unsigned long check_buffer_size = (src_size + 4);
-+ if (src_size > check_buffer_size)
-+ return NULL;
-+
-+ buffer = vbi_malloc (check_buffer_size);
- if (NULL == buffer) {
- if (NULL != out_size)
- *out_size = 0;
-@@ -381,7 +386,8 @@ strndup_identity (unsigned long * out_size,
- * @returns
- * A pointer to the allocated buffer. You must free() the buffer
- * when it is no longer needed. The function returns @c NULL when
-- * it runs out of memory, or when @a src is @c NULL.
-+ * it runs out of memory, src_length is too large, or when @a src
-+ * is @c NULL.
- *
- * @since 0.2.23
- */
-@@ -403,7 +409,11 @@ strndup_utf8_ucs2 (unsigned long * out_size,
- if (src_length < 0)
- src_length = vbi_strlen_ucs2 (src);
-
-- buffer = vbi_malloc (src_length * 3 + 1);
-+ unsigned long check_buffer_size = (src_length * 3 + 1);
-+ if (src_length > check_buffer_size)
-+ return NULL;
-+
-+ buffer = vbi_malloc (check_buffer_size);
- if (NULL == buffer)
- return NULL;
-
-diff --git a/src/io-sim.c b/src/io-sim.c
-index 831c668..f5a48eb 100644
---- a/src/io-sim.c
-+++ b/src/io-sim.c
-@@ -1898,7 +1898,10 @@ vbi_capture_sim_load_caption (vbi_capture * cap,
- }
-
- if (b->size >= b->capacity) {
-- if (!extend_buffer (b, b->capacity + 256))
-+ unsigned int check_buffer_size = (b->capacity + 256);
-+ if (b->capacity > check_buffer_size)
-+ return FALSE;
-+ if (!extend_buffer (b, check_buffer_size))
- return FALSE;
- }
-
-diff --git a/src/search.c b/src/search.c
-index b325eed..f0feada 100644
---- a/src/search.c
-+++ b/src/search.c
-@@ -2,7 +2,7 @@
- * libzvbi -- Teletext page cache search functions
- *
- * Copyright (C) 2000, 2001, 2002 Michael H. Schimek
-- * Copyright (C) 2000, 2001 Iñaki G. Etxebarria
-+ * Copyright (C) 2000, 2001 I�aki G. Etxebarria
- *
- * Originally based on AleVT 1.5.1 by Edgar Toernig
- *
-@@ -470,7 +470,8 @@ ucs2_strlen(const void *string)
- * All this has yet to be addressed.
- *
- * @return
-- * A vbi_search context or @c NULL on error.
-+ * A vbi_search context or @c NULL on error or pattern string length
-+ * is too large.
- */
- vbi_search *
- vbi_search_new(vbi_decoder *vbi,
-@@ -490,7 +491,13 @@ vbi_search_new(vbi_decoder *vbi,
- return NULL;
-
- if (!regexp) {
-- if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) {
-+ unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2);
-+ if (pat_len > check_size) {
-+ free(s);
-+ return NULL;
-+ }
-+
-+ if (!(esc_pat = malloc(check_size))) {
- free(s);
- return NULL;
- }
diff --git a/zvbi-0.2.35.tar.bz2 b/zvbi-0.2.35.tar.bz2 deleted file mode 100644 index 57e02194ebb89666ce48e815c0baca2af28b5eda..0000000000000000000000000000000000000000 Binary files a/zvbi-0.2.35.tar.bz2 and /dev/null differ diff --git a/zvbi-0.2.44.tar.gz b/zvbi-0.2.44.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8f4bd264cda424240c69337cd229dccd3c4b3dd3 Binary files /dev/null and b/zvbi-0.2.44.tar.gz differ diff --git a/zvbi.spec b/zvbi.spec index 41844c94b45a0dbb8234606a6afe54c5d525545d..93b05ff7e457f927681b83f65598650ec26a4861 100644 --- a/zvbi.spec +++ b/zvbi.spec @@ -1,18 +1,17 @@ Name: zvbi -Version: 0.2.35 -Release: 9 +Version: 0.2.44 +Release: 1 Summary: A library provides functions to capture and decode VBI data -License: LGPLv2+ and GPLv2+ and BSD -URL: http://zapping.sourceforge.net/ZVBI/index.html -Source0: http://downloads.sourceforge.net/zapping/%{name}-%{version}.tar.bz2 +License: GPL-2.0-or-later AND LGPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-2-Clause AND MIT +URL: https://github.com/zapping-vbi/zvbi +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch0001: %{name}-0.2.24-tvfonts.patch Patch0002: %{name}-0.2.25-openfix.patch -Patch0003: CVE-2025-2173.patch -Patch0004: CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch -BuildRequires: gcc-c++ doxygen fontconfig gettext >= 0.16.1 libpng-devel +BuildRequires: gcc-c++ doxygen fontconfig gettext >= 0.21.0 libpng-devel BuildRequires: libICE-devel xorg-x11-font-utils systemd-units +BuildRequires: autoconf automake libtool gettext-devel Requires(post): systemd-units Requires(preun): systemd-units @@ -63,6 +62,7 @@ WantedBy=multi-user.target EOF %build +autoreconf -fi %configure --disable-rpath --enable-v4l --enable-dvb --enable-proxy %make_build 
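Review bot: Patch0003 and Patch0004 are dropped in the first zvbi.spec hunk, but nothing in the commit records that the 0.2.44 tarball carries the fixes those files held (upstream commits 8def647eea27 and ca1672134b3e per the deleted patch headers); the new changelog entry names only CVE-2025-2175. Before merge, confirm in the 0.2.44 tree that the `0 == src_length` guard in `vbi_strndup_iconv_ucs2` and the size checks in `strndup_identity`, `strndup_utf8_ucs2`, `vbi_capture_sim_load_caption` and `vbi_search_new` are present, then state it in the changelog, e.g. `- Drop CVE-2025-2173, CVE-2025-2174, CVE-2025-2176 and CVE-2025-2177 patches (fixed upstream in 0.2.44)`. Source0 also changes to a forge-generated archive URL and the tarball is a binary blob in this diff, so its checksum should be compared against the upstream v0.2.44 tag as part of the review.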
@@ -113,12 +113,12 @@ if [ "$1" = "0" ]; then fi %files -f %{name}.lang -%doc AUTHORS COPYING COPYING.LIB +%doc AUTHORS +%license COPYING COPYING.md %{_bindir}/%{name}* %{_sbindir}/zvbid %{_unitdir}/zvbid.service %{_libdir}/*.so.* -%exclude %{_initrddir} %dir %{_datadir}/fonts/%{name} %{_datadir}/fonts/%{name}/*.gz %{_datadir}/fonts/%{name}/fonts.dir @@ -132,15 +132,24 @@ fi %{_libdir}/pkgconfig/%{name}-0.2.pc %files help -%doc BUGS ChangeLog NEWS README TODO +%doc BUGS ChangeLog NEWS README.md TODO %{_mandir}/man1/* %changelog -* Tue Mar 18 2025 yaoxin <1024769339@qq.com> - 0.2.35-9 +* Wed Mar 26 2025 yaoxin <1024769339@qq.com> - 0.2.44-1 +- Update to 0.2.44 for fix CVE-2025-2175 + +* Tue Mar 18 2025 yaoxin <1024769339@qq.com> - 0.2.42-4 - Fix CVE-2025-2173,CVE-2025-2174,CVE-2025-2176 and CVE-2025-2177 -* Fri Nov 24 2023 lwg - 0.2.35-8 +* Sun Feb 04 2024 lvgenggeng 0.2.42-3 +- move license file to prefered dir + +* Fri Nov 24 2023 lwg - 0.2.42-2 - fix uninstall error +* Mon Sep 04 2023 yaoxin - 0.2.42-1 +- Update to 0.2.42 + * Mon Dec 02 2019 Jiangping Hu - 0.2.35-7 - Package init
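Review bot: The last hunk relabels two existing %changelog entries instead of only adding new ones: `0.2.35-9` becomes `0.2.42-4` and `0.2.35-8` becomes `0.2.42-2`, although the first hunk shows the spec was at Version 0.2.35, Release 9 before this commit. The changelog then no longer says which shipped build first carried the CVE-2025-2173/2174/2176/2177 fixes, which is what an auditor or advisory tooling reads it for; presumably the block was copied from another branch. Keep the already-shipped entries unchanged, e.g. `* Tue Mar 18 2025 yaoxin <1024769339@qq.com> - 0.2.35-9`, and add on top only entries for builds that existed on this branch.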