public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
To: git-commits@fedoraproject.org
Subject: [rpms/vorbis-tools] f43: CVE-2026-34253 - fix arbitrary code execution via buffer underflow
Date: Tue, 09 Jun 2026 08:40:32 GMT [thread overview]
Message-ID: <178099443262.1.7168112340587561509.rpms-vorbis-tools-50bc6e96c5a4@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/vorbis-tools
Branch : f43
Commit : 50bc6e96c5a41a791d2409c6a5bb3b4d9e5a4fd2
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date : 2026-06-09T10:38:19+02:00
Stats : +256/-4 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/vorbis-tools/c/50bc6e96c5a41a791d2409c6a5bb3b4d9e5a4fd2?branch=f43
Log:
CVE-2026-34253 - fix arbitrary code execution via buffer underflow
Resolves: rhbz#2479549
---
diff --git a/vorbis-tools-1.4.3-CVE-2026-34253.patch b/vorbis-tools-1.4.3-CVE-2026-34253.patch
new file mode 100644
index 0000000..70018c2
--- /dev/null
+++ b/vorbis-tools-1.4.3-CVE-2026-34253.patch
@@ -0,0 +1,248 @@
+From 4bb4fb33b25949178179f689db9afb477abeb572 Mon Sep 17 00:00:00 2001
+From: "Timothy B. Terriberry" <tterribe@xiph.org>
+Date: Tue, 24 Jun 2025 09:14:13 -0700
+Subject: [PATCH] Do not assume fgets result is non-empty
+
+If a file contains an embedded NUL ('\0') character, strlen() on
+ the result of fgets() can be 0, even when we have not reached the
+ end of the file.
+Therefore we cannot access index [strlen(buf)-1] to check a
+ character at the end of the string.
+
+Thanks to Momoko Shiraishi for the report.
+
+Fixes #2332
+---
+ ogg123/playlist.c | 8 ++++++--
+ ogg123/remote.c | 2 +-
+ vorbiscomment/vcomment.c | 2 +-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/ogg123/playlist.c b/ogg123/playlist.c
+index afcf5d7..3d3bc8f 100644
+--- a/ogg123/playlist.c
++++ b/ogg123/playlist.c
+@@ -265,10 +265,14 @@ int playlist_append_from_file(playlist_t *list, char *playlist_filename)
+
+ /* Crop off trailing newlines if present. Handle DOS (\r\n), Unix (\n)
+ * and MacOS<9 (\r) line endings. */
+- if (filename[length - 2] == '\r' && filename[length - 1] == '\n')
++ if (length >= 2 && filename[length - 2] == '\r'
++ && filename[length - 1] == '\n') {
+ filename[length - 2] = '\0';
+- else if (filename[length - 1] == '\n' || filename[length - 1] == '\r')
++ }
++ else if (length >= 1 && (
++ filename[length - 1] == '\n' || filename[length - 1] == '\r')) {
+ filename[length - 1] = '\0';
++ }
+
+ if (stat(filename, &stat_buf) == 0) {
+
+diff --git a/ogg123/remote.c b/ogg123/remote.c
+index 30f9787..1107174 100644
+--- a/ogg123/remote.c
++++ b/ogg123/remote.c
+@@ -150,7 +150,7 @@ static void * remotethread(void * arg) {
+ #endif
+
+ fgets(buf, MAXBUF, stdin);
+- buf[strlen(buf)-1] = 0;
++ buf[strcspn(buf, "\n")] = 0;
+
+ /* Lock on */
+ pthread_mutex_lock (&main_lock);
+diff --git a/vorbiscomment/vcomment.c b/vorbiscomment/vcomment.c
+index 2f1e17a..9c93f05 100644
+--- a/vorbiscomment/vcomment.c
++++ b/vorbiscomment/vcomment.c
+@@ -123,7 +123,7 @@ char * read_line (FILE *input)
+ buffers[buffer_count] = buffer;
+ buffer_count++;
+
+- if (retval[strlen (retval) - 1] == '\n')
++ if (strchr(retval, '\n') != NULL)
+ {
+ /* End of the line */
+ break;
+--
+2.54.0
+
+From cfc497a442f51fb4885e132deaf2e0ba067bd280 Mon Sep 17 00:00:00 2001
+From: "Timothy B. Terriberry" <tterribe@xiph.org>
+Date: Tue, 24 Jun 2025 09:38:56 -0700
+Subject: [PATCH] ogg123: Handle EOF/error in remote interface
+
+Previously, if there was an error or EOF reading commands for the
+ remote interface, the reader would loop infinitely trying to read
+ another command that will never come.
+Instead, treat error or EOF as a Quit command.
+
+We manually send an error message / log, instead of using the
+ existing error path, because we still want the main thread to
+ process the Quit.
+---
+ ogg123/remote.c | 128 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 69 insertions(+), 59 deletions(-)
+
+diff --git a/ogg123/remote.c b/ogg123/remote.c
+index 1107174..b0416a5 100644
+--- a/ogg123/remote.c
++++ b/ogg123/remote.c
+@@ -139,6 +139,7 @@ static void * remotethread(void * arg) {
+ buf[MAXBUF]=0;
+
+ while(!done) {
++ char *ret;
+ /* Read a line */
+ buf[0] = 0;
+ send_log("Waiting for input: ...");
+@@ -149,77 +150,86 @@ static void * remotethread(void * arg) {
+ select (1, &fd, NULL, NULL, NULL);
+ #endif
+
+- fgets(buf, MAXBUF, stdin);
+- buf[strcspn(buf, "\n")] = 0;
++ ret = fgets(buf, MAXBUF, stdin);
+
+ /* Lock on */
+ pthread_mutex_lock (&main_lock);
+
+- send_log("Input: %s", buf);
+- error = 0;
+-
+- if (!strncasecmp(buf,"l",1)) {
+- /* prepare to load */
+- if ((b=strchr(buf,' ')) != NULL) {
+- /* Prepare to load a new song */
+- strcpy((char*)arg, b+1);
++ if (ret != NULL) {
++ buf[strcspn(buf, "\n")] = 0;
++ send_log("Input: %s", buf);
++ error = 0;
++
++ if (!strncasecmp(buf,"l",1)) {
++ /* prepare to load */
++ if ((b=strchr(buf,' ')) != NULL) {
++ /* Prepare to load a new song */
++ strcpy((char*)arg, b+1);
++ setstatus(NEXT);
++ }
++ else {
++ /* Invalid load command */
++ error = 1;
++ }
++ }
++ else
++ if (!strncasecmp(buf,"p",1)) {
++ /* Prepare to (un)pause */
++ invertpause();
++ }
++ else
++ if (!strncasecmp(buf,"j",1)) {
++ /* Prepare to seek */
++ if ((b=strchr(buf,' ')) != NULL) {
++ set_seek_opt(&options, b+1);
++ }
++ ignore = 1;
++ }
++ else
++ if (!strncasecmp(buf,"s",1)) {
++ /* Prepare to stop */
++ setstatus(STOP);
++ }
++ else
++ if (!strncasecmp(buf,"r",1)) {
++ /* Prepare to reload */
+ setstatus(NEXT);
+- }
++ }
++ else
++ if (!strncasecmp(buf,"h",1)) {
++ /* Send help */
++ send_msg("H +----------------------------------------------------+");
++ send_msg("H | Ogg123 remote interface |");
++ send_msg("H |----------------------------------------------------|");
++ send_msg("H | Load <file> - load a file and starts playing |");
++ send_msg("H | Pause - pause or unpause playing |");
++ send_msg("H | Jump [+|-]<f> - jump <f> seconds forth or back |");
++ send_msg("H | Stop - stop playing |");
++ send_msg("H | Reload - reload last song |");
++ send_msg("H | Quit - quit ogg123 |");
++ send_msg("H |----------------------------------------------------|");
++ send_msg("H | refer to README.remote for documentation |");
++ send_msg("H +----------------------------------------------------+");
++ ignore = 1;
++ }
++ else
++ if (!strncasecmp(buf,"q",1)) {
++ /* Prepare to quit */
++ setstatus(QUIT);
++ done = 1;
++ }
+ else {
+- /* Invalid load command */
++ /* Unknown input received */
+ error = 1;
+ }
+ }
+- else
+- if (!strncasecmp(buf,"p",1)) {
+- /* Prepare to (un)pause */
+- invertpause();
+- }
+- else
+- if (!strncasecmp(buf,"j",1)) {
+- /* Prepare to seek */
+- if ((b=strchr(buf,' ')) != NULL) {
+- set_seek_opt(&options, b+1);
+- }
+- ignore = 1;
+- }
+- else
+- if (!strncasecmp(buf,"s",1)) {
+- /* Prepare to stop */
+- setstatus(STOP);
+- }
+- else
+- if (!strncasecmp(buf,"r",1)) {
+- /* Prepare to reload */
+- setstatus(NEXT);
+- }
+- else
+- if (!strncasecmp(buf,"h",1)) {
+- /* Send help */
+- send_msg("H +----------------------------------------------------+");
+- send_msg("H | Ogg123 remote interface |");
+- send_msg("H |----------------------------------------------------|");
+- send_msg("H | Load <file> - load a file and starts playing |");
+- send_msg("H | Pause - pause or unpause playing |");
+- send_msg("H | Jump [+|-]<f> - jump <f> seconds forth or back |");
+- send_msg("H | Stop - stop playing |");
+- send_msg("H | Reload - reload last song |");
+- send_msg("H | Quit - quit ogg123 |");
+- send_msg("H |----------------------------------------------------|");
+- send_msg("H | refer to README.remote for documentation |");
+- send_msg("H +----------------------------------------------------+");
+- ignore = 1;
+- }
+- else
+- if (!strncasecmp(buf,"q",1)) {
+- /* Prepare to quit */
++ else {
++ send_err("E EOF or error reading commands");
++ send_log("EOF or error reading commands");
++ /* Treat EOF or error as a quit command. */
+ setstatus(QUIT);
+ done = 1;
+ }
+- else {
+- /* Unknown input received */
+- error = 1;
+- }
+
+ if (ignore) {
+ /* Unlock */
+--
+2.54.0
+
diff --git a/vorbis-tools.spec b/vorbis-tools.spec
index cd56bbb..05bd88f 100644
--- a/vorbis-tools.spec
+++ b/vorbis-tools.spec
@@ -1,7 +1,7 @@
Summary: The Vorbis General Audio Compression Codec tools
Name: vorbis-tools
Version: 1.4.3
-Release: 3%{?dist}
+Release: 4%{?dist}
Epoch: 1
# Automatically converted from old format: GPLv2 - review is highly recommended.
License: GPL-2.0-only
@@ -11,6 +11,10 @@ Source: https://ftp.osuosl.org/pub/xiph/releases/vorbis/%{name}-%{version}.tar.
# http://lists.xiph.org/pipermail/vorbis-dev/2021-January/020538.html
# http://lists.xiph.org/pipermail/vorbis-dev/2013-May/020336.html
Patch1: vorbis-tools-1.4.2-man-page.patch
+# CVE-2026-34253
+# https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/4bb4fb33b25949178179f689db9afb477abeb572
+# https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/cfc497a442f51fb4885e132deaf2e0ba067bd280
+Patch2: vorbis-tools-1.4.3-CVE-2026-34253.patch
BuildRequires: flac-devel
BuildRequires: gettext
@@ -40,9 +44,6 @@ comment editor.
%build
-# fix FTBFS if "-Werror=format-security" flag is used (#1025257)
-export CFLAGS="$RPM_OPT_FLAGS -Wno-error=format-security"
-
# uncomment this when debugging
#CFLAGS="$CFLAGS -O0"
@@ -63,6 +64,9 @@ rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}*
%changelog
+* Tue Jun 09 2026 Lukáš Zaoral <lzaoral@redhat.com> - 1:1.4.3-4
+- CVE-2026-34253 - fix arbitrary code execution via buffer underflow (rhbz#2479549)
+
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
reply other threads:[~2026-06-09 8:40 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178099443262.1.7168112340587561509.rpms-vorbis-tools-50bc6e96c5a4@fedoraproject.org \
--to=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox