audio/tremor received a fix for CVE-2018-5146 (out-of-bounds write on codebook decoding). Since there are no releases, I checked out head from git and rolled my own tarball. It also includes some other fixes accumulated over the years.
OK? Everybody is investing minimal effort in this, myself included. As soon as arm gets hardfloat, I suggest we remove tremor from the tree with extreme prejudice. Index: Makefile =================================================================== RCS file: /cvs/ports/audio/tremor/Makefile,v retrieving revision 1.22 diff -u -p -r1.22 Makefile --- Makefile 16 Mar 2015 18:07:37 -0000 1.22 +++ Makefile 17 Mar 2018 00:47:03 -0000 @@ -2,15 +2,14 @@ COMMENT= integer-only, fully Ogg Vorbis compliant decoder library -DISTNAME= tremor-20120410 -REVISION= 1 +DISTNAME= tremor-20180316 CATEGORIES= audio -MASTER_SITES= http://comstyle.com/source/ -EXTRACT_SUFX= .tar.bz2 +MASTER_SITES= http://shell.uugrn.org/~naddy/ +EXTRACT_SUFX= .tar.xz -SHARED_LIBS= vorbisidec 3.0 +SHARED_LIBS= vorbisidec 3.0 # 1.3 -HOMEPAGE= http://www.xiph.org/vorbis/ +HOMEPAGE= https://www.xiph.org/vorbis/ # BSD PERMIT_PACKAGE_CDROM= Yes @@ -24,12 +23,12 @@ BUILD_DEPENDS= ${MODGNU_AUTOCONF_DEPEND ${MODGNU_AUTOMAKE_DEPENDS} \ devel/libtool -AUTOCONF_VERSION= 2.61 -AUTOMAKE_VERSION= 1.10 +AUTOCONF_VERSION= 2.69 +AUTOMAKE_VERSION= 1.15 CONFIGURE_STYLE= gnu -WRKDIST= ${WRKDIR}/Tremor +WRKDIST= ${WRKDIR}/tremor post-patch: @cd ${WRKSRC} && env AUTOCONF_VERSION=${AUTOCONF_VERSION} \ Index: distinfo =================================================================== RCS file: /cvs/ports/audio/tremor/distinfo,v retrieving revision 1.5 diff -u -p -r1.5 distinfo --- distinfo 18 Jan 2015 03:12:49 -0000 1.5 +++ distinfo 17 Mar 2018 00:47:03 -0000 
@@ -1,2 +1,2 @@ -SHA256 (tremor-20120410.tar.bz2) = RM3oW90YOsiG9Vjf57Ms03BdmgdtONrQTu7l+dc7tOA= -SIZE (tremor-20120410.tar.bz2) = 256053 +SHA256 (tremor-20180316.tar.xz) = mRWKdGcmyjvMDDfC/IrAgezuw4tn50yZo4axmmCXHEA= +SIZE (tremor-20180316.tar.xz) = 110312 Index: patches/patch-vorbisidec_pc_in =================================================================== RCS file: patches/patch-vorbisidec_pc_in diff -N patches/patch-vorbisidec_pc_in --- patches/patch-vorbisidec_pc_in 14 Apr 2013 00:43:44 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-vorbisidec_pc_in,v 1.1 2013/04/14 00:43:44 brad Exp $ - -Correct pkg-config file for overlinking. - ---- vorbisidec.pc.in.orig Wed Oct 5 01:12:59 2011 -+++ vorbisidec.pc.in Sat Mar 30 00:14:33 2013 -@@ -8,7 +8,7 @@ includedir=@includedir@ - Name: vorbisidec - Description: vorbisidec is the integer Ogg Vorbis library - Version: @VERSION@ --Requires: ogg -+Requires.private: ogg - Conflicts: --Libs: -L${libdir} -lvorbisidec -lm -+Libs: -L${libdir} -lvorbisidec - Cflags: -I${includedir} -- Christian "naddy" Weisgerber na...@mips.inka.de
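Review bot: In the first Makefile hunk, MASTER_SITES now points at http://shell.uugrn.org/~naddy/ for a tarball rolled from git head, and nothing in the port records which upstream commit tremor-20180316 corresponds to. A comment above DISTNAME naming the upstream revision would let someone else regenerate the tarball and compare it against the distinfo SHA256, which is the only integrity check on a plain-http fetch. In the same hunk, SHARED_LIBS stays at 3.0 between the 20120410 and 20180316 snapshots; it is worth confirming the exported symbols were compared before keeping that version.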
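Review bot: In the second Makefile hunk, WRKDIST= ${WRKDIR}/tremor is only needed because the tarball's top-level directory does not match DISTNAME. Since the tarball is self-rolled, packing it with a tremor-20180316 top-level directory would let the WRKDIST line be dropped and the port fall back to the default.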
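Review bot: The removal of patches/patch-vorbisidec_pc_in drops the local change to Requires.private: ogg and the removal of -lm from Libs:, and the diff does not show that the new snapshot's vorbisidec.pc.in already carries them. If upstream has not picked these up, the overlinking that patch corrected comes back for consumers of the pkg-config file; please confirm against the new vorbisidec.pc.in or keep a regenerated patch.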