diff --git a/cdparanoia-10.2-format-security.patch b/cdparanoia-10.2-format-security.patch
new file mode 100644
index 0000000..20b5bc4
--- /dev/null
+++ b/cdparanoia-10.2-format-security.patch
@@ -0,0 +1,16 @@
+diff -Naur cdparanoia-III-10.2.orig/main.c cdparanoia-III-10.2/main.c
+--- cdparanoia-III-10.2.orig/main.c 2008-09-11 23:11:02.000000000 +0200
++++ cdparanoia-III-10.2/main.c 2014-04-14 21:24:10.023000000 +0200
+@@ -588,10 +588,10 @@
+ buffer[aheadposition+19]='>';
+ }
+ 
+- fprintf(stderr,buffer);
++ fprintf(stderr, "%s", buffer);
+ 
+ if (logfile != NULL && function==-1) {
+- fprintf(logfile,buffer+1);
++ fprintf(logfile, "%s", buffer+1);
+ fprintf(logfile,"\n\n");
+ fflush(logfile);
+ }
diff --git a/cdparanoia.spec b/cdparanoia.spec
index dffaea3..1d69bde 100644
--- a/cdparanoia.spec
+++ b/cdparanoia.spec
@@ -1,7 +1,7 @@
 Summary: Compact Disc Digital Audio (CDDA) extraction tool (or ripper)
 Name: cdparanoia
 Version: 10.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 # the app is GPLv2, everything else is LGPLv2
 License: GPLv2 and LGPLv2
 Group: Applications/Multimedia
@@ -14,6 +14,7 @@ Patch0: cdparanoia-10.2-#463009.patch
 # #466659
 Patch1: cdparanoia-10.2-endian.patch
 Patch2: cdparanoia-10.2-install.patch
+Patch3: cdparanoia-10.2-format-security.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: cdparanoia-libs = %{version}-%{release}
 Obsoletes: cdparanoia-III <= alpha9.8
@@ -62,6 +63,7 @@ for developing applications to read CD Digital Audio disks.
 %patch0 -p3 -b .#463009
 %patch1 -p1 -b .endian
 %patch2 -p1 -b .install
+%patch3 -p1 -b .fmt-sec
 
 %build
 %configure --includedir=%{_includedir}/cdda
@@ -103,6 +105,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/*.a
 
 %changelog
+* Mon Apr 14 2014 Jaromir Capik - 10.2-15
+- Fixing format-security flaws (#1037011)
+
 * Sat Aug 03 2013 Fedora Release Engineering - 10.2-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
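Review bot: The two rewritten calls `fprintf(stderr, "%s", buffer)` and `fprintf(logfile, "%s", buffer+1)` close the non-literal-format hole, but since no formatting of `buffer` is intended, `fputs(buffer, stderr)` and `fputs(buffer+1, logfile)` would state that directly and keep the text out of the format parser altogether; this is a style preference, both forms are safe. The patch touches only the two call sites visible in this hunk, so if main.c has other fprintf/printf calls whose format is a variable they would still be reported under -Wformat-security — worth confirming against the build log rather than assumed fixed. The enclosing function starts and ends outside the hunk.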