diff --git a/.cvsignore b/.cvsignore
index c3e7bad..bc21969 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,2 @@
-audacity-1.3.4-20080123cvs.tar.bz2
 audacity-src-1.3.2.tar.gz
+audacity-src-1.3.5-rc3.tar.bz2
diff --git a/audacity-1.3.2-CVE-2007-6061.patch b/audacity-1.3.2-CVE-2007-6061.patch
new file mode 100644
index 0000000..bb1f4fd
--- /dev/null
+++ b/audacity-1.3.2-CVE-2007-6061.patch
@@ -0,0 +1,35 @@
+diff -Nur audacity-src-1.3.2-beta-orig/src/AudacityApp.cpp audacity-src-1.3.2-beta/src/AudacityApp.cpp
+--- audacity-src-1.3.2-beta-orig/src/AudacityApp.cpp 2006-10-29 01:05:26.000000000 +0200
++++ audacity-src-1.3.2-beta/src/AudacityApp.cpp 2008-05-02 17:46:49.000000000 +0200
+@@ -821,7 +821,7 @@
+ if (tempFromPrefs != wxT("")) {
+ if (wxDirExists(tempFromPrefs))
+ temp = tempFromPrefs;
+- else if (wxMkdir(tempFromPrefs))
++ else if (wxMkdir(tempFromPrefs, 0755))
+ temp = tempFromPrefs;
+ }
+
+@@ -830,10 +830,21 @@
+ if (temp==wxT("") && tempDefaultLoc != wxT("")) {
+ if (wxDirExists(tempDefaultLoc))
+ temp = tempDefaultLoc;
+- else if (wxMkdir(tempDefaultLoc))
++ else if (wxMkdir(tempDefaultLoc, 0755))
+ temp = tempDefaultLoc;
+ }
+
++ // Check temp directory ownership.
++ struct stat tempStatBuf;
++ if ( lstat(temp.mb_str(), &tempStatBuf) != 0 ) {
++ temp.clear();
++ }
++ else {
++ if ( geteuid() != tempStatBuf.st_uid ) {
++ temp.clear();
++ }
++ }
++
+ if (temp == wxT("")) {
+ // Failed
+ wxMessageBox(_("Audacity could not find a place to store temporary files.\nPlease enter an appropriate directory in the preferences dialog."));
diff --git a/audacity-1.3.2-libmp3lame-default.patch b/audacity-1.3.2-libmp3lame-default.patch
new file mode 100644
index 0000000..687d983
--- /dev/null
+++ b/audacity-1.3.2-libmp3lame-default.patch
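Review bot: The ownership check added in the second inner hunk of audacity-1.3.2-CVE-2007-6061.patch compares only `st_uid`, so a directory the user owns but that is group- or world-writable is still accepted, and other local users could keep placing files in it. Extending the second test to `if ( geteuid() != tempStatBuf.st_uid || (tempStatBuf.st_mode & (S_IWGRP | S_IWOTH)) )` would close that gap. Both `wxMkdir(..., 0755)` calls also create the directory readable by everyone; `0700` would keep other accounts from listing or reading the temporary audio data. A short comment above the check saying why `lstat` rather than `stat` is used (the owner of a symlink itself is what gets compared) would help the next maintainer. The enclosing function and the includes for `lstat`/`geteuid` lie outside the hunk, so they are presumably provided elsewhere in AudacityApp.cpp.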
@@ -0,0 +1,12 @@ +diff -Nur audacity-src-1.3.2-beta-orig/src/AudacityApp.cpp audacity-src-1.3.2-beta/src/AudacityApp.cpp +--- audacity-src-1.3.2-beta-orig/src/AudacityApp.cpp 2006-10-29 01:05:26.000000000 +0200 ++++ audacity-src-1.3.2-beta/src/AudacityApp.cpp 2007-02-20 01:02:49.000000000 +0100 +@@ -509,6 +509,8 @@ + return false; + } + ++ gPrefs->Write(wxT("/MP3/MP3LibPath"),wxT("__RPM_LIBDIR__/libmp3lame.so.0")); ++ + // More initialization + InitCleanSpeech(); + diff --git a/audacity-1.3.4-libdir.patch b/audacity-1.3.4-libdir.patch index 464589d..2744688 100644 --- a/audacity-1.3.4-libdir.patch +++ b/audacity-1.3.4-libdir.patch @@ -12,15 +12,3 @@ diff -Nur audacity-src-1.3.4-beta-orig/src/effects/ladspa/LoadLadspa.cpp audacit #endif #ifdef __WXMAC__ -diff -Nur audacity-src-1.3.4-beta-orig/src/export/ExportMP3.cpp audacity-src-1.3.4-beta/src/export/ExportMP3.cpp ---- audacity-src-1.3.4-beta-orig/src/export/ExportMP3.cpp 2008-01-23 18:32:52.000000000 +0100 -+++ audacity-src-1.3.4-beta/src/export/ExportMP3.cpp 2008-03-21 23:21:00.000000000 +0100 -@@ -1552,7 +1552,7 @@ - - wxString GetLibraryPath() - { -- return wxT("/usr/lib"); -+ return wxT("__RPM_LIBDIR__"); - } - - wxString GetLibraryName() diff --git a/audacity-1.3.4-libmp3lame-default.patch b/audacity-1.3.4-libmp3lame-default.patch new file mode 100644 index 0000000..b53eed0 --- /dev/null +++ b/audacity-1.3.4-libmp3lame-default.patch @@ -0,0 +1,12 @@ +diff -Nur audacity-src-1.3.4-beta-orig/src/AudacityApp.cpp audacity-src-1.3.4-beta/src/AudacityApp.cpp +--- audacity-src-1.3.4-beta-orig/src/AudacityApp.cpp 2008-01-23 18:32:52.000000000 +0100 ++++ audacity-src-1.3.4-beta/src/AudacityApp.cpp 2008-04-12 16:40:33.000000000 +0200 +@@ -726,6 +726,8 @@ + return false; + } + ++ gPrefs->Write(wxT("/MP3/MP3LibPath"),wxT("__RPM_LIBDIR__/libmp3lame.so.0")); ++ + // More initialization + InitCleanSpeech(); + diff --git a/audacity.spec b/audacity.spec index 8a4a1f6..d53b753 100644 --- a/audacity.spec +++ b/audacity.spec 
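Review bot: The added `gPrefs->Write(wxT("/MP3/MP3LibPath"), ...)` runs unconditionally in the startup path, so it appears to replace whatever library path the user saved in preferences on every launch rather than only supplying a default. If a default is what is wanted, guard it, e.g. `if (!gPrefs->HasEntry(wxT("/MP3/MP3LibPath")))` before the write (assuming `gPrefs` is a wxConfig object, which the hunk does not show). If pinning the loader to the system libdir is deliberate, a one-line comment such as `// Always load libmp3lame from the packaged libdir, ignoring any saved path` would record that. The same line is added by audacity-1.3.4-libmp3lame-default.patch further along this line, and in both cases the enclosing function starts and ends outside the hunk.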
@@ -1,17 +1,21 @@ +# TODO: +# - check upstream multi-lib changes +# - check upstream libmp3lame.so.0 rename + # Compile options: # --with mp3 : enable mp3 support Name: audacity -Version: 1.3.4 -Release: 0.5.20080123cvs%{?dist} +Version: 1.3.5 +Release: 0.1.rc3.20080505cvs%{?dist} Summary: Multitrack audio editor Group: Applications/Multimedia License: GPLv2 URL: http://audacity.sourceforge.net -# for post 1.3.4-beta snapshot +# for cvs 1.3.5-rc3 snapshot # cvs -d:pserver:anonymous@audacity.cvs.sourceforge.net:/cvsroot/audacity checkout audacity -Source0: audacity-1.3.4-20080123cvs.tar.bz2 +Source0: audacity-src-1.3.5-rc3.tar.bz2 Source1: audacity.png Source2: audacity.desktop @@ -19,6 +23,7 @@ Patch1: audacity-1.3.4-languages.patch Patch2: audacity-1.3.4-expat2.patch Patch3: audacity-1.3.4-libdir.patch Patch4: audacity-1.3.4-gcc43.patch +Patch5: audacity-1.3.4-libmp3lame-default.patch # for 1.3.2-beta Source100: http://downloads.sf.net/sourceforge/audacity/audacity-src-1.3.2.tar.gz @@ -38,6 +43,8 @@ Patch109: audacity-1.3.2-libdir.patch Patch110: audacity-1.3.2-jack-api-109.patch Patch111: audacity-1.3.2-soundtouch-cxxflags.patch Patch112: audacity-1.3.2-allegro-cflags.patch +Patch113: audacity-1.3.2-libmp3lame-default.patch +Patch114: audacity-1.3.2-CVE-2007-6061.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: alsa-lib-devel @@ -82,12 +89,14 @@ Linux/*BSD, MacOS, and Windows. ### 1.3.4-beta ### -cd audacity-src-1.3.4-beta +cd audacity-src-1.3.5-rc3 %patch1 -p1 -b .languages %patch2 -p1 -b .expat2 + # Substitute hardcoded library paths. %patch3 -p1 -for i in src/effects/ladspa/LoadLadspa.cpp src/export/ExportMP3.cpp +%patch5 -p1 +for i in src/effects/ladspa/LoadLadspa.cpp src/export/ExportMP3.cpp src/AudacityApp.cpp do sed -i -e 's!__RPM_LIBDIR__!%{_libdir}!g' $i sed -i -e 's!__RPM_LIB__!%{_lib}!g' $i 
@@ -118,9 +127,11 @@ cd audacity-src-1.3.2-beta %patch106 -p1 -b .FLAC %patch107 -p1 -b .expat2 %patch108 -p1 -b .gcc43 + # Substitute hardcoded library paths. %patch109 -p1 -for i in src/effects/ladspa/LoadLadspa.cpp src/export/ExportMP3.cpp +%patch113 -p1 +for i in src/effects/ladspa/LoadLadspa.cpp src/export/ExportMP3.cpp src/AudacityApp.cpp do sed -i -e 's!__RPM_LIBDIR__!%{_libdir}!g' $i sed -i -e 's!__RPM_LIB__!%{_lib}!g' $i @@ -128,10 +139,13 @@ done grep -q -s __RPM_LIB * -R && exit 1 # F9 devel only +%if 0%{?fedora} > 8 %patch110 -p1 -b .jack-api +%endif %patch111 -p1 -b .soundtouch-cxxflags %patch112 -p1 -b .allegro-cflags +%patch114 -p1 -b .CVE-2007-6061 # Substitute occurences of "libmp3lame.so" with "libmp3lame.so.0". for i in help/wxhelp/audacity.hhk help/wxhelp/exportmp3.htm locale/*.po src/export/ExportMP3.cpp @@ -150,7 +164,7 @@ cd - %build -cd audacity-src-1.3.4-beta +cd audacity-src-1.3.5-rc3 %configure \ --with-help \ --with-libsndfile=system \ @@ -191,7 +205,7 @@ rm -rf ${RPM_BUILD_ROOT} mkdir -p $RPM_BUILD_ROOT%{_datadir}/pixmaps cp %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/pixmaps -cd audacity-src-1.3.4-beta +cd audacity-src-1.3.5-rc3 make DESTDIR=${RPM_BUILD_ROOT} install cd - %{find_lang} %{name} @@ -239,6 +253,16 @@ umask 022 %changelog +* Mon May 5 2008 Michael Schwendt - 1.3.5-0.1.rc3.20080505cvs +- update to 1.3.5-rc3 cvs snapshot +- ExportMP3.cpp libdir patch obsolete + +* Sat May 3 2008 Michael Schwendt - 1.3.4-0.7.20080123cvs +- check ownership of temporary files directory (#436260) (CVE-2007-6061) + +* Sat Apr 12 2008 Michael Schwendt - 1.3.4-0.6.20080123cvs +- set a default location for libmp3lame.so.0 again + * Fri Mar 21 2008 Michael Schwendt - 1.3.4-0.5.20080123cvs - package the old 1.3.2-beta and a post 1.3.4-beta snapshot in the same package -- users may stick to the older one, but please help diff --git a/sources b/sources index 9286f83..6c0e743 100644 --- a/sources +++ b/sources 
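Review bot: `%patch114 -p1 -b .CVE-2007-6061` is applied only in the audacity-src-1.3.2-beta section; the audacity-src-1.3.5-rc3 section touched elsewhere in this diff gains `%patch5` but no counterpart of the temporary-directory ownership check. Whether the rc3 snapshot already contains an upstream fix cannot be seen from this diff, so it should be verified and recorded next to the patch list, for example `# CVE-2007-6061: 1.3.5-rc3 tree checked, fix is upstream` or a ported Patch6 if it is not. Without that, the same package would ship one patched and one unpatched binary.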
@@ -1,2 +1,2 @@
-65868316707d7229c8a03e7adf684bf5 audacity-1.3.4-20080123cvs.tar.bz2
 bf63673140254f1283dfd55b61ff2422 audacity-src-1.3.2.tar.gz
+2526e8953fee56cf09f7c8cdf2262dde audacity-src-1.3.5-rc3.tar.bz2