2018-01-13 - Ron Lee <email@example.com>
mp3splt (2.6.2+20170630-3) unstable; urgency=medium
* Drop support for things that are deprecated and/or unmaintained in GNOME:
scrollkeeper was obsoleted by rarian, which in turn is also obsoleted now.
The build dependency on libgnomeui-dev appears to have been spurious, as
the only "gnome integration" used here is the documentation - so drop it
too because its maintainers want to remove that for the Buster release.
Closes: #885757, #885758
2017-09-27 - Ron Lee <firstname.lastname@example.org>
mp3splt (2.6.2+20170630-2) unstable; urgency=medium
* Properly zero the ogg and vorbis state structures after they are malloc'd.
This fixes the second issue that was indicated in CVE-2017-11333, which
isn't actually the fault of libvorbis. It's caused by the libmp3splt ogg
plugin unwinding when the error in the test file is detected, and calling
vorbis_block_clear() on an uninitialised vorbis_block struct before the
call to vorbis_block_init() occurs. Similar things would go badly for the
other uninitialised structs if this one didn't explode first.
Update: This actually fixes CVE-2017-11735, not CVE-2017-11333 mentioned
above. There were two separate issues in the original bug report, but
I missed that they were assigned separate CVEs after reading the report
via the reference from CVE-2017-11333. Thanks to Guido Günther for
noting that they were distinct and querying which one this really fixed.
Also CVE-2017-11735 has now been REJECTED, replaced by CVE-2017-15185
which correctly attributes this issue to mp3splt not libvorbis.
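
The failure mode described in the 2.6.2+20170630-2 entry above, as an added example that is not code from mp3splt or libvorbis: an error path that unconditionally clears a struct inside a freshly malloc'd state, shown with and without zeroing. All names (`block_t`, `plugin_state`, `block_init`, `block_clear`, `unwind_frees_garbage`) are hypothetical stand-ins, the header check is simplified, and the 0xA5 fill is a constructed substitute for stale heap contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a codec struct: clear() frees what init() set up. */
typedef struct { void *store; } block_t;
typedef struct { block_t vb; } plugin_state;

static void block_init(block_t *b) { b->store = malloc(32); }

/* Returns the pointer clear() would hand to free(); NULL means nothing to do. */
static void *block_clear(block_t *b) {
    void *p = b->store;
    b->store = NULL;
    return p;
}

/* Returns 1 if the unwind path would free() a pointer init() never produced.
 * zero_state selects the fixed behaviour (state zeroed right after malloc). */
int unwind_frees_garbage(const char *header, int zero_state) {
    int inited = 0, bad = 0;               /* instrumentation for the demo only */
    plugin_state *st = malloc(sizeof *st);
    if (!st) return -1;
    /* Constructed poison standing in for stale heap contents; reading truly
     * uninitialised memory would be undefined and non-deterministic. */
    memset(st, 0xA5, sizeof *st);
    if (zero_state) memset(st, 0, sizeof *st);

    if (memcmp(header, "OggS", 4) != 0)    /* error detected before init */
        goto unwind;
    block_init(&st->vb);
    inited = 1;

unwind: {
        void *p = block_clear(&st->vb);    /* unconditional, as in the bug */
        if (p && inited) free(p);          /* legitimate release */
        else if (p) bad = 1;               /* real code would free(garbage) here */
    }
    free(st);
    return bad;
}

int main(void) {
    printf("malloc only, bad file: %d\n", unwind_frees_garbage("JUNK", 0));
    printf("zeroed,      bad file: %d\n", unwind_frees_garbage("JUNK", 1));
    printf("zeroed,     good file: %d\n", unwind_frees_garbage("OggS", 1));
    return 0;
}
```
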
2017-06-30 - Ron Lee <email@example.com>
mp3splt (2.6.2+20170630-1) unstable; urgency=medium
* Adopt this package now. I was prepared to do that with the 2.2.8 bugfixes
but ended up keeping them as a locally packaged version when there was one
more maintainer upload, three years after 2.2.5. But it's only been NMU'd
since then and was 'officially' orphaned in February, and nobody else had
picked it up or saved the mp3splt package from being removed for Stretch,
or the mp3splt-gtk package from being removed from unstable too. So let's
resurrect them based on the work I did with cleaning this up previously.
Closes: #856294, #856296, #777433
* Build with gtk3 and gstreamer 1.0 now. Include the FLAC plugin and PCRE
support. Enable gnome support.
* Fix some of the issues that stronger hardening options and the stricter
checking of new toolchain releases shook out.
2010-06-13 - Ron Lee <firstname.lastname@example.org>
mp3splt (2.2.8-1) unstable; urgency=low
* Prepare a new upstream release, primarily to fix #585614 in mp3splt-gtk,
and #536027 in mp3splt.
* Ok, scratch that thought. Entirely repackage the whole lot instead.
It's all in one source file now. The lib doesn't look like it keeps a
stable API or does soname management, but fortunately nothing except the
two apps from the same upstream actually need it. So make it internal
with no -dev exported, and build the whole lot in a single pass without
needing crazy hacks to look in local source dirs for a separate package.
2009-07-30 - Ryan Niebur <email@example.com>
mp3splt (2.2.6a-1) UNRELEASED; urgency=low
* move debian/rules to the libmp3splt-dev package
* regenerate debian/control against libmp3splt 0.5.7a-1, to get the
bumped build dep
* change build dependency on debhelper to 7.0.50 instead of 7.2
* standards version 3.8.3
* remove dep on libmp3splt-plugin, moved to libmp3splt0
* suggest mp3splt-gtk
* New Upstream Version
- fix -o option fails without any '@' variable (Closes: #536027)