git.libre-soc.org Git - buildroot.git/commit

author	Fabrice Fontaine <fontaine.fabrice@gmail.com>
	Sun, 12 Apr 2020 10:18:44 +0000 (12:18 +0200)
committer	Yann E. MORIN <yann.morin.1998@free.fr>
	Sun, 12 Apr 2020 20:21:02 +0000 (22:21 +0200)
commit	210ccaef5784011bc035d0ae13611cb4e76f389f
tree	0c2f06759677ece0058c4da1ef26f2a3f2bced47	tree
parent	8b14f6b49b962d4d8f7135d85afa15658ea8f94b	commit \| diff

package/libid3tag: switch to debian to fix CVEs

Upstream libid3tag is dead since 2004 so switch to debian to get two
patches that fix the following CVEs:
- CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
   through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
   number of bytes, triggering an endless loop allocating memory until
   an OOM condition is reached, leading to denial-of-service (DoS).
- CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (NULL
   Pointer Dereference and application crash) via a crafted mp3 file.
- CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (OOM)
   via a crafted MP3 file.

Moreover, drop patch (replaced by add-m4-directory.patch debian patch)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libid3tag/0001-configure-automake-foreign.patch	[deleted file]	blob \| history
package/libid3tag/libid3tag.hash		diff \| blob \| history
package/libid3tag/libid3tag.mk		diff \| blob \| history