git.libre-soc.org Git - buildroot.git/commit

author	Jörg Krause <joerg.krause@embedded.rocks>
	Sun, 11 Aug 2019 09:41:11 +0000 (11:41 +0200)
committer	Thomas Petazzoni <thomas.petazzoni@bootlin.com>
	Sun, 11 Aug 2019 12:17:28 +0000 (14:17 +0200)
commit	7291360fd8fa5ca63e7a304fa6e1e75f4ea99258
tree	55ee859f15d23a1539325be2b0aa133007f657cf	tree
parent	a565917046fee3a45180c132f311d1d573536eef	commit \| diff

package/mpg123: security bump to version 1.25.11

>From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:
* Fix out-of-bounds reads in ID3 parser for unsynced frames.
   (oss-fuzz-bug 15852)
* Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
   (oss-fuzz-bug 15852)
* Fix implementation-defined parsing of RVA2 values.
   (oss-fuzz-bug 15862)
* Fix undefined parsing of APE header for skipping. Also prevent endless loop
   on premature end of supposed APE header. (oss-fuzz-bug 15864)
* Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in
supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
or, more likely, a security mechanism like the sanitizer instrumentation that
enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
Just update, will you?

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/mpg123/mpg123.hash		diff \| blob \| history
package/mpg123/mpg123.mk		diff \| blob \| history