libmad: add security patch from debian

Fixes:

CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
denial of service (assertion failure and application exit) via a crafted
audio file.

CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted audio file.

CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad
0.15.1b allows remote attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted audio file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/libmad/libmad.hash b/package/libmad/libmad.hash
index 1e555568feb9113c7f4aa36ff9e5c583fc5f3b99..173399f7ff97829a6dbc1e86b2cc1954f8555d60 100644 (file)
--- a/package/libmad/libmad.hash
+++ b/package/libmad/libmad.hash
@@ -1,2 +1,3 @@
 # Locally computed:
 sha256  bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690  libmad-0.15.1b.tar.gz
+sha256  0e21f2c6b19337d0b237dacc04f7b90a56be7f359f4c9a2ee0b202d9af0cfa69  frame_length.diff

diff --git a/package/libmad/libmad.mk b/package/libmad/libmad.mk
index 0bb64da2f785b41c98867750fd08b004f330aafb..0729b1e6d44b91f2e19a86e4fb55f6edba1b4f2a 100644 (file)
--- a/package/libmad/libmad.mk
+++ b/package/libmad/libmad.mk
@@ -10,6 +10,8 @@ LIBMAD_INSTALL_STAGING = YES
 LIBMAD_LIBTOOL_PATCH = NO
 LIBMAD_LICENSE = GPL-2.0+
 LIBMAD_LICENSE_FILES = COPYING
+LIBMAD_PATCH = \
+       https://sources.debian.net/data/main/libm/libmad/0.15.1b-8/debian/patches/frame_length.diff
 
 define LIBMAD_PREVENT_AUTOMAKE
        # Prevent automake from running.