From 6369a06150b9a2991807c0418a7f0a865ef6c084 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 4 Jul 2017 10:42:11 +0200 Subject: [PATCH] libmad: add security patch from debian Fixes: CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted audio file. CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. Signed-off-by: Peter Korsgaard --- package/libmad/libmad.hash | 1 + package/libmad/libmad.mk | 2 ++ 2 files changed, 3 insertions(+) diff --git a/package/libmad/libmad.hash b/package/libmad/libmad.hash index 1e555568fe..173399f7ff 100644 --- a/package/libmad/libmad.hash +++ b/package/libmad/libmad.hash @@ -1,2 +1,3 @@ # Locally computed: sha256 bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690 libmad-0.15.1b.tar.gz +sha256 0e21f2c6b19337d0b237dacc04f7b90a56be7f359f4c9a2ee0b202d9af0cfa69 frame_length.diff diff --git a/package/libmad/libmad.mk b/package/libmad/libmad.mk index 0bb64da2f7..0729b1e6d4 100644 --- a/package/libmad/libmad.mk +++ b/package/libmad/libmad.mk @@ -10,6 +10,8 @@ LIBMAD_INSTALL_STAGING = YES LIBMAD_LIBTOOL_PATCH = NO LIBMAD_LICENSE = GPL-2.0+ LIBMAD_LICENSE_FILES = COPYING +LIBMAD_PATCH = \ + https://sources.debian.net/data/main/libm/libmad/0.15.1b-8/debian/patches/frame_length.diff define LIBMAD_PREVENT_AUTOMAKE # Prevent automake from running. -- 2.30.2