
libmad: add security patch from debian

Message ID 20170704084211.8696-1-peter@korsgaard.com
State Accepted
Commit 6369a06150b9a2991807c0418a7f0a865ef6c084

Commit Message

Peter Korsgaard July 4, 2017, 8:42 a.m. UTC
Fixes:

CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
denial of service (assertion failure and application exit) via a crafted
audio file.

CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted audio file.

CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad
0.15.1b allows remote attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted audio file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libmad/libmad.hash | 1 +
 package/libmad/libmad.mk   | 2 ++
 2 files changed, 3 insertions(+)
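The three CVEs above share one root cause: a length taken from the audio stream is used to advance libmad's bit pointer without checking it against the end of the input buffer. The following is an added illustration written for this page; it is not libmad's code, not the Debian frame_length.diff, and the toy frame layout is not the MPEG frame format. It puts a skip shaped like mad_bit_skip() (advance by a bit count, no knowledge of where the buffer ends) beside a bounds-checked one and drives both with a constructed frame whose header-supplied block length is attacker-controlled. The names br_*, decode_toy_frame and the toy layout are assumptions for this page.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative bit reader (assumption for this page; not libmad's struct
 * mad_bitptr). It tracks an offset plus the buffer length so that a skip can
 * be refused before the cursor leaves the allocation. */
struct bitreader {
    const uint8_t *buf;
    size_t len;      /* buffer size in bytes */
    size_t pos;      /* index of the current byte */
    unsigned left;   /* unread bits in buf[pos], 1..CHAR_BIT */
};

void br_init(struct bitreader *br, const uint8_t *buf, size_t len)
{
    br->buf = buf;
    br->len = len;
    br->pos = 0;
    br->left = CHAR_BIT;
}

/* Bits between the cursor and the end of the buffer. */
size_t br_remaining(const struct bitreader *br)
{
    if (br->pos >= br->len)
        return 0;
    return (br->len - br->pos - 1) * CHAR_BIT + br->left;
}

/* Skip in the style of mad_bit_skip(): advance len bits with no reference to
 * the buffer end. A stream-supplied len leaves pos past len, and whatever next
 * dereferences the cursor reads outside the buffer (a heap over-read when the
 * input sits in a heap allocation). Only offsets are moved here, so the demo
 * itself never touches memory it does not own. */
void br_skip_unchecked(struct bitreader *br, unsigned len)
{
    unsigned rem = len % CHAR_BIT;
    br->pos += len / CHAR_BIT;
    if (rem >= br->left) {            /* crossing into the next byte */
        br->pos++;
        br->left += CHAR_BIT - rem;
    } else {
        br->left -= rem;
    }
}

/* Hardened skip: refuse, leaving the reader untouched, when len exceeds the
 * bits left. Returns 0 on success, -1 on refusal. */
int br_skip_checked(struct bitreader *br, unsigned len)
{
    if (len > br_remaining(br))
        return -1;
    br_skip_unchecked(br, len);
    return 0;
}

/* Byte under the cursor, or -1 rather than reading beyond the buffer. */
int br_peek_byte(const struct bitreader *br)
{
    return br->pos < br->len ? br->buf[br->pos] : -1;
}

/* Constructed toy layout (assumption; NOT an MPEG frame): byte 0 is the length
 * in bytes of a block the decoder skips over, then the block, then payload.
 * Returns the first payload byte, or -1 if there is none or the claimed length
 * is rejected. `checked` selects the hardened skip; *overrun receives how many
 * bytes past the last valid byte the cursor ended up (0 when in bounds). */
int decode_toy_frame(const uint8_t *frame, size_t len, int checked, size_t *overrun)
{
    struct bitreader br;
    *overrun = 0;
    if (len == 0)
        return -1;
    br_init(&br, frame, len);
    unsigned block_len = frame[0];                  /* attacker-controlled */
    br_skip_unchecked(&br, CHAR_BIT);               /* the length byte itself; fits since len >= 1 */
    if (checked) {
        if (br_skip_checked(&br, block_len * CHAR_BIT) != 0)
            return -1;                              /* crafted length refused */
    } else {
        br_skip_unchecked(&br, block_len * CHAR_BIT);
        if (br.pos >= br.len)
            *overrun = br.pos - br.len + 1;
    }
    return br_peek_byte(&br);
}

int main(void)
{
    /* Constructed inputs: a sane frame and one whose length byte (0x40 = 64)
     * claims far more side data than the 5-byte buffer holds. */
    static const uint8_t sane[5]    = {0x03, 0xAA, 0xBB, 0xCC, 0xDD};
    static const uint8_t crafted[5] = {0x40, 0xAA, 0xBB, 0xCC, 0xDD};
    size_t overrun;
    printf("sane, checked:      payload=%d overrun=%zu\n",
           decode_toy_frame(sane, sizeof sane, 1, &overrun), overrun);
    printf("crafted, unchecked: payload=%d overrun=%zu\n",
           decode_toy_frame(crafted, sizeof crafted, 0, &overrun), overrun);
    printf("crafted, checked:   payload=%d overrun=%zu\n",
           decode_toy_frame(crafted, sizeof crafted, 1, &overrun), overrun);
    return 0;
}
```

The check is done in bits against br_remaining() before the cursor moves, so a rejected length leaves the reader where it was and the caller can abort the frame cleanly instead of relying on an assert() that disappears under NDEBUG (the CVE-2017-8372 failure mode) or on the read that follows the skip (CVE-2017-8374).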

Comments

Peter Korsgaard July 4, 2017, 12:23 p.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes:
 > CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD
 > libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
 > denial of service (assertion failure and application exit) via a crafted
 > audio file.

 > CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD
 > libmad 0.15.1b allows remote attackers to cause a denial of service
 > (heap-based buffer overflow and application crash) or possibly have
 > unspecified other impact via a crafted audio file.

 > CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad
 > 0.15.1b allows remote attackers to cause a denial of service (heap-based
 > buffer over-read and application crash) via a crafted audio file.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
Peter Korsgaard July 4, 2017, 3:51 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes:
 > CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD
 > libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
 > denial of service (assertion failure and application exit) via a crafted
 > audio file.

 > CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD
 > libmad 0.15.1b allows remote attackers to cause a denial of service
 > (heap-based buffer overflow and application crash) or possibly have
 > unspecified other impact via a crafted audio file.

 > CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad
 > 0.15.1b allows remote attackers to cause a denial of service (heap-based
 > buffer over-read and application crash) via a crafted audio file.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.02.x and 2017.05.x, thanks.

Patch

diff --git a/package/libmad/libmad.hash b/package/libmad/libmad.hash
index 1e555568fe..173399f7ff 100644
--- a/package/libmad/libmad.hash
+++ b/package/libmad/libmad.hash
@@ -1,2 +1,3 @@ 
 # Locally computed:
 sha256  bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690  libmad-0.15.1b.tar.gz
+sha256  0e21f2c6b19337d0b237dacc04f7b90a56be7f359f4c9a2ee0b202d9af0cfa69  frame_length.diff
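Review bot: the sha256 for frame_length.diff is added under the existing "# Locally computed:" comment, which is the honest label since the Debian source site publishes no checksum for the patch, but it also means the pin only proves the file matches what was downloaded once; note in the commit message (or a short comment above this line) that the value was computed from the 0.15.1b-8 revision the libmad.mk URL points at, so a later bump of that URL is paired with a recomputed hash rather than a puzzling mismatch.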
diff --git a/package/libmad/libmad.mk b/package/libmad/libmad.mk
index 0bb64da2f7..0729b1e6d4 100644
--- a/package/libmad/libmad.mk
+++ b/package/libmad/libmad.mk
@@ -10,6 +10,8 @@  LIBMAD_INSTALL_STAGING = YES
 LIBMAD_LIBTOOL_PATCH = NO
 LIBMAD_LICENSE = GPL-2.0+
 LIBMAD_LICENSE_FILES = COPYING
+LIBMAD_PATCH = \
+	https://sources.debian.net/data/main/libm/libmad/0.15.1b-8/debian/patches/frame_length.diff
 
 define LIBMAD_PREVENT_AUTOMAKE
 	# Prevent automake from running.
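Review bot: the commit message lists three CVEs but this hunk pulls in a single Debian patch, frame_length.diff; a one-line statement in the commit message that this one patch is Debian's fix for all three would save the next reader from looking for two more, and the package revision in the URL should stay pinned to 0.15.1b-8 as written here rather than a floating path, since the sha256 recorded in libmad.hash only matches that exact file.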