From patchwork Tue Jul 11 10:28:57 2017
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 786541
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Tue, 11 Jul 2017 12:28:57 +0200
Message-Id: <20170711102857.24770-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH] mpg123: security bump to version 1.25.2
List-Id: Discussion and development of buildroot
Sender: "buildroot"

From the release notes:

- Extend pow tables for layer III to properly handle files with
  i-stereo and 5-bit scalefactors. Never observed them for real, just as
  fuzzed input to trigger the read overflow.
  Note: This one goes on record as CVE-2017-11126, calling remote denial
  of service. While the accesses are out of bounds for the pow tables,
  they still are safely within libmpg123's memory (other static tables).
  Just wrong values are used for computation, no actual crash unless you
  use something like GCC's AddressSanitizer, nor any information
  disclosure.
- Avoid left-shifts of negative integers in layer I decoding.

While we're at it, add a hash for the license file.

Signed-off-by: Peter Korsgaard
---
 package/mpg123/mpg123.hash | 5 ++++-
 package/mpg123/mpg123.mk   | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/package/mpg123/mpg123.hash b/package/mpg123/mpg123.hash index 69fbef36c2..cbab6f3ee9 100644 --- a/package/mpg123/mpg123.hash +++ b/package/mpg123/mpg123.hash @@ -1,2 +1,5 @@ # Locally calculated after checking pgp signature -sha256 0fe7270a4071367f97a7c1fb45fb2ef3cfef73509c205124e080ea569217b05f mpg123-1.25.1.tar.bz2 +sha256 5314b0fb8ad291bfc79ff4c5c321b971916819a65233ec065434358fcf8aee38 mpg123-1.25.2.tar.bz2 + +# License file +sha256 f40e0dd86b27b52e429b693a87b3ca63ae0a98a4d142e77207aa6bdf1db7a295 COPYING diff --git a/package/mpg123/mpg123.mk b/package/mpg123/mpg123.mk index 7fc6d7ab00..01923d7990 100644 
--- a/package/mpg123/mpg123.mk +++ b/package/mpg123/mpg123.mk @@ -4,7 +4,7 @@ # ################################################################################ -MPG123_VERSION = 1.25.1 +MPG123_VERSION = 1.25.2 MPG123_SOURCE = mpg123-$(MPG123_VERSION).tar.bz2 MPG123_SITE = http://downloads.sourceforge.net/project/mpg123/mpg123/$(MPG123_VERSION) MPG123_CONF_OPTS = --disable-lfs-alias
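Review bot: the comment kept at the top of mpg123.hash, "# Locally calculated after checking pgp signature", says a signature was checked but not which key signed mpg123-1.25.2.tar.bz2 or where the .sig came from; consider extending that comment with the signing key fingerprint (or the signature URL) so the next bump can repeat the check instead of trusting the previous one. The added "# License file" and "sha256 ... COPYING" lines are fine as they stand: COPYING comes out of the already-verified tarball, so its hash only pins the license text, which is exactly what the Buildroot legal-info check wants.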
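Review bot: MPG123_SITE, visible in the unchanged context of the mpg123.mk hunk, still fetches from http://downloads.sourceforge.net/project/mpg123/mpg123/$(MPG123_VERSION), so the 1.25.2 tarball travels in the clear. The locally calculated sha256 in mpg123.hash already rejects anything but the expected bytes, so the remaining exposure is denial (a dropped or redirected download) rather than integrity, but switching the site to https is a one-line change that fits naturally in a security bump like this one.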
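The hash file touched by this patch is consumed line by line: a `#` comment, then `sha256 <hexdigest> <filename>` entries, one for the tarball and one for the extracted license file. The script below is an added, stand-alone example of verifying files against that format; it is not Buildroot's own support/download/check-hash script and not part of this patch. It assumes a coreutils-compatible `sha256sum` on PATH, and the sample tree it builds (a made-up COPYING text, a matching hash file, a tampered one and one naming an absent tarball) is constructed for the demo, not taken from the real mpg123 release.

```shell
#!/bin/sh
# Added example, not Buildroot's own support/download/check-hash script.
# Verifies files against a Buildroot-style .hash file whose lines look like
#   sha256 <hexdigest> <filename>
# with '#' comment lines and blank lines ignored.
# Assumption: a coreutils-compatible sha256sum is on PATH.

# check_hash_file HASHFILE DIR
# Exit status: 0 when every sha256 line matches the file of that name under DIR;
# 1 on any mismatch or missing file; 2 when only an unsupported algorithm was
# seen (a mismatch elsewhere still wins and gives 1); 3 when sha256sum is absent.
check_hash_file() {
    hashfile=$1
    dir=$2
    status=0
    command -v sha256sum >/dev/null 2>&1 || { echo "sha256sum not found" >&2; return 3; }
    # '|| [ -n "$line" ]' also processes a final line lacking a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'') continue ;;          # comment or blank line
        esac
        set -- $line                      # word-split into algo, digest, name
        algo=$1; want=$2; name=$3
        if [ "$algo" != sha256 ]; then
            echo "UNSUPPORTED $algo for $name" >&2
            [ "$status" -eq 0 ] && status=2
            continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2
            status=1
            continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "FAIL    $name: expected $want, got $got" >&2
            status=1
        fi
    done < "$hashfile"
    return $status
}

# make_fixture: builds a constructed sample tree (not real mpg123 files) and
# prints its path. It holds a COPYING file, a matching good.hash, a
# tampered.hash carrying a wrong digest, and a missing.hash naming an absent
# tarball.
make_fixture() {
    d=$(mktemp -d)
    printf 'constructed sample license text, not the real COPYING\n' > "$d/COPYING"
    digest=$(sha256sum "$d/COPYING" | cut -d' ' -f1)
    printf '# License file\nsha256 %s COPYING\n' "$digest" > "$d/good.hash"
    printf 'sha256 %s COPYING\n' \
        0000000000000000000000000000000000000000000000000000000000000000 > "$d/tampered.hash"
    printf 'sha256 %s mpg123-1.25.2.tar.bz2\n' "$digest" > "$d/missing.hash"
    echo "$d"
}

# Stand-alone demo: good.hash verifies, the other two are rejected.
fixture=$(make_fixture)
for h in good tampered missing; do
    rc=0
    check_hash_file "$fixture/$h.hash" "$fixture" || rc=$?
    echo "$h.hash -> status $rc"
done
rm -rf "$fixture"
```

The checker deliberately keeps going after the first failure so a bump that touches several files reports every bad line at once, and it refuses rather than skips algorithms it does not know, since silently ignoring an entry would turn a typo in the algorithm name into an unverified download.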