From patchwork Sun Aug 11 09:41:11 2019
X-Patchwork-Submitter: Jörg Krause
X-Patchwork-Id: 1145265
From: Jörg Krause
To: buildroot@buildroot.org
Date: Sun, 11 Aug 2019 11:41:11 +0200
Message-Id: <20190811094111.11814-1-joerg.krause@embedded.rocks>
Subject: [Buildroot] [PATCH] package/mpg123: security bump to version 1.25.11

From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:

 * Fix out-of-bounds reads in ID3 parser for unsynced frames. (oss-fuzz-bug 15852)
 * Fix out-of-bounds read for RVA2 frames with non-delimited identifier. (oss-fuzz-bug 15852)
 * Fix implementation-defined parsing of RVA2 values. (oss-fuzz-bug 15862)
 * Fix undefined parsing of APE header for skipping. Also prevent endless loop on premature end of supposed APE header. (oss-fuzz-bug 15864)
 * Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS or, more likely, a security mechanism like the sanitizer instrumentation that enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them. Just update, will you?

Signed-off-by: Jörg Krause
---
 package/mpg123/mpg123.hash | 8 ++++----
 package/mpg123/mpg123.mk | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/mpg123/mpg123.hash b/package/mpg123/mpg123.hash index 22db5bca3c..687662b4cf 100644 --- a/package/mpg123/mpg123.hash +++ b/package/mpg123/mpg123.hash 
@@ -1,7 +1,7 @@ -# From https://sourceforge.net/projects/mpg123/files/mpg123/1.25.10/ -sha1 604784ddbcfe282bffdc595d1d45c677c7cf381f mpg123-1.25.10.tar.bz2 -md5 ea32caa61d41d8be797f0b04a1b43ad9 mpg123-1.25.10.tar.bz2 +# From https://sourceforge.net/projects/mpg123/files/mpg123/1.25.11/ +sha1 25f3e8f8599d3ffc480858799ea6f8620f48543d mpg123-1.25.11.tar.bz2 +md5 64749512a6fdc117227abe13fee4cc36 mpg123-1.25.11.tar.bz2 # Locally calculated -sha256 6c1337aee2e4bf993299851c70b7db11faec785303cfca3a5c3eb5f329ba7023 mpg123-1.25.10.tar.bz2 +sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 mpg123-1.25.11.tar.bz2 # License file sha256 f40e0dd86b27b52e429b693a87b3ca63ae0a98a4d142e77207aa6bdf1db7a295 COPYING diff --git a/package/mpg123/mpg123.mk b/package/mpg123/mpg123.mk index dd2d39d978..9cac5fe722 100644 --- a/package/mpg123/mpg123.mk +++ b/package/mpg123/mpg123.mk @@ -4,7 +4,7 @@ # ################################################################################ -MPG123_VERSION = 1.25.10 +MPG123_VERSION = 1.25.11 MPG123_SOURCE = mpg123-$(MPG123_VERSION).tar.bz2 MPG123_SITE = http://downloads.sourceforge.net/project/mpg123/mpg123/$(MPG123_VERSION) MPG123_CONF_OPTS = --disable-lfs-alias
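
Review bot: The new "Locally calculated" sha256 line in the mpg123.hash hunk looks wrong: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA-256 digest of empty input, so it was most likely computed over a zero-byte file (for example a failed download) rather than over mpg123-1.25.11.tar.bz2. With this entry the sha256 check cannot match the real tarball, and the strongest of the three hashes no longer protects the download. Please fetch the archive again, confirm it is non-empty, recompute the sha256, and check that the sha1 and md5 values copied from the SourceForge page match that same file.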
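
Review bot: In the mpg123.mk hunk the unchanged MPG123_SITE context line still points at http://downloads.sourceforge.net/..., so the tarball for this security bump is fetched over plain http and the entries in mpg123.hash are the only integrity check on it. The MPG123_VERSION change itself matches the file names in the hash hunk; consider switching the site URL to https in this patch or a follow-up, provided the mirror serves the same path over TLS.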