buildroot/package/mpg123, branch 2019.02-op-build

package/mpg123: security bump to version 1.25.10

2018-06-10T12:14:34+00:00

Version 1.25.4 fixes CVE-2017-9545, for details see release notes: http://www.mpg123.org/cgi-bin/news.cgi Added upstream hashes. Signed-off-by: Bernd Kuhls Signed-off-by: Thomas Petazzoni

package/*/Config.in: fix help text check-package warnings

2017-12-18T08:22:54+00:00

This commit fixes the warnings reported by check-package on the help text of all package Config.in files, related to the formatting of the help text: should start with a tab, then 2 spaces, then at most 62 characters. The vast majority of warnings fixed were caused by too long lines. A few warnings were related to spaces being used instead of a tab to indent the help text. Signed-off-by: Thomas Petazzoni

mpg123: security bump to version 1.25.2

2017-07-11T19:31:07+00:00

>From the release notes: - Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to trigger the read overflow. Note: This one goes on record as CVE-2017-11126, calling remote denial of service. While the accesses are out of bounds for the pow tables, they still are safely within libmpg123's memory (other static tables). Just wrong values are used for computation, no actual crash unless you use something like GCC's AddressSanitizer, nor any information disclosure. - Avoid left-shifts of negative integers in layer I decoding. While we're at it, add a hash for the license file. Signed-off-by: Peter Korsgaard

mpg123: security bump to version 1.25.1

2017-07-03T19:59:51+00:00

>From the release notes: - Avoid memset(NULL, 0, 0) to calm down the paranoid. - Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683. https://sourceforge.net/p/mpg123/bugs/252/ - Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet. - Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting. dlopen() is now directly used to load output modules (and the --with-modules-suffix option has been removed), so adjust the modules logic to match. Signed-off-by: Peter Korsgaard

boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+

2017-04-01T13:18:10+00:00

We want to use SPDX identifier for license string as much as possible. SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g' Signed-off-by: Rahul Bedarkar Signed-off-by: Thomas Petazzoni

mpg123: security bump to version 1.23.8

2016-09-27T14:59:40+00:00

Fixes an out-of-bounds memory read in the ID3v2 parser for tags that claim an unrealistically small length. This crashes mpg123 or any application using libmpg123 with activated ID3v2 parsing. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard

mpg123: bump to version 1.23.7

2016-09-25T21:13:30+00:00

Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni

mpg123: bump to version 1.23.6

2016-06-30T22:01:34+00:00

Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni

mpg123: bump to version 1.23.5

2016-06-26T20:25:02+00:00

Drop upstreamed patch and related autoreconf. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni

Merge branch 'next'

2016-06-01T15:55:16+00:00

Signed-off-by: Peter Korsgaard