[Buildroot] [PATCH] mpg123: security bump to version 1.25.1
Peter Korsgaard
peter at korsgaard.com
Mon Jul 3 20:00:34 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> From the release notes:
> - Avoid memset(NULL, 0, 0) to calm down the paranoid.
> - Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
> offset from the frame flag bytes (unnoticed in practice for a long time).
> Fuzzers are in the house again. This one got CVE-2017-10683.
> https://sourceforge.net/p/mpg123/bugs/252/
> - Avoid a mostly harmless conditional jump depending on uninitialised
> fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
> - Fix undefined shifts on signed long mask in layer3.c (worked in practice,
> never right in theory). Code might be a bit faster now, even. Thanks to
> Agostino Sarubbo for reporting.
> dlopen() is now directly used to load output modules (and the
> --with-modules-suffix option has been removed), so adjust the modules logic
> to match.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard