[Buildroot] [PATCH] mpg123: security bump to version 1.25.2
Peter Korsgaard
peter at korsgaard.com
Wed Jul 19 14:03:55 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> From the release notes:
>
> - Extend pow tables for layer III to properly handle files with i-stereo and
>   5-bit scalefactors. Never observed them for real, just as fuzzed input to
>   trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
>   calling remote denial of service. While the accesses are out of bounds for
>   the pow tables, they still are safely within libmpg123's memory (other
>   static tables). Just wrong values are used for computation, no actual crash
>   unless you use something like GCC's AddressSanitizer, nor any information
>   disclosure.
> - Avoid left-shifts of negative integers in layer I decoding.
>
> While we're at it, add a hash for the license file.
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2017.02.x and 2017.05.x, thanks.
--
Bye, Peter Korsgaard