[Buildroot] [git commit branch/2025.08.x] package/shairport-sync: security bump version to 4.3.7

Arnout Vandecappelle arnout at rnout.be
Thu Oct 30 08:18:18 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=c75b49ad5cc692bc568092ec6ea006773ddb0767
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.08.x

Drop all the patches (already in version).  Works on Pi 4b and 0W.

https://github.com/mikebrady/shairport-sync/releases/tag/4.3.7

Since version 3.3.9, two upstream releases were marked as including
security fixes. No CVEs are referenced in those release notes.
https://github.com/mikebrady/shairport-sync/releases/tag/4.3
https://github.com/mikebrady/shairport-sync/releases/tag/4.3.1

Signed-off-by: Trammell Hudson <hudson at trmm.net>
[Julien: mark the commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 879c9f0fc60ca3036c1ec115904d9441bf9e72a2)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 ...figure.ac-find-sndfile-through-pkg-config.patch |  45 ---------
 .../0002-mbedtls-add-support-to-mbedtls3.patch     | 105 ---------------------
 package/shairport-sync/shairport-sync.hash         |   2 +-
 package/shairport-sync/shairport-sync.mk           |   2 +-
 4 files changed, 2 insertions(+), 152 deletions(-)

diff --git a/package/shairport-sync/0001-configure.ac-find-sndfile-through-pkg-config.patch b/package/shairport-sync/0001-configure.ac-find-sndfile-through-pkg-config.patch
deleted file mode 100644
index b593703a2a..0000000000
--- a/package/shairport-sync/0001-configure.ac-find-sndfile-through-pkg-config.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 900b1827c55cc6020b3242640075174c2e6b12a5 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice at gmail.com>
-Date: Wed, 4 Aug 2021 22:16:40 +0200
-Subject: [PATCH] configure.ac: find sndfile through pkg-config
-
-Find sndfile through pkg-config to retrieve sndfile dependencies such as
-flac and avoid the following static build failure:
-
-/tmp/instance-3/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: /tmp/instance-3/output-1/host/bin/../xtensa-buildroot-linux-uclibc/sysroot/usr/lib/libsndfile.a(libsndfile_la-flac.o): in function `flac_byterate':
-flac.c:(.text+0xfc): undefined reference to `FLAC__StreamDecoderErrorStatusString'
-
-Fixes:
- - http://autobuild.buildroot.org/results/92ed30a6855ca11800b779718822bcba4a69c9a3
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
-Upstream: https://github.com/mikebrady/shairport-sync/pull/1263
-[Dario: make the patch to be applied with fuzz factor 0]
-Signed-off-by: Dario Binacchi <dario.binacchi at amarulasolutions.com>
----
- configure.ac | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index f77087c5..9b982c51 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -303,7 +303,14 @@
- AC_ARG_WITH(convolution, [AS_HELP_STRING([--with-convolution],[choose audio DSP convolution support])])
- if test "x$with_convolution" = "xyes" ; then
-   AC_DEFINE([CONFIG_CONVOLUTION], 1, [Include audio DSP convolution support.])
--  AC_CHECK_LIB([sndfile], [sf_open], , AC_MSG_ERROR(Convolution support requires the sndfile library -- libsndfile1-dev suggested!))
-+  if  test "x${with_pkg_config}" = xyes ; then
-+    PKG_CHECK_MODULES(
-+      [sndfile], [sndfile],
-+      [CFLAGS="${sndfile_CFLAGS} ${CFLAGS}"
-+      LIBS="${sndfile_LIBS} ${LIBS}"], AC_MSG_ERROR(Convolution support requires the sndfile library -- libsndfile1-dev suggested!))
-+  else
-+    AC_CHECK_LIB([sndfile], [sf_open], , AC_MSG_ERROR(Convolution support requires the sndfile library -- libsndfile1-dev suggested!))
-+  fi
- fi
- AM_CONDITIONAL([USE_CONVOLUTION], [test "x$with_convolution" = "xyes"])
- 
--- 
-2.30.2
-
diff --git a/package/shairport-sync/0002-mbedtls-add-support-to-mbedtls3.patch b/package/shairport-sync/0002-mbedtls-add-support-to-mbedtls3.patch
deleted file mode 100644
index e0e8ea53de..0000000000
--- a/package/shairport-sync/0002-mbedtls-add-support-to-mbedtls3.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From d73b585c6f6d9136ae7a04243a54d734fa57d779 Mon Sep 17 00:00:00 2001
-From: Seo Suchan <tjtncks at gmail.com>
-Date: Thu, 9 May 2024 19:10:59 +0900
-Subject: [PATCH] mbedtls: add support to mbedtls3
-
-Signed-off-by: Seo Suchan <tjtncks at gmail.com>
-Upstream: https://github.com/mikebrady/shairport-sync/commit/d73b585c6f6d9136ae7a04243a54d734fa57d779
-[thomas: backport the line numbers]
-Signed-off-by: Thomas Perale <thomas.perale at mind.be>
----
- common.c | 30 ++++++++++++++++++++++++++----
- player.c |  1 -
- player.h |  1 -
- 3 files changed, 26 insertions(+), 6 deletions(-)
-
-diff --git a/common.c b/common.c
-index 4dc75bc7f..0e2a07243 100644
---- a/common.c
-+++ b/common.c
-@@ -77,6 +77,12 @@
- #include <mbedtls/md.h>
- #include <mbedtls/version.h>
- #include <mbedtls/x509.h>
-+
-+#if MBEDTLS_VERSION_MAJOR == 3
-+#define MBEDTLS_PRIVATE_V3_ONLY(_q) MBEDTLS_PRIVATE(_q)
-+#else
-+#define MBEDTLS_PRIVATE_V3_ONLY(_q) _q
-+#endif
- #endif
- 
- #ifdef CONFIG_LIBDAEMON
-@@ -691,8 +697,14 @@ uint8_t *rsa_apply(uint8_t *input, int inlen, int *outlen, int mode) {
- 
-   mbedtls_pk_init(&pkctx);
- 
-+#if MBEDTLS_VERSION_MAJOR == 3
-   rc = mbedtls_pk_parse_key(&pkctx, (unsigned char *)super_secret_key, sizeof(super_secret_key),
-+                            NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
-+#else
-+  rc = mbedtls_pk_parse_key(&pkctx, (unsigned char *)super_secret_key, sizeof(super_secret_key), 
-                             NULL, 0);
-+
-+#endif
-   if (rc != 0)
-     debug(1, "Error %d reading the private key.", rc);
- 
-@@ -701,19 +713,29 @@ uint8_t *rsa_apply(uint8_t *input, int inlen, int *outlen, int mode) {
- 
-   switch (mode) {
-   case RSA_MODE_AUTH:
--    mbedtls_rsa_set_padding(trsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE);
--    outbuf = malloc(trsa->len);
-+    mbedtls_rsa_set_padding(trsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE);    
-+    outbuf = malloc(trsa->MBEDTLS_PRIVATE_V3_ONLY(len));
-+#if MBEDTLS_VERSION_MAJOR == 3
-+    rc = mbedtls_rsa_pkcs1_encrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg,
-+                                   inlen, input, outbuf);
-+#else
-     rc = mbedtls_rsa_pkcs1_encrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PRIVATE,
-                                    inlen, input, outbuf);
-+#endif
-     if (rc != 0)
-       debug(1, "mbedtls_pk_encrypt error %d.", rc);
--    *outlen = trsa->len;
-+    *outlen = trsa->MBEDTLS_PRIVATE_V3_ONLY(len);
-     break;
-   case RSA_MODE_KEY:
-     mbedtls_rsa_set_padding(trsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA1);
--    outbuf = malloc(trsa->len);
-+    outbuf = malloc(trsa->MBEDTLS_PRIVATE_V3_ONLY(len));
-+#if MBEDTLS_VERSION_MAJOR == 3
-+    rc = mbedtls_rsa_pkcs1_decrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg,
-+                                   &olen, input, outbuf, trsa->MBEDTLS_PRIVATE_V3_ONLY(len));
-+#else
-     rc = mbedtls_rsa_pkcs1_decrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PRIVATE,
-                                    &olen, input, outbuf, trsa->len);
-+#endif
-     if (rc != 0)
-       debug(1, "mbedtls_pk_decrypt error %d.", rc);
-     *outlen = olen;
-diff --git a/player.c b/player.c
-index 8c1752722..d023d269c 100644
---- a/player.c
-+++ b/player.c
-@@ -47,7 +47,6 @@
- 
- #ifdef CONFIG_MBEDTLS
- #include <mbedtls/aes.h>
--#include <mbedtls/havege.h>
- #endif
- 
- #ifdef CONFIG_POLARSSL
-diff --git a/player.h b/player.h
-index 11435bf91..b35eb7652 100644
---- a/player.h
-+++ b/player.h
-@@ -9,7 +9,6 @@
- 
- #ifdef CONFIG_MBEDTLS
- #include <mbedtls/aes.h>
--#include <mbedtls/havege.h>
- #endif
- 
- #ifdef CONFIG_POLARSSL
diff --git a/package/shairport-sync/shairport-sync.hash b/package/shairport-sync/shairport-sync.hash
index 331866a379..dc7c7eee5b 100644
--- a/package/shairport-sync/shairport-sync.hash
+++ b/package/shairport-sync/shairport-sync.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  17990cb2620551caa07a1c3b371889e55803071eaada04e958c356547a7e1795  shairport-sync-3.3.9.tar.gz
+sha256  a1242d100b61fe1fffbbf706e919ed51d6a341c9fb8293fb42046e32ae2b3338  shairport-sync-4.3.7.tar.gz
 sha256  1daaa904985807b7f9f2fa91f6b19f3faadf8df4e813f7451a691f89a6965e3f  LICENSES
diff --git a/package/shairport-sync/shairport-sync.mk b/package/shairport-sync/shairport-sync.mk
index 5d01ab042e..493eefbd6f 100644
--- a/package/shairport-sync/shairport-sync.mk
+++ b/package/shairport-sync/shairport-sync.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SHAIRPORT_SYNC_VERSION = 3.3.9
+SHAIRPORT_SYNC_VERSION = 4.3.7
 SHAIRPORT_SYNC_SITE = $(call github,mikebrady,shairport-sync,$(SHAIRPORT_SYNC_VERSION))
 
 SHAIRPORT_SYNC_LICENSE = MIT, BSD-3-Clause

