[Buildroot] [PATCH] package/mpg123: security bump to version 1.25.11
Peter Korsgaard
peter at korsgaard.com
Mon Sep 2 11:46:56 UTC 2019
>>>>> "Jörg" == Jörg Krause <joerg.krause at embedded.rocks> writes:
> From https://www.mpg123.de/cgi-bin/news.cgi:
> Fixes a number of bugs found by OSS-Fuzz:
> * Fix out-of-bounds reads in ID3 parser for unsynced frames.
> (oss-fuzz-bug 15852)
> * Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
> (oss-fuzz-bug 15852)
> * Fix implementation-defined parsing of RVA2 values.
> (oss-fuzz-bug 15862)
> * Fix undefined parsing of APE header for skipping. Also prevent endless loop
> on premature end of supposed APE header. (oss-fuzz-bug 15864)
> * Fix some syntax to make pedantic compiler happy.
> The serious bugs trigger Denial of Service either via the nasty endless loop in
> supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
> or, more likely, a security mechanism like the sanitizer instrumentation that
> enabled finding the bugs.
> I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
> Just update, will you?
> Signed-off-by: Jörg Krause <joerg.krause at embedded.rocks>
Committed to 2019.02.x and 2019.05.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list