kumquat-buildroot/package/libsndfile/libsndfile.mk

################################################################################
#
# libsndfile
#
################################################################################

LIBSNDFILE_VERSION = 1.0.28
LIBSNDFILE_SITE = http://www.mega-nerd.com/libsndfile/files
LIBSNDFILE_INSTALL_STAGING = YES
LIBSNDFILE_LICENSE = LGPL-2.1+
LIBSNDFILE_LICENSE_FILES = COPYING

# 0001-double64_init-Check-psf-sf.channels-against-upper-bo.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-14634
# 0002-Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
LIBSNDFILE_IGNORE_CVES += CVE-2018-13139 CVE-2018-19432
# 0003-a-ulaw-fix-multiple-buffer-overflows-432.patch
LIBSNDFILE_IGNORE_CVES += \
	CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457 \
	CVE-2018-19661 CVE-2018-19662
# disputed, https://github.com/erikd/libsndfile/issues/398
LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
# 0004-src-wav.c-Fix-heap-read-overflow.patch
LIBSNDFILE_IGNORE_CVES += CVE-2018-19758
# 0005-wav_write_header-don-t-read-past-the-array-end.patch
LIBSNDFILE_IGNORE_CVES += CVE-2019-3832
# 0006-src-aiff.c-Fix-a-buffer-read-overflow.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-6892
# 0007-FLAC-Fix-a-buffer-read-overrun.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-8361
# 0008-src-flac.c-Fix-a-buffer-read-overflow.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-8362 CVE-2017-8365
# 0009-src-flac-c-Fix-another-memory-leak.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-8363
# 0010-src-common-c-Fix-heap-buffer-overflows-when-writing-strings-in.patch
LIBSNDFILE_IGNORE_CVES += CVE-2017-12562

LIBSNDFILE_CONF_OPTS = \
	--disable-sqlite \
	--disable-alsa \
	--disable-external-libs \
	--disable-full-suite

$(eval $(autotools-package))
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
libsndfile package. Closes #1325 2007-04-24 15:43:15 +02:00			`#`
			`# libsndfile`
			`#`
Normalize separator size to 80 Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2013-06-06 01:53:30 +02:00			`################################################################################`
libsndfile: bump to version 1.0.23 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2011-01-18 17:54:32 +01:00
libsndfile: security bump to version 1.0.28 Fixes: CVE-2017-7585 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7586 - In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7741 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2017-7742 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. Dop undocumented patch adjusting SUBDIRS in Makefile.in as it no longer applies. Instead pass --disable-full-suite to disable man pages, documentation and programs, as that was presumably the reason for the patch. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 13:52:14 +02:00			`LIBSNDFILE_VERSION = 1.0.28`
libsndfile: bump to version 1.0.23 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> 2011-01-18 17:54:32 +01:00			`LIBSNDFILE_SITE = http://www.mega-nerd.com/libsndfile/files`
			`LIBSNDFILE_INSTALL_STAGING = YES`
boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+ We want to use SPDX identifier for license string as much as possible. SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+. This change is done using following command. find . -name "*.mk" \| xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g' Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-03-30 15:43:34 +02:00			`LIBSNDFILE_LICENSE = LGPL-2.1+`
libsndfile: add licensing info Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2013-12-11 14:23:34 +01:00			`LIBSNDFILE_LICENSE_FILES = COPYING`
libsndfile package. Closes #1325 2007-04-24 15:43:15 +02:00
package/libsndfile: annotate _IGNORE_CVES for the included security patches Also mark CVE-2018-13419 as disputed. [Peter: add dispute link as suggested by Thomas] Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2020-02-19 17:01:59 +01:00			`# 0001-double64_init-Check-psf-sf.channels-against-upper-bo.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-14634`
			`# 0002-Check-MAX_CHANNELS-in-sndfile-deinterleave.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2018-13139 CVE-2018-19432`
			`# 0003-a-ulaw-fix-multiple-buffer-overflows-432.patch`
			`LIBSNDFILE_IGNORE_CVES += \`
			`CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457 \`
			`CVE-2018-19661 CVE-2018-19662`
			`# disputed, https://github.com/erikd/libsndfile/issues/398`
			`LIBSNDFILE_IGNORE_CVES += CVE-2018-13419`
package/libsndfile: fix CVE-2018-19758 There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2020-03-04 23:21:02 +01:00			`# 0004-src-wav.c-Fix-heap-read-overflow.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2018-19758`
package/libsndfile: fix CVE-2019-3832 It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2020-03-04 23:21:03 +01:00			`# 0005-wav_write_header-don-t-read-past-the-array-end.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2019-3832`
package/libsndfile: add upstream security fixes - Fix CVE-2017-6892: In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. - Fix CVE-2017-8361: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. - Fix CVE-2017-8362: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file. - Fix CVE-2017-8363: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. - Fix CVE-2017-8365: The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file. - Fix CVE-2017-12562: Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2020-03-31 00:17:19 +02:00			`# 0006-src-aiff.c-Fix-a-buffer-read-overflow.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-6892`
			`# 0007-FLAC-Fix-a-buffer-read-overrun.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-8361`
			`# 0008-src-flac.c-Fix-a-buffer-read-overflow.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-8362 CVE-2017-8365`
			`# 0009-src-flac-c-Fix-another-memory-leak.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-8363`
			`# 0010-src-common-c-Fix-heap-buffer-overflows-when-writing-strings-in.patch`
			`LIBSNDFILE_IGNORE_CVES += CVE-2017-12562`
package/libsndfile: annotate _IGNORE_CVES for the included security patches Also mark CVE-2018-13419 as disputed. [Peter: add dispute link as suggested by Thomas] Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2020-02-19 17:01:59 +01:00
libsndfile: disable external library dependencies Fixes static linking of pifmrds [1]: host/usr/bin/arm-linux-gcc -static -o pi_fm_rds rds.o waveforms.o pi_fm_rds.o fm_mpx.o control_pipe.o -lsndfile -lm .../host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(flac.o): In function `sf_flac_error_callback': flac.c:(.text+0x44c): undefined reference to `FLAC__StreamDecoderErrorStatusString' host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(ogg.o): In function `ogg_close': ogg.c:(.text+0x10): undefined reference to `ogg_sync_clear' host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(ogg_vorbis.o): In function `vorbis_read_sample': ogg_vorbis.c:(.text+0x26c): undefined reference to `vorbis_synthesis_pcmout' [1] http://autobuild.buildroot.net/results/9b7/9b7638caa8f3e82e38fb68b0321cb649618a0131 Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-01-19 21:11:32 +01:00			`LIBSNDFILE_CONF_OPTS = \`
			`--disable-sqlite \`
			`--disable-alsa \`
libsndfile: security bump to version 1.0.28 Fixes: CVE-2017-7585 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7586 - In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVE-2017-7741 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2017-7742 - In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. Dop undocumented patch adjusting SUBDIRS in Makefile.in as it no longer applies. Instead pass --disable-full-suite to disable man pages, documentation and programs, as that was presumably the reason for the patch. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-04-26 13:52:14 +02:00			`--disable-external-libs \`
			`--disable-full-suite`
libsndfile: disable external library dependencies Fixes static linking of pifmrds [1]: host/usr/bin/arm-linux-gcc -static -o pi_fm_rds rds.o waveforms.o pi_fm_rds.o fm_mpx.o control_pipe.o -lsndfile -lm .../host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(flac.o): In function `sf_flac_error_callback': flac.c:(.text+0x44c): undefined reference to `FLAC__StreamDecoderErrorStatusString' host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(ogg.o): In function `ogg_close': ogg.c:(.text+0x10): undefined reference to `ogg_sync_clear' host/usr/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libsndfile.a(ogg_vorbis.o): In function `vorbis_read_sample': ogg_vorbis.c:(.text+0x26c): undefined reference to `vorbis_synthesis_pcmout' [1] http://autobuild.buildroot.net/results/9b7/9b7638caa8f3e82e38fb68b0321cb649618a0131 Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2017-01-19 21:11:32 +01:00
all packages: rename XXXTARGETS to xxx-package Also remove the redundant $(call ...). This is a purely mechanical change, performed with find package linux toolchain boot -name \*.mk \| \ xargs sed -i -e 's/$(eval $(call GENTARGETS))/$(eval $(generic-package))/' \ -e 's/$(eval $(call AUTOTARGETS))/$(eval $(autotools-package))/' \ -e 's/$(eval $(call CMAKETARGETS))/$(eval $(cmake-package))/' Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2012-07-03 00:07:32 +02:00			`$(eval $(autotools-package))`