NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/mp4v2: security bump to version 4.1.3

Browse Source 
- Switch site to an active fork
- Send patch upstream
- Update indentation in hash file (two spaces)
- Fix the following CVEs:
  - CVE-2018-14054: A double free exists in the MP4StringProperty class
    in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again
    in the destructor once an exception is triggered.
    Fixed by
    f09cceeee5
  - CVE-2018-14325: In MP4v2 2.0.0, there is an integer underflow (with
    resultant memory corruption) when parsing MP4Atom in mp4atom.cpp.
    Fixed by
    e475013c6e
  - CVE-2018-14326: In MP4v2 2.0.0, there is an integer overflow (with
    resultant memory corruption) when resizing MP4Array for the ftyp
    atom in mp4array.h.
    Fixed by
    70d823ccd8
  - CVE-2018-14379: MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0
    incorrectly uses the MP4ItemAtom data type in a certain case where
    MP4DataAtom is required, which allows remote attackers to cause a
    denial of service (memory corruption) or possibly have unspecified
    other impact via a crafted MP4 file, because access to the data
    structure has different expectations about layout as a result of
    this type confusion.
    Fixed by
    73f38b4296
  - CVE-2018-14403: MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0
    mishandles substrings of atom names, leading to use of an
    inappropriate data type for associated atoms. The resulting type
    confusion can cause out-of-bounds memory access.
    Fixed by
    51cb6b36f6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2020-05-15 23:13:27 +02:00 committed by Peter Korsgaard
parent e1af92592e
commit 0a860f21e1
4 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
package/mp4v2/0001-Fix-GCC7-build.patch
View File

@ -10,6 +10,7 @@ no encoding parameters ppEncodingParams will be returned as a pointer to
an empty string rather than as a null pointer
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Upstream status: https://github.com/TechSmith/mp4v2/pull/36]
---
src/rtphint.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

2
package/mp4v2/Config.in
View File

@ -5,7 +5,7 @@ config BR2_PACKAGE_MP4V2
The MP4v2 library provides functions to read, create, and
modify mp4 files.
https://code.google.com/archive/p/mp4v2/
https://github.com/TechSmith/mp4v2/
if BR2_PACKAGE_MP4V2

3
package/mp4v2/mp4v2.hash
View File

@ -1,4 +1,3 @@
# From https://code.google.com/p/mp4v2/downloads/detail?name=mp4v2-2.0.0.tar.bz2
sha1 193260cfb7201e6ec250137bcca1468d4d20e2f0 mp4v2-2.0.0.tar.bz2
# Locally computed
sha256 e3ad6c2dc451b0875dbe34bfe7f51f4fe278b391434c886083e6d3ecd5fa08c2 mp4v2-4.1.3.tar.gz
sha256 15e38684c940176e2fc76331a2299d2ab5115ac997078f768ef31b896af69fc5 COPYING

6
package/mp4v2/mp4v2.mk
View File

@ -4,9 +4,9 @@
#
################################################################################
MP4V2_VERSION = 2.0.0
MP4V2_SOURCE = mp4v2-$(MP4V2_VERSION).tar.bz2
MP4V2_SITE = https://mp4v2.googlecode.com/files
MP4V2_VERSION = 4.1.3
MP4V2_SITE = \
$(call github,TechSmith,mp4v2,Release-ThirdParty-MP4v2-$(MP4V2_VERSION))
MP4V2_INSTALL_STAGING = YES
MP4V2_LICENSE = MPL-1.1
MP4V2_LICENSE_FILES = COPYING