NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/libid3tag: switch to debian to fix CVEs

Browse Source 
Upstream libid3tag is dead since 2004 so switch to debian to get two
patches that fix the following CVEs:
 - CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
   through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
   number of bytes, triggering an endless loop allocating memory until
   an OOM condition is reached, leading to denial-of-service (DoS).
 - CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (NULL
   Pointer Dereference and application crash) via a crafted mp3 file.
 - CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (OOM)
   via a crafted MP3 file.

Moreover, drop patch (replaced by add-m4-directory.patch debian patch)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2020-04-12 12:18:44 +02:00 committed by Yann E. MORIN
parent 8b14f6b49b
commit 210ccaef57
3 changed files with 15 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
package/libid3tag/0001-configure-automake-foreign.patch
View File

@ -1,16 +0,0 @@
configure: don't require GNU-specific files when running automake
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
diff -durN libid3tag-0.15.1b.orig/configure.ac libid3tag-0.15.1b/configure.ac
--- libid3tag-0.15.1b.orig/configure.ac 2004-01-24 00:22:46.000000000 +0100
+++ libid3tag-0.15.1b/configure.ac 2018-11-25 15:31:04.184342212 +0100
@@ -26,7 +26,7 @@
AC_CONFIG_SRCDIR([id3tag.h])
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([foreign])
AM_CONFIG_HEADER([config.h])

7
package/libid3tag/libid3tag.hash
View File

@ -1,4 +1,7 @@
# Locally computed:
sha256 63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151 libid3tag-0.15.1b.tar.gz
# From http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libi/libid3tag/libid3tag_0.15.1b-14.dsc
sha256 63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151 libid3tag_0.15.1b.orig.tar.gz
sha256 f174cafe02bef25a9ad8cb7f9ce80119147297a7036f50878e85ac0d7ae09c62 libid3tag_0.15.1b-14.debian.tar.xz
# Hash for license files:
sha256 32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670 COPYING
sha256 7f12ad28dc075763e91b91bfa60fad04062380011ddad8f6bac21dd7b1f44367 COPYRIGHT

11
package/libid3tag/libid3tag.mk
View File

@ -5,12 +5,21 @@
################################################################################
LIBID3TAG_VERSION = 0.15.1b
LIBID3TAG_SITE = http://downloads.sourceforge.net/project/mad/libid3tag/$(LIBID3TAG_VERSION)
LIBID3TAG_PATCH = libid3tag_$(LIBID3TAG_VERSION)-14.debian.tar.xz
LIBID3TAG_SOURCE = libid3tag_$(LIBID3TAG_VERSION).orig.tar.gz
LIBID3TAG_SITE = \
http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libi/libid3tag
LIBID3TAG_LICENSE = GPL-2.0+
LIBID3TAG_LICENSE_FILES = COPYING COPYRIGHT
LIBID3TAG_INSTALL_STAGING = YES
LIBID3TAG_DEPENDENCIES = zlib
# debian/patches/10_utf16.dpatch
LIBID3TAG_IGNORE_CVES += CVE-2004-2779 CVE-2017-11551
# debian/patches/11_unknown_encoding.dpatch
LIBID3TAG_IGNORE_CVES += CVE-2017-11550
# Force autoreconf to be able to use a more recent libtool script, that
# is able to properly behave in the face of a missing C++ compiler.
LIBID3TAG_AUTORECONF = YES