kumquat-buildroot

NetCube-Systems-Austria/kumquat-buildroot

Fork 0

Commit Graph

Author	SHA1	Message	Date
Peter Korsgaard	7e3583dd55	lame: security bump to version 3.100 Fixes the following security issues: CVE-2017-9410: fill_buffer_resample function in libmp3lame/util.c heap-based buffer over-read and ap CVE-2017-9411: fill_buffer_resample function in libmp3lame/util.c invalid memory read and application crash CVE-2017-9412: unpack_read_samples function in frontend/get_audio.c invalid memory read and application crash Drop patches now upstream or no longer needed: 0001-configure.patch: Upstream as mentioned in patch description 0002-gtk1-ac-directives.patch: Upstream as mentioned in patch description/release notes: Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1. This was transplanted back from aclocal.m4 with a patch provided by Andres Mejia. This change makes it easy to regenerate autotools' files with a simple invocation of autoconf -vfi. 0003-msse.patch: Not needed as -march <x86-variant-with-msse-support> nowadays implies -msse. With these removed, autoreconf is no longer needed. Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>	2017-10-22 14:04:44 +02:00
Yann E. MORIN	2ced21f8f9	package: add hashes for SourceForge-hosted packages Since SourceForge sometimes serves us faulty tarballs, we can tons of autobuild failures: http://autobuild.buildroot.org/results/9fb/9fba5bf086a4e7a29e5f7156ec43847db7aacfc4/ http://autobuild.buildroot.org/results/6c8/6c837b244c45ac3b3a887734a371cd6d226cf216/ ... Fix that by adding hash files for all SourceForge-hosted packages (thos etht did not already have it). We normally prefer to use hashes published by upstream, but hunting them all one by one is a tedious task, so those hashes were all locally computed with a script that searched for SF-hosted packages, downloades the associated tarball, computed the hash, and stored it in the corresponding .hash file. Also, SF publishes sha1 hashes, while I used the stronger sha256, since sha1 is now considered to be relatively weak. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Peter Korsgaard <jacmet@uclibc.org> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Cc: Richard Braun <rbraun@sceen.net> Cc: Nathaniel Roach <nroach44@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>	2014-12-28 22:21:16 +01:00

Author

SHA1

Message

Date

Peter Korsgaard

7e3583dd55

lame: security bump to version 3.100

Fixes the following security issues:

CVE-2017-9410: fill_buffer_resample function in libmp3lame/util.c heap-based
buffer over-read and ap

CVE-2017-9411: fill_buffer_resample function in libmp3lame/util.c invalid
memory read and application crash

CVE-2017-9412: unpack_read_samples function in frontend/get_audio.c invalid
memory read and application crash

Drop patches now upstream or no longer needed:

0001-configure.patch: Upstream as mentioned in patch description

0002-gtk1-ac-directives.patch: Upstream as mentioned in patch
description/release notes:

Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1.
This was transplanted back from aclocal.m4 with a patch provided by Andres
Mejia. This change makes it easy to regenerate autotools' files with a simple
invocation of autoconf -vfi.

0003-msse.patch: Not needed as -march <x86-variant-with-msse-support>
nowadays implies -msse.

With these removed, autoreconf is no longer needed.

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

2017-10-22 14:04:44 +02:00

Yann E. MORIN

2ced21f8f9

package: add hashes for SourceForge-hosted packages

Since SourceForge sometimes serves us faulty tarballs, we can tons of
autobuild failures:
    http://autobuild.buildroot.org/results/9fb/9fba5bf086a4e7a29e5f7156ec43847db7aacfc4/
    http://autobuild.buildroot.org/results/6c8/6c837b244c45ac3b3a887734a371cd6d226cf216/
    ...

Fix that by adding hash files for all SourceForge-hosted packages (thos
etht did not already have it).

We normally prefer to use hashes published by upstream, but hunting them
all one by one is a tedious task, so those hashes were all locally
computed with a script that searched for SF-hosted packages, downloades
the associated tarball, computed the hash, and stored it in the
corresponding .hash file.

Also, SF publishes sha1 hashes, while I used the stronger sha256, since
sha1 is now considered to be relatively weak.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Richard Braun <rbraun@sceen.net>
Cc: Nathaniel Roach <nroach44@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

2014-12-28 22:21:16 +01:00

2 Commits