kumquat-buildroot/package/mpg123/mpg123.mk
Jörg Krause 7291360fd8 package/mpg123: security bump to version 1.25.11
From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:
 * Fix out-of-bounds reads in ID3 parser for unsynced frames.
   (oss-fuzz-bug 15852)
 * Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
   (oss-fuzz-bug 15852)
 * Fix implementation-defined parsing of RVA2 values.
   (oss-fuzz-bug 15862)
 * Fix undefined parsing of APE header for skipping. Also prevent endless loop
   on premature end of supposed APE header. (oss-fuzz-bug 15864)
 * Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in
supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
or, more likely, a security mechanism like the sanitizer instrumentation that
enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
Just update, will you?

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-11 14:17:28 +02:00


################################################################################
#
# mpg123
#
################################################################################
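# 1.25.11 carries upstream's fixes for out-of-bounds reads in the ID3/RVA2
# parsers and an endless loop on truncated APE headers (found by OSS-Fuzz).
# These are denial-of-service bugs reachable from crafted media files, so do
# not pin an older release.
MPG123_VERSION = 1.25.11
MPG123_SOURCE = mpg123-$(MPG123_VERSION).tar.bz2
# Fetch over HTTPS so the tarball is not pulled over a cleartext channel.
# NOTE(review): HTTPS only protects the transfer; the integrity check for the
# tarball is the entry in this package's .hash file (not shown here), which
# must be updated together with MPG123_VERSION.
MPG123_SITE = https://downloads.sourceforge.net/project/mpg123/mpg123/$(MPG123_VERSION)
MPG123_CONF_OPTS = --disable-lfs-alias
# Install into staging as well, so other packages can build against the library.
MPG123_INSTALL_STAGING = YES
MPG123_LICENSE = LGPL-2.1
MPG123_LICENSE_FILES = COPYING
# host-pkgconf provides the host pkg-config used for the LIBS lookups below.
MPG123_DEPENDENCIES = host-pkgconf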
# Select the decoder variant passed to configure as --with-cpu.
# The default is a generic build chosen by BR2_SOFT_FLOAT; each architecture
# block below overrides it when its BR2_* symbol is "y". The blocks are
# evaluated in order, so a later assignment replaces an earlier one.
MPG123_CPU = $(if $(BR2_SOFT_FLOAT),generic_nofpu,generic_fpu)
ifeq ($(BR2_aarch64),y)
MPG123_CPU = aarch64
endif
# ARM: FPU variant when the CPU has NEON or VFPv2, otherwise the no-FPU one.
ifeq ($(BR2_arm),y)
ifeq ($(or $(BR2_ARM_CPU_HAS_NEON),$(BR2_ARM_CPU_HAS_VFPV2)),y)
MPG123_CPU = arm_fpu
else
MPG123_CPU = arm_nofpu
endif
endif
ifeq ($(BR2_i386),y)
MPG123_CPU = x86
endif
# PowerPC: AltiVec variant when available. The soft-float test comes second,
# so ppc_nofpu wins if both symbols are set; with neither, the generic
# default chosen above is kept.
ifeq ($(BR2_powerpc),y)
ifeq ($(BR2_POWERPC_CPU_HAS_ALTIVEC),y)
MPG123_CPU = altivec
endif
ifeq ($(BR2_SOFT_FLOAT),y)
MPG123_CPU = ppc_nofpu
endif
endif # powerpc
ifeq ($(BR2_x86_64),y)
MPG123_CPU = x86-64
endif
MPG123_CONF_OPTS += --with-cpu=$(MPG123_CPU)
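# Audio output backends to build. "dummy" and "oss" are always built; each
# optional block below appends its backend, its package dependency and a
# --with-default-audio option. The options are appended in file order, so
# with several backends enabled the last one on the configure command line
# is alsa, else sdl, else portaudio.
MPG123_AUDIO = dummy oss
# Extra link flags are collected here and exported as a single LIBS=
# assignment at the end. Appending LIBS="..." to MPG123_CONF_ENV once per
# backend would leave two LIBS= assignments in the configure environment
# when portaudio and alsa are both enabled, and only the last one (alsa)
# would take effect.
MPG123_LIBS =
ifeq ($(BR2_PACKAGE_PORTAUDIO),y)
MPG123_AUDIO += portaudio
MPG123_CONF_OPTS += --with-default-audio=portaudio
MPG123_DEPENDENCIES += portaudio
# configure script does NOT use pkg-config to figure out how to link
# with portaudio, breaking static linking as portaudio uses pthreads
MPG123_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs portaudio-2.0`
endif
ifeq ($(BR2_PACKAGE_SDL),y)
MPG123_AUDIO += sdl
MPG123_CONF_OPTS += --with-default-audio=sdl
MPG123_DEPENDENCIES += sdl
endif
ifeq ($(BR2_PACKAGE_ALSA_LIB),y)
MPG123_AUDIO += alsa
MPG123_CONF_OPTS += --with-default-audio=alsa
MPG123_DEPENDENCIES += alsa-lib
# configure script does NOT use pkg-config to figure out how to link
# with alsa, breaking static linking as alsa uses pthreads
MPG123_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs alsa`
endif
# Only export LIBS when a backend asked for it, as before.
ifneq ($(strip $(MPG123_LIBS)),)
MPG123_CONF_ENV += LIBS="$(MPG123_LIBS)"
endif
# configure expects a comma-separated backend list.
MPG123_CONF_OPTS += --with-audio=$(subst $(space),$(comma),$(MPG123_AUDIO))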
# Output modules are loaded with dlopen(), so module support is enabled
# for every build except a static-libs one.
# With modules enabled, whatever sits in the installed module directory is
# loaded into the player's process; keep that directory writable by root
# only on the target.
ifneq ($(BR2_STATIC_LIBS),y)
MPG123_CONF_OPTS += --enable-modules
else
MPG123_CONF_OPTS += --disable-modules
endif
# Expand Buildroot's autotools-package macro, which consumes the MPG123_*
# variables set above. It must stay last: assignments placed after this
# line are presumably not seen by the generated rules.
$(eval $(autotools-package))