Upstream libid3tag is dead since 2004 so switch to debian to get two
patches that fix the following CVEs:
- CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
number of bytes, triggering an endless loop allocating memory until
an OOM condition is reached, leading to denial-of-service (DoS).
- CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
0.15.1b allows remote attackers to cause a denial of service (NULL
Pointer Dereference and application crash) via a crafted mp3 file.
- CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
0.15.1b allows remote attackers to cause a denial of service (OOM)
via a crafted MP3 file.
Moreover, drop patch (replaced by add-m4-directory.patch debian patch)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
210ccaef57