pkgsrc.se | The NetBSD package collection

./audio/mpg123, MPEG layer 1, 2, and 3 audio player

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2019Q2, Version: 1.25.12, Package name: mpg123-1.25.12, Maintainer: martin

mpg123 reads one or more files (or standard input if ``-'' is
specified) or URLs and plays them on the audio device (default) or
outputs them to stdout. file/URL is assumed to be an MPEG-1/2 audio
bit stream.

Required to build:
[pkgtools/cwrappers]

Package options: mpg123-fifo, mpg123-with-fpu

Master sites:

http://downloads.sourceforge.net/sourceforge/mpg123/ (Download)

SHA1: 4ece1ec124a6ca085e1d68f7ede6d5619fc587ff
RMD160: d6bb641bc56c7e5f83e7658c044b231b94f4886c
Filesize: 888.817 KB

Version history: (Expand)

(2019-09-03) Updated to version: mpg123-1.25.12
(2019-08-09) Updated to version: mpg123-1.25.11
(2019-07-04) Package added to pkgsrc.se, version mpg123-1.25.10nb2 (created)

CVS history: (Expand)

2019-09-03 11:33:05 by Benny Siegert | Files touched by this commit (2)

Log message:
Pullup ticket #6034 - requested by nia
audio/mpg123: security fix

Revisions pulled up:
- audio/mpg123/Makefile.common                                  1.50
- audio/mpg123/distinfo                                         1.50

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Sat Aug 31 14:24:19 UTC 2019

   Modified Files:
   	pkgsrc/audio/mpg123: Makefile.common distinfo

   Log message:
   mpg123: Update to 1.25.12

   libmpg123:

       Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames \ 
(oss-fuzz-bug 15975). The earlier fix around the same location needed one \ 
thought more. Actually, another though was needed, oss-fuzz-bug 16009 documents \ 
the incomplete fix.
       Fix an invalid write of one zero byte for empty ID3v2 frames that demand \ 
de-unsyncing (oss-fuzz-bug 16050).
       Correct preprocessor syntax in mangle.h, no #error in a #define line. \ 
(bug 273, thanks to nmlgc).

2019-08-09 15:11:05 by Benny Siegert | Files touched by this commit (3) | Package updated

Log message:
Pullup ticket #6014 - requested by nia
audio/mpg123: security fix

Revisions pulled up:
- audio/mpg123/Makefile                                         1.58
- audio/mpg123/Makefile.common                                  1.49
- audio/mpg123/distinfo                                         1.49

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Sat Jul 27 15:14:40 UTC 2019

   Modified Files:
   	pkgsrc/audio/mpg123: Makefile Makefile.common distinfo

   Log message:
   mpg123: Update to 1.25.11

   libmpg123:
   * Fix out-of-bounds reads in ID3 parser for unsynced frames. (oss-fuzz-bug 15852)
   * Fix out-of-bounds read for RVA2 frames with non-delimited identifier. \ 
(oss-fuzz-bug 15852)
   * Fix implementation-defined parsing of RVA2 values. (oss-fuzz-bug 15862)
   * Fix undefined parsing of APE header for skipping. Also prevent endless loop \ 
on premature end of supposed APE header. (oss-fuzz-bug 15864)
   * Fix some syntax to make pedantic compiler happy.

   The serious bugs trigger Denial of Service either via the nasty endless
   loop in supposed APE tags or by crashes if the invalid reads hit a
   diagnostic by the OS or, more likely, a security mechanism like the
   sanitizer instrumentation that enabled finding the bugs.

   I do not have CVE numbers for these bugs.
   I rather fix the bugs than name them. Just update, will you?