mpg123: update to 1.25.2
1.25.2
------
- libmpg123:
-- Extend pow tables for layer III to properly handle files with i-stereo and
5-bit scalefactors. Never observed them for real, just as fuzzed input to
trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
calling remote denial of service. While the accesses are out of bounds for
the pow tables, they still are safely within libmpg123's memory (other
static tables). Just wrong values are used for computation, no actual crash
unless you use something like GCC's AddressSanitizer, nor any information
disclosure.
-- Avoid left-shifts of negative integers in layer I decoding.
1.25.1: Hot Fuzz
-------
- libmpg123:
-- Avoid memset(NULL, 0, 0) to calm down the paranoid.
-- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
offset from the frame flag bytes (unnoticed in practice for a long
time). Fuzzers are in the house again. This one got CVE-2017-10683.
-- Avoid a mostly harmless conditional jump depending on uninitialised
fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
-- Fix undefined shifts on signed long mask in layer3.c (worked in practice,
never right in theory). Code might be a bit faster now, even.
Thanks to Agostino Sarubbo for reporting.
1.25.0: MP3 now patent-free worldwide!
-------
- Silence test for artsc-config if it is not there.
- Make sure -static-libgcc from LDFLAGS gets through libtool,
fixing 32 bit Windows builds (depend on libgcc DLL otherwise).
- Fix build with non-GNU make by using plain rm -f instead of silly $(RM)
in libout123/modules makefile fragment.
- Make build work on iOS, including coreaudio backend.
- libmpg123:
-- Finally provide position-independent code for x86 with assembly
optimisations.The textrels are gone thanks to Won Kyu Park and Taihei Momma.
-- Clarify some license language in files descending from the original MMX
optimisation.
-- Fix return value overflow check for MPG123_BUFFERFILL.
-- Introduced mpg123_getformat2() to enable the FORMAT command
for the generic control not stealing MPG123_NEW_FORMAT from the main
playback loop. The sequence LOADPAUSED-FORMAT-PAUSE (play) is supposed
to work now.
-- Enable aarch64 optimisations on *BSD by default, too. You can always
override that stupid OS whitelist using --with-optimization, anyway.
-- Use of the i486 decoder is now discouraged more prominently, in configure
output.
- out123: Fix stupid crash with verbose mode and tone generation (print
the string if the pointer is non-null, not if it is null).
- libout123: More consistent error messages for dynamic and legacy
(built-in) modules. Namely, you get a hint how if you choose a different
module than the built-in ones for a static libout123.
2017-07-14 07:46:46 +02:00
|
|
|
$NetBSD: distinfo,v 1.44 2017/07/14 05:46:46 maya Exp $
|
2001-04-17 12:22:24 +02:00
|
|
|
|
mpg123: update to 1.25.2
1.25.2
------
- libmpg123:
-- Extend pow tables for layer III to properly handle files with i-stereo and
5-bit scalefactors. Never observed them for real, just as fuzzed input to
trigger the read overflow. Note: This one goes on record as CVE-2017-11126,
calling remote denial of service. While the accesses are out of bounds for
the pow tables, they still are safely within libmpg123's memory (other
static tables). Just wrong values are used for computation, no actual crash
unless you use something like GCC's AddressSanitizer, nor any information
disclosure.
-- Avoid left-shifts of negative integers in layer I decoding.
1.25.1: Hot Fuzz
-------
- libmpg123:
-- Avoid memset(NULL, 0, 0) to calm down the paranoid.
-- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
offset from the frame flag bytes (unnoticed in practice for a long
time). Fuzzers are in the house again. This one got CVE-2017-10683.
-- Avoid a mostly harmless conditional jump depending on uninitialised
fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
-- Fix undefined shifts on signed long mask in layer3.c (worked in practice,
never right in theory). Code might be a bit faster now, even.
Thanks to Agostino Sarubbo for reporting.
1.25.0: MP3 now patent-free worldwide!
-------
- Silence test for artsc-config if it is not there.
- Make sure -static-libgcc from LDFLAGS gets through libtool,
fixing 32 bit Windows builds (depend on libgcc DLL otherwise).
- Fix build with non-GNU make by using plain rm -f instead of silly $(RM)
in libout123/modules makefile fragment.
- Make build work on iOS, including coreaudio backend.
- libmpg123:
-- Finally provide position-independent code for x86 with assembly
optimisations.The textrels are gone thanks to Won Kyu Park and Taihei Momma.
-- Clarify some license language in files descending from the original MMX
optimisation.
-- Fix return value overflow check for MPG123_BUFFERFILL.
-- Introduced mpg123_getformat2() to enable the FORMAT command
for the generic control not stealing MPG123_NEW_FORMAT from the main
playback loop. The sequence LOADPAUSED-FORMAT-PAUSE (play) is supposed
to work now.
-- Enable aarch64 optimisations on *BSD by default, too. You can always
override that stupid OS whitelist using --with-optimization, anyway.
-- Use of the i486 decoder is now discouraged more prominently, in configure
output.
- out123: Fix stupid crash with verbose mode and tone generation (print
the string if the pointer is non-null, not if it is null).
- libout123: More consistent error messages for dynamic and legacy
(built-in) modules. Namely, you get a hint how if you choose a different
module than the built-in ones for a static libout123.
2017-07-14 07:46:46 +02:00
|
|
|
SHA1 (mpg123-1.25.2.tar.bz2) = efdcd085c8ef7de422e5cd34c861b8302e1cc35a
|
|
|
|
RMD160 (mpg123-1.25.2.tar.bz2) = fe79cbca7e21de36cc2bb50d83ae4e5992876968
|
|
|
|
SHA512 (mpg123-1.25.2.tar.bz2) = 1b063a7a497d6f643b43a0e0db0e1a8951bf110cabf8f3dc63d7ed1b8e47ef4a42649622a5e4efb582479beacd7d3872b4f061716a5f6970b3f5bed7ef4f3fe9
|
|
|
|
Size (mpg123-1.25.2.tar.bz2) = 918024 bytes
|
|
|
|
SHA1 (patch-Makefile.in) = e1b529e9468994e25c2567df7e64a2905b0cf529
|
2016-12-18 23:58:34 +01:00
|
|
|
SHA1 (patch-aa) = 4b2761219dd8fb92079d7f96872e56beb702696a
|
|
|
|
SHA1 (patch-ad) = f07b637c3fc1d3ea0426013fc25bca8e3aecba56
|
|
|
|
SHA1 (patch-af) = ba9ccddda15f0e711675b1bbad72b082b34b15f5
|