pkgsrc/audio/mpg123/distinfo

11 lines
654 B
Text
Raw Normal View History

mpg123: update to 1.25.2 1.25.2 ------ - libmpg123: -- Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to trigger the read overflow. Note: This one goes on record as CVE-2017-11126, calling remote denial of service. While the accesses are out of bounds for the pow tables, they still are safely within libmpg123's memory (other static tables). Just wrong values are used for computation, no actual crash unless you use something like GCC's AddressSanitizer, nor any information disclosure. -- Avoid left-shifts of negative integers in layer I decoding. 1.25.1: Hot Fuzz ------- - libmpg123: -- Avoid memset(NULL, 0, 0) to calm down the paranoid. -- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683. -- Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet. -- Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting. 1.25.0: MP3 now patent-free worldwide! ------- - Silence test for artsc-config if it is not there. - Make sure -static-libgcc from LDFLAGS gets through libtool, fixing 32 bit Windows builds (depend on libgcc DLL otherwise). - Fix build with non-GNU make by using plain rm -f instead of silly $(RM) in libout123/modules makefile fragment. - Make build work on iOS, including coreaudio backend. - libmpg123: -- Finally provide position-independent code for x86 with assembly optimisations.The textrels are gone thanks to Won Kyu Park and Taihei Momma. -- Clarify some license language in files descending from the original MMX optimisation. -- Fix return value overflow check for MPG123_BUFFERFILL. -- Introduced mpg123_getformat2() to enable the FORMAT command for the generic control not stealing MPG123_NEW_FORMAT from the main playback loop. The sequence LOADPAUSED-FORMAT-PAUSE (play) is supposed to work now. -- Enable aarch64 optimisations on *BSD by default, too. You can always override that stupid OS whitelist using --with-optimization, anyway. -- Use of the i486 decoder is now discouraged more prominently, in configure output. - out123: Fix stupid crash with verbose mode and tone generation (print the string if the pointer is non-null, not if it is null). - libout123: More consistent error messages for dynamic and legacy (built-in) modules. Namely, you get a hint how if you choose a different module than the built-in ones for a static libout123.
2017-07-14 07:46:46 +02:00
$NetBSD: distinfo,v 1.44 2017/07/14 05:46:46 maya Exp $
mpg123: update to 1.25.2 1.25.2 ------ - libmpg123: -- Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to trigger the read overflow. Note: This one goes on record as CVE-2017-11126, calling remote denial of service. While the accesses are out of bounds for the pow tables, they still are safely within libmpg123's memory (other static tables). Just wrong values are used for computation, no actual crash unless you use something like GCC's AddressSanitizer, nor any information disclosure. -- Avoid left-shifts of negative integers in layer I decoding. 1.25.1: Hot Fuzz ------- - libmpg123: -- Avoid memset(NULL, 0, 0) to calm down the paranoid. -- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683. -- Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet. -- Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting. 1.25.0: MP3 now patent-free worldwide! ------- - Silence test for artsc-config if it is not there. - Make sure -static-libgcc from LDFLAGS gets through libtool, fixing 32 bit Windows builds (depend on libgcc DLL otherwise). - Fix build with non-GNU make by using plain rm -f instead of silly $(RM) in libout123/modules makefile fragment. - Make build work on iOS, including coreaudio backend. - libmpg123: -- Finally provide position-independent code for x86 with assembly optimisations.The textrels are gone thanks to Won Kyu Park and Taihei Momma. -- Clarify some license language in files descending from the original MMX optimisation. -- Fix return value overflow check for MPG123_BUFFERFILL. -- Introduced mpg123_getformat2() to enable the FORMAT command for the generic control not stealing MPG123_NEW_FORMAT from the main playback loop. The sequence LOADPAUSED-FORMAT-PAUSE (play) is supposed to work now. -- Enable aarch64 optimisations on *BSD by default, too. You can always override that stupid OS whitelist using --with-optimization, anyway. -- Use of the i486 decoder is now discouraged more prominently, in configure output. - out123: Fix stupid crash with verbose mode and tone generation (print the string if the pointer is non-null, not if it is null). - libout123: More consistent error messages for dynamic and legacy (built-in) modules. Namely, you get a hint how if you choose a different module than the built-in ones for a static libout123.
2017-07-14 07:46:46 +02:00
SHA1 (mpg123-1.25.2.tar.bz2) = efdcd085c8ef7de422e5cd34c861b8302e1cc35a
RMD160 (mpg123-1.25.2.tar.bz2) = fe79cbca7e21de36cc2bb50d83ae4e5992876968
SHA512 (mpg123-1.25.2.tar.bz2) = 1b063a7a497d6f643b43a0e0db0e1a8951bf110cabf8f3dc63d7ed1b8e47ef4a42649622a5e4efb582479beacd7d3872b4f061716a5f6970b3f5bed7ef4f3fe9
Size (mpg123-1.25.2.tar.bz2) = 918024 bytes
SHA1 (patch-Makefile.in) = e1b529e9468994e25c2567df7e64a2905b0cf529
SHA1 (patch-aa) = 4b2761219dd8fb92079d7f96872e56beb702696a
SHA1 (patch-ad) = f07b637c3fc1d3ea0426013fc25bca8e3aecba56
SHA1 (patch-af) = ba9ccddda15f0e711675b1bbad72b082b34b15f5