[Buildroot] [PATCH 2/2] package/libmad: switch to debian to fix CVEs

Peter Korsgaard peter at korsgaard.com
Tue Apr 21 09:11:53 UTC 2020


>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > Upstream libmad has been dead since 2004, so switch to the debian package to get
 > two patches that fix the following CVEs:
 >  - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
 >    cause a denial of service (assertion failure and application exit)
 >    via a crafted audio file.
 >  - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer overflow and application crash) or possibly have
 >    unspecified other impact via a crafted audio file.
 >  - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer over-read and application crash) via a crafted
 >    audio file.

 > Moreover:
 >  - Remove third patch (replaced by optimize.diff debian patch)
 >  - Remove fourth patch (same patch as
 >    Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 >  - Remove fifth patch (same patch as libmad.thumb.diff)

The patch is fine, but maybe we should consider getting rid of these
old/dead packages when there are other maintained alternatives
available?

-- 
Bye, Peter Korsgaard
