CVE-2024-10573:
An out-of-bounds write flaw was found in mpg123 when handling crafted streams.
When decoding PCM, the libmpg123 may write past the end of a heap-located buffer.
Consequently, heap corruption may happen, and arbitrary code execution is not
discarded. The complexity required to exploit this flaw is considered high as
the payload must be validated by the MPEG decoder and the PCM synth before execution.
Additionally, to successfully execute the attack, the user must scan through the
stream, making web live stream content (such as web radios) a very unlikely attack vector.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-10573]
Upstream patches: [svn://scm.orgis.org/mpg123/branches/1.31-fixes@5442]
(From OE-Core rev: a227b80e29c5ba5d963acaa4ddb4b9ad45483bd5)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
====================
libmpg123: Catch more NULL pointer arguments in LFS wrappers
(most prominently: mpg123_feedseek(), bug 328).
mpg123:
-Fix regression that did _not_ enable --remote-err on -s anymore.
-Fix typos in man page.
-Drop mixed-up value limits on remote control SEQ command.
It is up to you if you want to distort your sound.
-Add note about equalizer frequency bands to man page.
-build: add BUILD_PROGRAMS option to ports/cmake
(From OE-Core rev: e4e84d295f774136900e0a09001d19cbeab1a157)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes:
build:
* Fix up the build to actually build all library objects with libtool
consistently, also ensuring no pointless static archives for output modules.
* Adapted things to autoconf 2.71, requiring 2.69 now (the latter tested on
Debian, with their patches).
* Improved configure to be more useful --with-default-audio to define the
search order, fix static build for --with-audio being a list (just choosing
the first one).
* Ensure consistent use of LINK_MPG123_DLL in headers.
build (ports/cmake):
* Thanks to Evgeni Poberezhnikov for working with us on that.
* Fix up ports/cmake to really work in MSVC also for users of the lib (tested
in vcpkg, bug 310).
* Hardcode ports/cmake CPU detection for x64 and ARM as CMAKE_SYSTEM_PROCESSOR
is useless crap (bug 298 for real).
* Add missing io.h for _setmode() MSVC warned about (bug 311).
* Added BUILD_NO_LARGENAME define to be used by MSVC builds. Note that an
MSVC build of libmpg123 does not support 64 bit file offsets. That would
need more morting to the explicit API. Thanks to MS for making off_t even
more messy and less useful.
* Added JACK output, fixed handling of compat_str there and in win32_wasapi.
libsyn123:
* Fix syn123_mix() to actually do intermediate conversion when input
and output encoding are the same but non-float. This makes out123 --mix work
with s16 input and output, which is not that special!
libmpg123:
* Fix misguided handling of part2_3_length checks in III_get_scale_factors_1()
and III_get_scale_factors_2() which invalidated decoding of a mono source
encoded as ms+i-stereo (bug 312). This was a regression introduced with
version 1.25.7.
libout123:
* Print basic module loading errors only for last one in list. This enables
use of an output module search list that anticipates module files not
installed with the main package.
* Fixes for win32_wasapi build with MSVC.
(From OE-Core rev: a4308b8959041a63896a01a5d79847805be5808d)
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Support added to configure mpg123 for FPU-less targets. Building for
fixed-point arithmetic increases performance on such devices.
(From OE-Core rev: 55a65571d19407befd3c2d152680573d7318c279)
Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libsdl 1.2 is dead upstream, so change mpg123 to use libsdl2. Luckily the APIs
that mpg123 use haven't changed, so this is just a matter of changing the
pkg-config name.
(From OE-Core rev: 1aa947a60b0eb31c367b1e9818218ee74d388eea)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
No need to skip textrel QA for x86 as it has
been fixed in 1.25.0
(From OE-Core rev: f635c097d0d43c88b00a00073b93712f1cc90fe0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The recipe is updated to latest upstream release.
Also audiofile dependency is dropped as it's not actually used anywhere.
[YOCTO #6020]
(From OE-Core rev: e136525f3443f365ecbfdb8bb618f89c3f38da5b)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
