public inbox for buildroot@busybox.net
* [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs
@ 2020-04-12 10:18 Fabrice Fontaine
  2020-04-12 10:18 ` [Buildroot] [PATCH 2/2] package/libmad: " Fabrice Fontaine
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2020-04-12 10:18 UTC (permalink / raw)
  To: buildroot

Upstream libid3tag has been dead since 2004, so switch to debian to get two
patches that fix the following CVEs:
 - CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
   through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
   number of bytes, triggering an endless loop allocating memory until
   an OOM condition is reached, leading to denial-of-service (DoS).
 - CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (NULL
   Pointer Dereference and application crash) via a crafted mp3 file.
 - CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
   0.15.1b allows remote attackers to cause a denial of service (OOM)
   via a crafted MP3 file.

Moreover, drop patch (replaced by add-m4-directory.patch debian patch)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 .../0001-configure-automake-foreign.patch        | 16 ----------------
 package/libid3tag/libid3tag.hash                 |  7 +++++--
 package/libid3tag/libid3tag.mk                   | 11 ++++++++++-
 3 files changed, 15 insertions(+), 19 deletions(-)
 delete mode 100644 package/libid3tag/0001-configure-automake-foreign.patch

diff --git a/package/libid3tag/0001-configure-automake-foreign.patch b/package/libid3tag/0001-configure-automake-foreign.patch
deleted file mode 100644
index 8521d559f2..0000000000
--- a/package/libid3tag/0001-configure-automake-foreign.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-configure: don't require GNU-specific files when running automake
-
-Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
-
-diff -durN libid3tag-0.15.1b.orig/configure.ac libid3tag-0.15.1b/configure.ac
---- libid3tag-0.15.1b.orig/configure.ac	2004-01-24 00:22:46.000000000 +0100
-+++ libid3tag-0.15.1b/configure.ac	2018-11-25 15:31:04.184342212 +0100
-@@ -26,7 +26,7 @@
- 
- AC_CONFIG_SRCDIR([id3tag.h])
- 
--AM_INIT_AUTOMAKE
-+AM_INIT_AUTOMAKE([foreign])
- 
- AM_CONFIG_HEADER([config.h])
- 
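Review bot: dropping this patch removes the `AM_INIT_AUTOMAKE([foreign])` change while LIBID3TAG_AUTORECONF = YES stays in place, so the build now depends on Debian's add-m4-directory.patch (named in the commit message as the replacement) either setting `foreign` itself or shipping the NEWS/README/AUTHORS/ChangeLog files that strict automake demands; nothing visible here confirms which it does. Suggest saying so in the commit message, or keeping this one-line patch until an autoreconf against the Debian-patched tree has been checked.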
diff --git a/package/libid3tag/libid3tag.hash b/package/libid3tag/libid3tag.hash
index 82ad59d9ac..9aa1d00270 100644
--- a/package/libid3tag/libid3tag.hash
+++ b/package/libid3tag/libid3tag.hash
@@ -1,4 +1,7 @@
-# Locally computed:
-sha256  63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151  libid3tag-0.15.1b.tar.gz
+# From http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libi/libid3tag/libid3tag_0.15.1b-14.dsc
+sha256  63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151  libid3tag_0.15.1b.orig.tar.gz
+sha256  f174cafe02bef25a9ad8cb7f9ce80119147297a7036f50878e85ac0d7ae09c62  libid3tag_0.15.1b-14.debian.tar.xz
+
+# Hash for license files:
 sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
 sha256  7f12ad28dc075763e91b91bfa60fad04062380011ddad8f6bac21dd7b1f44367  COPYRIGHT
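Review bot: the orig tarball hash is unchanged from the previously locally computed one (63da4f6e…), which shows that Debian's libid3tag_0.15.1b.orig.tar.gz is byte-identical to the SourceForge tarball; that is the real assurance in this hunk and is worth stating in the comment. The debian.tar.xz hash, by contrast, is copied from a .dsc fetched over plain http; the .dsc is OpenPGP-signed, so note in the commit message that the signature was checked, and prefer the https snapshot.debian.org URL in the comment so a reader re-verifying the hash is not doing it over a cleartext channel.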
diff --git a/package/libid3tag/libid3tag.mk b/package/libid3tag/libid3tag.mk
index 3ec145725f..14a7f3f938 100644
--- a/package/libid3tag/libid3tag.mk
+++ b/package/libid3tag/libid3tag.mk
@@ -5,12 +5,21 @@
 ################################################################################
 
 LIBID3TAG_VERSION = 0.15.1b
-LIBID3TAG_SITE = http://downloads.sourceforge.net/project/mad/libid3tag/$(LIBID3TAG_VERSION)
+LIBID3TAG_PATCH = libid3tag_$(LIBID3TAG_VERSION)-14.debian.tar.xz
+LIBID3TAG_SOURCE = libid3tag_$(LIBID3TAG_VERSION).orig.tar.gz
+LIBID3TAG_SITE = \
+	http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libi/libid3tag
 LIBID3TAG_LICENSE = GPL-2.0+
 LIBID3TAG_LICENSE_FILES = COPYING COPYRIGHT
 LIBID3TAG_INSTALL_STAGING = YES
 LIBID3TAG_DEPENDENCIES = zlib
 
+# debian/patches/10_utf16.dpatch
+LIBID3TAG_IGNORE_CVES += CVE-2004-2779 CVE-2017-11551
+
+# debian/patches/11_unknown_encoding.dpatch
+LIBID3TAG_IGNORE_CVES += CVE-2017-11550
+
 # Force autoreconf to be able to use a more recent libtool script, that
 # is able to properly behave in the face of a missing C++ compiler.
 LIBID3TAG_AUTORECONF = YES
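Review bot: the two IGNORE_CVES entries are only valid if 10_utf16.dpatch and 11_unknown_encoding.dpatch are really applied, and nothing in this hunk shows that: LIBID3TAG_PATCH hands the whole debian.tar.xz to the generic patch step, which selects patch files by suffix, and `.dpatch` is not one of the `.patch`/`.diff` suffixes a reviewer can assume it accepts. Suggest checking the build log for the two file names (or grepping the patched utf16.c for the fix) before marking the CVEs as ignored, and, if they are skipped, applying debian/patches through the series file with an explicit post-patch hook as the libmad patch in this series does.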
-- 
2.25.1

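The .hash hunk of this patch (and the matching one for libmad) records that its sha256 values come from a Debian .dsc. The following shell script is an added example, not Buildroot or Debian code, that performs that cross-check offline: it extracts the Checksums-Sha256 stanza of a .dsc and requires every file listed there to appear in the Buildroot .hash file with the same digest. The .dsc and .hash contents are constructed inline from the hashes quoted in the patch; the size fields and the md5 in the Files stanza are placeholders, since the page does not show them, and the awk parsing is this example's own. It complements, not replaces, verifying the .dsc signature (for instance with dscverify from devscripts), which is what ties those hashes to the Debian maintainer.

```shell
#!/bin/sh
# Added example (not Buildroot or Debian code): cross-check a Buildroot .hash
# file against the Checksums-Sha256 stanza of the Debian .dsc it cites.
# The sample .dsc and .hash below are constructed from the hashes quoted in
# the patch; the size fields and the md5 are placeholders (assumption).

# check_hashes <dsc> <hashfile>
# Every file in the .dsc's Checksums-Sha256 stanza must appear in the .hash
# file with the same sha256. Extra .hash entries (license files) are allowed.
# Prints one line per file; returns 1 if anything is missing or differs.
check_hashes() {
    awk '
        FNR == NR {                            # first input: the .dsc
            if (/^Checksums-Sha256:/) { st = 1; next }
            if (/^[^ ]/) st = 0                # any other field ends the stanza
            if (st && NF == 3) want[$3] = $1   # " <sha256> <size> <filename>"
            next
        }
        $1 == "sha256" { have[$3] = $2 }       # second input: the Buildroot .hash
        END {
            bad = 0
            for (f in want) {
                if (!(f in have))            { print "MISSING  " f; bad = 1 }
                else if (have[f] != want[f]) { print "MISMATCH " f; bad = 1 }
                else                         { print "OK       " f }
            }
            exit bad
        }
    ' "$1" "$2"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed .dsc excerpt: hashes from the patch, sizes and md5 are placeholders.
DSC=$TMP/libid3tag_0.15.1b-14.dsc
cat > "$DSC" <<'EOF'
Format: 3.0 (quilt)
Source: libid3tag
Version: 0.15.1b-14
Checksums-Sha256:
 63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151 330702 libid3tag_0.15.1b.orig.tar.gz
 f174cafe02bef25a9ad8cb7f9ce80119147297a7036f50878e85ac0d7ae09c62 12345 libid3tag_0.15.1b-14.debian.tar.xz
Files:
 00000000000000000000000000000000 330702 libid3tag_0.15.1b.orig.tar.gz
EOF

# The .hash file exactly as the patch adds it.
HASHFILE=$TMP/libid3tag.hash
cat > "$HASHFILE" <<'EOF'
# From http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libi/libid3tag/libid3tag_0.15.1b-14.dsc
sha256  63da4f6e7997278f8a3fef4c6a372d342f705051d1eeb6a46a86b03610e26151  libid3tag_0.15.1b.orig.tar.gz
sha256  f174cafe02bef25a9ad8cb7f9ce80119147297a7036f50878e85ac0d7ae09c62  libid3tag_0.15.1b-14.debian.tar.xz

# Hash for license files:
sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
sha256  7f12ad28dc075763e91b91bfa60fad04062380011ddad8f6bac21dd7b1f44367  COPYRIGHT
EOF

# A tampered copy (constructed): the debian tarball digest has been altered.
TAMPERED=$TMP/libid3tag.hash.tampered
sed 's/f174cafe/deadbeef/' "$HASHFILE" > "$TAMPERED"

echo "== .hash from the patch =="
check_hashes "$DSC" "$HASHFILE" || echo "problems found"
echo "== tampered .hash =="
check_hashes "$DSC" "$TAMPERED" || echo "problems found"
```

Against a real tree the call is `check_hashes libid3tag_0.15.1b-14.dsc package/libid3tag/libid3tag.hash`; a non-zero exit means at least one file the .dsc vouches for is missing from the .hash file or carries a different digest, which is exactly the case a "From <dsc URL>" comment should never hide.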

* [Buildroot] [PATCH 2/2] package/libmad: switch to debian to fix CVEs
  2020-04-12 10:18 [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs Fabrice Fontaine
@ 2020-04-12 10:18 ` Fabrice Fontaine
  2020-04-21  9:11   ` Peter Korsgaard
  2020-04-30 12:39   ` Peter Korsgaard
  2020-04-12 20:22 ` [Buildroot] [PATCH 1/2] package/libid3tag: " Yann E. MORIN
  2020-04-30 12:39 ` Peter Korsgaard
  2 siblings, 2 replies; 6+ messages in thread
From: Fabrice Fontaine @ 2020-04-12 10:18 UTC (permalink / raw)
  To: buildroot

Upstream libmad has been dead since 2004, so switch to debian package to get
two patches that fix the following CVEs:
 - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
   cause a denial of service (assertion failure and application exit)
   via a crafted audio file.
 - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer overflow and application crash) or possibly have
   unspecified other impact via a crafted audio file.
 - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer over-read and application crash) via a crafted
   audio file.

Moreover:
 - Remove third patch (replaced by optimize.diff debian patch)
 - Remove fourth patch (same patch as
   Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 - Remove fifth patch (same patch as libmad.thumb.diff)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ... 0002-configure-ac-automake-foreign.patch} |  0
 .../0003-remove-deprecated-cflags.patch       | 33 ---------------
 package/libmad/0004-thumb2-fixed-arm.patch    | 40 -------------------
 package/libmad/0005-thumb2-imdct-arm.patch    | 20 ----------
 package/libmad/libmad.hash                    |  8 ++--
 package/libmad/libmad.mk                      | 21 ++++++++--
 6 files changed, 23 insertions(+), 99 deletions(-)
 rename package/libmad/{0006-configure-ac-automake-foreign.patch => 0002-configure-ac-automake-foreign.patch} (100%)
 delete mode 100644 package/libmad/0003-remove-deprecated-cflags.patch
 delete mode 100644 package/libmad/0004-thumb2-fixed-arm.patch
 delete mode 100644 package/libmad/0005-thumb2-imdct-arm.patch

diff --git a/package/libmad/0006-configure-ac-automake-foreign.patch b/package/libmad/0002-configure-ac-automake-foreign.patch
similarity index 100%
rename from package/libmad/0006-configure-ac-automake-foreign.patch
rename to package/libmad/0002-configure-ac-automake-foreign.patch
diff --git a/package/libmad/0003-remove-deprecated-cflags.patch b/package/libmad/0003-remove-deprecated-cflags.patch
deleted file mode 100644
index e5040830f9..0000000000
--- a/package/libmad/0003-remove-deprecated-cflags.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-libmad: remove deprecated cflags (-fforce-mem)
-
-fforce-mem has long been deprecated, and is completely removed from
-gcc 4.3.x on.
----
- configure    |    1 -
- configure.ac |    1 -
- 2 files changed, 2 deletions(-)
-
-Index: libmad-0.15.1b/configure.ac
-===================================================================
---- libmad-0.15.1b.orig/configure.ac
-+++ libmad-0.15.1b/configure.ac
-@@ -140,7 +140,6 @@
-     case "$optimize" in
- 	-O|"-O "*)
- 	    optimize="-O"
--	    optimize="$optimize -fforce-mem"
- 	    optimize="$optimize -fforce-addr"
- 	    : #x optimize="$optimize -finline-functions"
- 	    : #- optimize="$optimize -fstrength-reduce"
-Index: libmad-0.15.1b/configure
-===================================================================
---- libmad-0.15.1b.orig/configure
-+++ libmad-0.15.1b/configure
-@@ -19099,7 +19099,6 @@
-     case "$optimize" in
- 	-O|"-O "*)
- 	    optimize="-O"
--	    optimize="$optimize -fforce-mem"
- 	    optimize="$optimize -fforce-addr"
- 	    : #x optimize="$optimize -finline-functions"
- 	    : #- optimize="$optimize -fstrength-reduce"
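Review bot: the deleted patch edits both configure.ac and the generated configure; since libmad.mk forces autoreconf (the unchanged comment at the end of the .mk hunk says so), only the configure.ac part ever mattered, so Debian's optimize.diff only needs to cover that file. It should still be confirmed that optimize.diff actually removes `-fforce-mem` rather than only touching other flags, because, as the dropped patch header notes, gcc 4.3 and later no longer accept it and the configure-time optimisation block would then fail outright.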
diff --git a/package/libmad/0004-thumb2-fixed-arm.patch b/package/libmad/0004-thumb2-fixed-arm.patch
deleted file mode 100644
index befda48d7e..0000000000
--- a/package/libmad/0004-thumb2-fixed-arm.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fixes Thumb2-related build failure
-
-Patch below comes from the Debian libmad package.
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-
-From: Dave Martin
-Subject: "rsc" doesnt exist anymore in thumb2
-
-diff --git a/fixed.h b/fixed.h
-index 4b58abf..ba4bc26 100644
---- a/fixed.h
-+++ b/fixed.h
-@@ -275,12 +275,25 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t x, mad_fixed_t y)
- 	 : "+r" (lo), "+r" (hi)  \
- 	 : "%r" (x), "r" (y))
- 
-+#ifdef __thumb__
-+/* In Thumb-2, the RSB-immediate instruction is only allowed with a zero
-+	operand.  If needed this code can also support Thumb-1 
-+	(simply append "s" to the end of the second two instructions). */
-+#  define MAD_F_MLN(hi, lo)  \
-+    asm ("rsbs        %0, %0, #0\n\t"  \
-+	 "sbc   %1, %1, %1\n\t"  \
-+	 "sub   %1, %1, %2"  \
-+	 : "+&r" (lo), "=&r" (hi)  \
-+	 : "r" (hi)  \
-+	 : "cc")
-+#else /* ! __thumb__ */
- #  define MAD_F_MLN(hi, lo)  \
-     asm ("rsbs	%0, %2, #0\n\t"  \
- 	 "rsc	%1, %3, #0"  \
--	 : "=r" (lo), "=r" (hi)  \
-+	 : "=&r" (lo), "=r" (hi)  \
- 	 : "0" (lo), "1" (hi)  \
- 	 : "cc")
-+#endif /* __thumb__ */
- 
- #  define mad_f_scale64(hi, lo)  \
-     ({ mad_fixed_t __result;  \
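Review bot: besides the Thumb-2 MAD_F_MLN variant, the dropped patch also adds an early-clobber to the non-Thumb constraint (`: "=&r" (lo), "=r" (hi)  \`), which is a separate change from the `#ifdef __thumb__` block. The commit message says the Debian file is the same patch; please confirm it carries that constraint line as well, because losing it would not be a build failure but a silently different register allocation on classic ARM.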
diff --git a/package/libmad/0005-thumb2-imdct-arm.patch b/package/libmad/0005-thumb2-imdct-arm.patch
deleted file mode 100644
index 414b9c8fcf..0000000000
--- a/package/libmad/0005-thumb2-imdct-arm.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Fixes Thumb2 related build failure
-
-Patch below comes from the Debian libmad package.
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-
-From: Konstantinos Margaritis <markos@debian.org>
-Subject: use "adr" instead of "add" to make code ready for thumb2
-
---- ./imdct_l_arm.S.orig	2010-02-25 13:25:23.000000000 +0100
-+++ ./imdct_l_arm.S	2010-02-25 13:27:26.000000000 +0100
-@@ -468,7 +468,7 @@
- 
-     @----
- 
--    add     r2, pc, #(imdct36_long_karray-.-8)  @ r2 = base address of Knn array (PIC safe ?)
-+    adr     r2, imdct36_long_karray
- 
- 
- loop:
diff --git a/package/libmad/libmad.hash b/package/libmad/libmad.hash
index 8b7859395f..2be1a8a3a8 100644
--- a/package/libmad/libmad.hash
+++ b/package/libmad/libmad.hash
@@ -1,4 +1,6 @@
-# Locally computed:
-sha256  bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690  libmad-0.15.1b.tar.gz
-sha256  0e21f2c6b19337d0b237dacc04f7b90a56be7f359f4c9a2ee0b202d9af0cfa69  frame_length.diff
+# From http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libm/libmad/libmad_0.15.1b-10.dsc
+sha256  bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690  libmad_0.15.1b.orig.tar.gz
+sha256  dfeabd5d2398bf902660edc31f87ad40600f0aa732b946f864d8ee6bbf56a99c  libmad_0.15.1b-10.diff.gz
+
+# Hash for license file:
 sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
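Review bot: the sha256 for frame_length.diff disappears here although that fix is still needed; it is presumably now inside the -10 .diff.gz, but the commit message lists only the three replaced Buildroot patches and says nothing about frame_length.diff, so a reader of this hash file cannot tell whether the fix is retained or lost. Suggest one line in the commit message naming it as part of the Debian series. As with libid3tag, the unchanged orig tarball hash (bbfac3ed…) confirms Debian's orig.tar.gz is the SourceForge tarball.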
diff --git a/package/libmad/libmad.mk b/package/libmad/libmad.mk
index b1c9cee5ac..33134e26d4 100644
--- a/package/libmad/libmad.mk
+++ b/package/libmad/libmad.mk
@@ -5,12 +5,27 @@
 ################################################################################
 
 LIBMAD_VERSION = 0.15.1b
-LIBMAD_SITE = http://downloads.sourceforge.net/project/mad/libmad/$(LIBMAD_VERSION)
+LIBMAD_PATCH = libmad_$(LIBMAD_VERSION)-10.diff.gz
+LIBMAD_SOURCE = libmad_$(LIBMAD_VERSION).orig.tar.gz
+LIBMAD_SITE = \
+	http://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libm/libmad
 LIBMAD_INSTALL_STAGING = YES
 LIBMAD_LICENSE = GPL-2.0+
 LIBMAD_LICENSE_FILES = COPYING
-LIBMAD_PATCH = \
-	https://sources.debian.net/data/main/libm/libmad/0.15.1b-8/debian/patches/frame_length.diff
+
+define LIBMAD_APPLY_DEBIAN_PATCHES
+	if [ -d $(@D)/debian/patches ]; then \
+		$(APPLY_PATCHES) $(@D) $(@D)/debian/patches *.patch; \
+	fi
+endef
+
+LIBMAD_POST_PATCH_HOOKS += LIBMAD_APPLY_DEBIAN_PATCHES
+
+# debian/patches/md_size.diff
+LIBMAD_IGNORE_CVES += CVE-2017-8372 CVE-2017-8373
+
+# debian/patches/length-check.patch
+LIBMAD_IGNORE_CVES += CVE-2017-8374
 
 # Force autoreconf to be able to use a more recent libtool script, that
 # is able to properly behave in the face of a missing C++ compiler.
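Review bot: the hook's glob `*.patch` does not match `md_size.diff`, `optimize.diff`, `libmad.thumb.diff` or `Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff`, all named in this patch as coming from debian/patches, yet CVE-2017-8372/8373 are marked ignored on the strength of md_size.diff. This is only right if the -10 .diff.gz ships a quilt series file, which the apply script follows in preference to the glob; if the directory is driven by a dpatch 00list or by debian/rules instead, those .diff files are never applied and the ignore list is wrong. Suggest passing `*.diff *.patch` (or documenting the reliance on series in the comment), and dropping the `if [ -d ... ]` guard: the .diff.gz always creates debian/, so a missing directory is an error worth failing on rather than skipping silently.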
-- 
2.25.1

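Both .mk hunks in this series tie each IGNORE_CVES entry to a named file under debian/patches by a comment line, and the entry is only honest if that file is present and actually applied. The following shell check is an added example, not Buildroot code, that pairs each `# debian/patches/<file>` comment with the `_IGNORE_CVES +=` line below it and verifies the file exists in a patch directory and, when a quilt series file is present, is listed in it. The .mk excerpt is the one from the libid3tag patch; the patch directory, its empty stand-in patch files and the series file are constructed for the example, and in a real build the directory to point it at would be the unpacked debian/patches in the package build directory after the patch step (an assumption about where to look, not something the page states).

```shell
#!/bin/sh
# Added example (not Buildroot code): check that every patch a <PKG>_IGNORE_CVES
# entry relies on is present in the Debian patch directory and, when a quilt
# series file exists, listed in it. The .mk excerpt is from the libid3tag
# patch; the patch directory and series file are constructed stand-ins.

# check_ignore_cves <pkg.mk> <debian/patches dir>
# Pairs each "# debian/patches/<file>" comment with the _IGNORE_CVES line that
# follows it. Returns the number of entries whose patch is absent or unlisted.
check_ignore_cves() {
    mk=$1; pdir=$2; problems=0
    for entry in $(awk '
        /^# debian\/patches\// { pf = substr($0, length("# debian/patches/") + 1); next }
        /_IGNORE_CVES \+=/ && pf != "" {
            cves = $3                              # CVE ids start at field 3
            for (i = 4; i <= NF; i++) cves = cves "," $i
            print pf ":" cves
            pf = ""
            next
        }
        NF > 0 { pf = "" }                         # any other line breaks the pairing
    ' "$mk"); do
        pf=${entry%%:*}; cves=${entry#*:}
        # escape dots so the file name is matched literally in the series file
        pat=$(printf '%s' "$pf" | sed 's/[.]/\\./g')
        if [ ! -f "$pdir/$pf" ]; then
            echo "ABSENT   $pf (claimed to fix $cves)"
            problems=$((problems + 1))
        elif [ -f "$pdir/series" ] && ! grep -qE "^$pat([[:space:]]|$)" "$pdir/series"; then
            echo "UNLISTED $pf is not in series (claimed to fix $cves)"
            problems=$((problems + 1))
        else
            echo "OK       $pf -> $cves"
        fi
    done
    return $problems
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# The libid3tag.mk excerpt from the patch.
MK=$TMP/libid3tag.mk
cat > "$MK" <<'EOF'
# debian/patches/10_utf16.dpatch
LIBID3TAG_IGNORE_CVES += CVE-2004-2779 CVE-2017-11551

# debian/patches/11_unknown_encoding.dpatch
LIBID3TAG_IGNORE_CVES += CVE-2017-11550

# Force autoreconf to be able to use a more recent libtool script, that
# is able to properly behave in the face of a missing C++ compiler.
LIBID3TAG_AUTORECONF = YES
EOF

# Constructed patch directory: empty stand-ins for the Debian patch files,
# listed in a series file in application order.
GOOD=$TMP/good/debian/patches
mkdir -p "$GOOD"
for f in add-m4-directory.patch 10_utf16.dpatch 11_unknown_encoding.dpatch; do
    : > "$GOOD/$f"
    echo "$f" >> "$GOOD/series"
done

# Constructed broken layout: the series file no longer lists the second fix.
BROKEN=$TMP/broken/debian/patches
mkdir -p "$BROKEN"
cp "$GOOD"/* "$BROKEN"/
printf '%s\n' add-m4-directory.patch 10_utf16.dpatch > "$BROKEN/series"

echo "== complete series =="
check_ignore_cves "$MK" "$GOOD" || echo "$? entries not backed by an applied patch"
echo "== series missing 11_unknown_encoding.dpatch =="
check_ignore_cves "$MK" "$BROKEN" || echo "$? entries not backed by an applied patch"
```

The exit status is the number of unbacked entries, so the check drops straight into a CI step; it deliberately ignores whether the patch tool would accept a given suffix, which is a separate question to settle from the build log.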

* [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs
  2020-04-12 10:18 [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs Fabrice Fontaine
  2020-04-12 10:18 ` [Buildroot] [PATCH 2/2] package/libmad: " Fabrice Fontaine
@ 2020-04-12 20:22 ` Yann E. MORIN
  2020-04-30 12:39 ` Peter Korsgaard
  2 siblings, 0 replies; 6+ messages in thread
From: Yann E. MORIN @ 2020-04-12 20:22 UTC (permalink / raw)
  To: buildroot

Fabrice, All,

On 2020-04-12 12:18 +0200, Fabrice Fontaine spake thusly:
> Upstream libid3tag has been dead since 2004, so switch to debian to get two
> patches that fix the following CVEs:
>  - CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
>    through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
>    number of bytes, triggering an endless loop allocating memory until
>    an OOM condition is reached, leading to denial-of-service (DoS).
>  - CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
>    0.15.1b allows remote attackers to cause a denial of service (NULL
>    Pointer Dereference and application crash) via a crafted mp3 file.
>  - CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
>    0.15.1b allows remote attackers to cause a denial of service (OOM)
>    via a crafted MP3 file.
> 
> Moreover, drop patch (replaced by add-m4-directory.patch debian patch)
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Both applied to master, thanks.

Regards,
Yann E. MORIN.


-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 2/2] package/libmad: switch to debian to fix CVEs
  2020-04-12 10:18 ` [Buildroot] [PATCH 2/2] package/libmad: " Fabrice Fontaine
@ 2020-04-21  9:11   ` Peter Korsgaard
  2020-04-30 12:39   ` Peter Korsgaard
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-04-21  9:11 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Upstream libmad has been dead since 2004, so switch to debian package to get
 > two patches that fix the following CVEs:
 >  - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
 >    cause a denial of service (assertion failure and application exit)
 >    via a crafted audio file.
 >  - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer overflow and application crash) or possibly have
 >    unspecified other impact via a crafted audio file.
 >  - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer over-read and application crash) via a crafted
 >    audio file.

 > Moreover:
 >  - Remove third patch (replaced by optimize.diff debian patch)
 >  - Remove fourth patch (same patch as
 >    Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 >  - Remove fifth patch (same patch as libmad.thumb.diff)

The patch is fine, but maybe we should consider getting rid of these
old/dead packages when there are other maintained alternatives
available?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs
  2020-04-12 10:18 [Buildroot] [PATCH 1/2] package/libid3tag: switch to debian to fix CVEs Fabrice Fontaine
  2020-04-12 10:18 ` [Buildroot] [PATCH 2/2] package/libmad: " Fabrice Fontaine
  2020-04-12 20:22 ` [Buildroot] [PATCH 1/2] package/libid3tag: " Yann E. MORIN
@ 2020-04-30 12:39 ` Peter Korsgaard
  2 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-04-30 12:39 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Upstream libid3tag has been dead since 2004, so switch to debian to get two
 > patches that fix the following CVEs:
 >  - CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
 >    through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
 >    number of bytes, triggering an endless loop allocating memory until
 >    an OOM condition is reached, leading to denial-of-service (DoS).
 >  - CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
 >    0.15.1b allows remote attackers to cause a denial of service (NULL
 >    Pointer Dereference and application crash) via a crafted mp3 file.
 >  - CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
 >    0.15.1b allows remote attackers to cause a denial of service (OOM)
 >    via a crafted MP3 file.

 > Moreover, drop patch (replaced by add-m4-directory.patch debian patch)

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 2/2] package/libmad: switch to debian to fix CVEs
  2020-04-12 10:18 ` [Buildroot] [PATCH 2/2] package/libmad: " Fabrice Fontaine
  2020-04-21  9:11   ` Peter Korsgaard
@ 2020-04-30 12:39   ` Peter Korsgaard
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2020-04-30 12:39 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Upstream libmad has been dead since 2004, so switch to debian package to get
 > two patches that fix the following CVEs:
 >  - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
 >    cause a denial of service (assertion failure and application exit)
 >    via a crafted audio file.
 >  - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer overflow and application crash) or possibly have
 >    unspecified other impact via a crafted audio file.
 >  - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
 >    libmad 0.15.1b allows remote attackers to cause a denial of service
 >    (heap-based buffer over-read and application crash) via a crafted
 >    audio file.

 > Moreover:
 >  - Remove third patch (replaced by optimize.diff debian patch)
 >  - Remove fourth patch (same patch as
 >    Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 >  - Remove fifth patch (same patch as libmad.thumb.diff)

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard

