Hello community, here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2017-07-17 09:01:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpg123 (Old) and /work/SRC/openSUSE:Factory/.mpg123.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpg123" Mon Jul 17 09:01:23 2017 rev:4 rq:509420 version:1.25.2 Changes: -------- --- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes 2017-07-10 10:59:47.808588201 +0200 +++ /work/SRC/openSUSE:Factory/.mpg123.new/mpg123.changes 2017-07-17 09:01:51.034586604 +0200 @@ -1,0 +2,17 @@ +Tue Jul 11 10:36:15 UTC 2017 - [email protected] + +- Update to version 1.25.2 + libmpg123: + * Extend pow tables for layer III to properly handle files + with i-stereo and 5-bit scalefactors. Never observed them + for real, just as fuzzed input to trigger the read overflow. + Note: This one goes on record as CVE-2017-11126, calling + remote denial of service. While the accesses are out of + bounds for the pow tables, they still are safely within + libmpg123's memory (other static tables). Just wrong values + are used for computation, no actual crash unless you use + something like GCC's AddressSanitizer, nor any information + disclosure. + * Avoid left-shifts of negative integers in layer I decoding. + +------------------------------------------------------------------- Old: ---- mpg123-1.25.1.tar.bz2 mpg123-1.25.1.tar.bz2.sig New: ---- mpg123-1.25.2.tar.bz2 mpg123-1.25.2.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mpg123.spec ++++++ --- /var/tmp/diff_new_pack.djQobD/_old 2017-07-17 09:01:51.606506070 +0200 +++ /var/tmp/diff_new_pack.djQobD/_new 2017-07-17 09:01:51.610505507 +0200 @@ -17,7 +17,7 @@ Name: mpg123 -Version: 1.25.1 +Version: 1.25.2 Release: 0 Summary: Console MPEG audio player and decoder library License: LGPL-2.1 ++++++ mpg123-1.25.1.tar.bz2 -> mpg123-1.25.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/NEWS new/mpg123-1.25.2/NEWS --- old/mpg123-1.25.1/NEWS 2017-07-03 01:19:16.000000000 +0200 +++ new/mpg123-1.25.2/NEWS 2017-07-11 11:36:46.000000000 +0200 @@ -1,3 +1,17 @@ +1.25.2 +------ + +- libmpg123: +-- Extend pow tables for layer III to properly handle files with i-stereo and + 5-bit scalefactors. Never observed them for real, just as fuzzed input to + trigger the read overflow. Note: This one goes on record as CVE-2017-11126, + calling remote denial of service. While the accesses are out of bounds for + the pow tables, they still are safely within libmpg123's memory (other + static tables). Just wrong values are used for computation, no actual crash + unless you use something like GCC's AddressSanitizer, nor any information + disclosure. +-- Avoid left-shifts of negative integers in layer I decoding. + 1.25.1: Hot Fuzz ------- - libmpg123: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/configure new/mpg123-1.25.2/configure --- old/mpg123-1.25.1/configure 2017-07-03 01:19:32.000000000 +0200 +++ new/mpg123-1.25.2/configure 2017-07-11 11:37:28.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mpg123 1.25.1. +# Generated by GNU Autoconf 2.69 for mpg123 1.25.2. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='mpg123' PACKAGE_TARNAME='mpg123' -PACKAGE_VERSION='1.25.1' -PACKAGE_STRING='mpg123 1.25.1' +PACKAGE_VERSION='1.25.2' +PACKAGE_STRING='mpg123 1.25.2' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1567,7 +1567,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mpg123 1.25.1 to adapt to many kinds of systems. +\`configure' configures mpg123 1.25.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1637,7 +1637,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mpg123 1.25.1:";; + short | recursive ) echo "Configuration of mpg123 1.25.2:";; esac cat <<\_ACEOF @@ -1863,7 +1863,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mpg123 configure 1.25.1 +mpg123 configure 1.25.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2469,7 +2469,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mpg123 $as_me 1.25.1, which was +It was created by mpg123 $as_me 1.25.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2822,7 +2822,7 @@ API_VERSION=44 -LIB_PATCHLEVEL=1 +LIB_PATCHLEVEL=2 OUTAPI_VERSION=2 OUTLIB_PATCHLEVEL=1 @@ -3425,7 +3425,7 @@ # Define the identity of the package. PACKAGE='mpg123' - VERSION='1.25.1' + VERSION='1.25.2' cat >>confdefs.h <<_ACEOF @@ -20241,7 +20241,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mpg123 $as_me 1.25.1, which was +This file was extended by mpg123 $as_me 1.25.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20307,7 +20307,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mpg123 config.status 1.25.1 +mpg123 config.status 1.25.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/configure.ac new/mpg123-1.25.2/configure.ac --- old/mpg123-1.25.1/configure.ac 2017-07-03 01:19:17.000000000 +0200 +++ new/mpg123-1.25.2/configure.ac 2017-07-11 11:28:42.000000000 +0200 @@ -8,12 +8,12 @@ AC_PREREQ(2.57) dnl ############# Initialisation -AC_INIT([mpg123], [1.25.1], [[email protected]]) +AC_INIT([mpg123], [1.25.2], [[email protected]]) dnl Increment API_VERSION when the API gets changes (new functions). dnl libmpg123 API_VERSION=44 -LIB_PATCHLEVEL=1 +LIB_PATCHLEVEL=2 dnl libout123 OUTAPI_VERSION=2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/mpg123.spec new/mpg123-1.25.2/mpg123.spec --- old/mpg123-1.25.1/mpg123.spec 2017-07-03 01:19:57.000000000 +0200 +++ new/mpg123-1.25.2/mpg123.spec 2017-07-11 11:39:09.000000000 +0200 @@ -3,7 +3,7 @@ # - devel packages for alsa, sdl, etc... to build the respective output modules. Summary: The fast console mpeg audio decoder/player. Name: mpg123 -Version: 1.25.1 +Version: 1.25.2 Release: 1 URL: http://www.mpg123.org/ License: GPL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/src/libmpg123/layer1.c new/mpg123-1.25.2/src/libmpg123/layer1.c --- old/mpg123-1.25.1/src/libmpg123/layer1.c 2017-07-03 01:19:17.000000000 +0200 +++ new/mpg123-1.25.2/src/libmpg123/layer1.c 2017-07-11 11:27:37.000000000 +0200 @@ -84,6 +84,9 @@ return 0; } +/* Something sane in place of undefined (-1)<<n. Well, not really. */ +#define MINUS_SHIFT(n) ( (int)(((unsigned int)-1)<<(n)) ) + static void I_step_two(real fraction[2][SBLIMIT],unsigned int balloc[2*SBLIMIT], unsigned int scale_index[2][SBLIMIT],mpg123_handle *fr) { int i,n; @@ -112,18 +115,18 @@ for(sample=smpb,i=0;i<jsbound;i++) { if((n=*ba++)) - *f0++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15( ((-1)<<n) + (*sample++) + 1), fr->muls[n+1][*sca++]); + *f0++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15(MINUS_SHIFT(n) + (*sample++) + 1), fr->muls[n+1][*sca++]); else *f0++ = DOUBLE_TO_REAL(0.0); if((n=*ba++)) - *f1++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15( ((-1)<<n) + (*sample++) + 1), fr->muls[n+1][*sca++]); + *f1++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15(MINUS_SHIFT(n) + (*sample++) + 1), fr->muls[n+1][*sca++]); else *f1++ = DOUBLE_TO_REAL(0.0); } for(i=jsbound;i<SBLIMIT;i++) { if((n=*ba++)) { - real samp = DOUBLE_TO_REAL_15( ((-1)<<n) + (*sample++) + 1); + real samp = DOUBLE_TO_REAL_15(MINUS_SHIFT(n) + (*sample++) + 1); *f0++ = REAL_MUL_SCALE_LAYER12(samp, fr->muls[n+1][*sca++]); *f1++ = REAL_MUL_SCALE_LAYER12(samp, fr->muls[n+1][*sca++]); } @@ -144,7 +147,7 @@ for(sample=smpb,i=0;i<SBLIMIT;i++) { if((n=*ba++)) - *f0++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15( ((-1)<<n) + (*sample++) + 1), fr->muls[n+1][*sca++]); + *f0++ = REAL_MUL_SCALE_LAYER12(DOUBLE_TO_REAL_15(MINUS_SHIFT(n) + (*sample++) + 1), fr->muls[n+1][*sca++]); else *f0++ = DOUBLE_TO_REAL(0.0); } for(i=fr->down_sample_sblimit;i<32;i++) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.1/src/libmpg123/layer3.c new/mpg123-1.25.2/src/libmpg123/layer3.c --- old/mpg123-1.25.1/src/libmpg123/layer3.c 2017-07-03 01:19:17.000000000 +0200 +++ new/mpg123-1.25.2/src/libmpg123/layer3.c 2017-07-11 11:27:37.000000000 +0200 @@ -47,7 +47,7 @@ #ifdef NEW_DCT9 static real cos9[3],cos18[3]; static real tan1_1[16],tan2_1[16],tan1_2[16],tan2_2[16]; -static real pow1_1[2][16],pow2_1[2][16],pow1_2[2][16],pow2_2[2][16]; +static real pow1_1[2][32],pow2_1[2][32],pow1_2[2][32],pow2_2[2][32]; #endif #endif @@ -245,7 +245,10 @@ tan2_1[i] = DOUBLE_TO_REAL_15(1.0 / (1.0 + t)); tan1_2[i] = DOUBLE_TO_REAL_15(M_SQRT2 * t / (1.0+t)); tan2_2[i] = DOUBLE_TO_REAL_15(M_SQRT2 / (1.0 + t)); + } + for(i=0;i<32;i++) + { for(j=0;j<2;j++) { double base = pow(2.0,-0.25*(j+1.0));
