Hello community, here is the log from the commit of package mpg123 for openSUSE:Factory checked in at 2019-08-27 10:10:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpg123 (Old) and /work/SRC/openSUSE:Factory/.mpg123.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpg123" Tue Aug 27 10:10:44 2019 rev:13 rq:725861 version:1.25.12 Changes: -------- --- /work/SRC/openSUSE:Factory/mpg123/mpg123.changes 2019-07-21 11:30:49.684812942 +0200 +++ /work/SRC/openSUSE:Factory/.mpg123.new.7948/mpg123.changes 2019-08-27 10:10:46.535981970 +0200 @@ -1,0 +2,18 @@ +Sat Aug 24 19:01:13 UTC 2019 - Luigi Baldoni <[email protected]> + +- Update to version 1.25.12 + * Fix dynamic build with gcc -fsanitize=address (check for all + dl functions before deciding that separate -ldl is not + needed). + libmpg123: + * Fix an out-of-bounds read of maximal two bytes for truncated + RVA2 frames (oss-fuzz-bug 15975). The earlier fix around the + same location needed one thought more. Actually, another + though was needed, oss-fuzz-bug 16009 documents the + incomplete fix. + * Fix an invalid write of one zero byte for empty ID3v2 frames + that demand de-unsyncing (oss-fuzz-bug 16050). + * Correct preprocessor syntax in mangle.h, no #error in a + #define line. (bug 273, thanks to nmlgc). + +------------------------------------------------------------------- Old: ---- mpg123-1.25.11.tar.bz2 mpg123-1.25.11.tar.bz2.sig New: ---- mpg123-1.25.12.tar.bz2 mpg123-1.25.12.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mpg123.spec ++++++ --- /var/tmp/diff_new_pack.wjR0uf/_old 2019-08-27 10:10:47.043981936 +0200 +++ /var/tmp/diff_new_pack.wjR0uf/_new 2019-08-27 10:10:47.043981936 +0200 @@ -17,7 +17,7 @@ Name: mpg123 -Version: 1.25.11 +Version: 1.25.12 Release: 0 Summary: Console MPEG audio player and decoder library License: LGPL-2.1-only ++++++ mpg123-1.25.11.tar.bz2 -> mpg123-1.25.12.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/NEWS new/mpg123-1.25.12/NEWS --- old/mpg123-1.25.11/NEWS 2019-07-18 06:24:00.000000000 +0200 +++ new/mpg123-1.25.12/NEWS 2019-08-22 07:41:38.000000000 +0200 
@@ -1,3 +1,27 @@ +1.25.12 +------- + +More credit to OSS-Fuzz. The ID3v2 parser code is not yet as hardened +as the actual MPEG decoder. The paranoid can disable it at build-time. +If you do not need it, this is a good idea, anyway: Code that is not +there, cannot be exploited. Speaking about exploits: The recent crop +of bugs trigger a denial of service (crash) worst-case, some invalid +ID3 data normally. Code injection maybe not totally ruled out (that one +write of a zero byte?), but does not seem easy. Update to be sure that +you are only suceptible to as of yet hidden bugs. + +- libmpg123 +-- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames + (oss-fuzz-bug 15975). The earlier fix around the same location needed + one thought more. Actually, another though was needed, oss-fuzz-bug 16009 + documents the incomplete fix. +-- Fix an invalid write of one zero byte for empty ID3v2 frames that demand + de-unsyncing (oss-fuzz-bug 16050). +-- Correct preprocessor syntax in mangle.h, no #error in a #define line. + (bug 273, thanks to nmlgc). +- Fix dynamic build with gcc -fsanitize=address (check for all dl functions + before deciding that separate -ldl is not needed). + 1.25.11 ------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/configure new/mpg123-1.25.12/configure --- old/mpg123-1.25.11/configure 2019-07-18 07:06:54.000000000 +0200 +++ new/mpg123-1.25.12/configure 2019-08-22 07:49:28.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mpg123 1.25.11. +# Generated by GNU Autoconf 2.69 for mpg123 1.25.12. # # Report bugs to <[email protected]>. # 
@@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='mpg123' PACKAGE_TARNAME='mpg123' -PACKAGE_VERSION='1.25.11' -PACKAGE_STRING='mpg123 1.25.11' +PACKAGE_VERSION='1.25.12' +PACKAGE_STRING='mpg123 1.25.12' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1578,7 +1578,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mpg123 1.25.11 to adapt to many kinds of systems. +\`configure' configures mpg123 1.25.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1649,7 +1649,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mpg123 1.25.11:";; + short | recursive ) echo "Configuration of mpg123 1.25.12:";; esac cat <<\_ACEOF @@ -1875,7 +1875,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mpg123 configure 1.25.11 +mpg123 configure 1.25.12 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2481,7 +2481,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mpg123 $as_me 1.25.11, which was +It was created by mpg123 $as_me 1.25.12, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2834,7 +2834,7 @@ API_VERSION=44 -LIB_PATCHLEVEL=9 +LIB_PATCHLEVEL=10 OUTAPI_VERSION=2 OUTLIB_PATCHLEVEL=2 @@ -3437,7 +3437,7 @@ # Define the identity of the package. PACKAGE='mpg123' - VERSION='1.25.11' + VERSION='1.25.12' cat >>confdefs.h <<_ACEOF @@ -6497,6 +6497,7 @@ echo "Modules disabled, not checking for dynamic loading." else have_dl=no + dl_missing=no # The dlopen() API is either in libc or in libdl. if test x$ac_cv_header_windows_h = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if LoadLibrary should be used" >&5 
@@ -6587,6 +6588,118 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlsym" >&5 +$as_echo_n "checking for library containing dlsym... " >&6; } +if ${ac_cv_search_dlsym+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlsym (); +int +main () +{ +return dlsym (); + ; + return 0; +} +_ACEOF +for ac_lib in '' dl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dlsym=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dlsym+:} false; then : + break +fi +done +if ${ac_cv_search_dlsym+:} false; then : + +else + ac_cv_search_dlsym=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlsym" >&5 +$as_echo "$ac_cv_search_dlsym" >&6; } +ac_res=$ac_cv_search_dlsym +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlclose" >&5 +$as_echo_n "checking for library containing dlclose... " >&6; } +if ${ac_cv_search_dlclose+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char dlclose (); +int +main () +{ +return dlclose (); + ; + return 0; +} +_ACEOF +for ac_lib in '' dl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dlclose=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dlclose+:} false; then : + break +fi +done +if ${ac_cv_search_dlclose+:} false; then : + +else + ac_cv_search_dlclose=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlclose" >&5 +$as_echo "$ac_cv_search_dlclose" >&6; } +ac_res=$ac_cv_search_dlclose +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + ac_fn_c_check_header_mongrel "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default" if test "x$ac_cv_header_dlfcn_h" = xyes; then : @@ -6602,10 +6715,17 @@ #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF have_dl=yes +else + dl_missing=yes fi done fi + if test x"$dl_missing" = xyes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Some dynamic loading functions missing." >&5 +$as_echo "$as_me: WARNING: Some dynamic loading functions missing." >&2;} + have_dl=no + fi if test x"$modules" = xenabled -a x"$have_dl" = xno; then as_fn_error $? "Modules enabled but no runtime loader found! This will not work..." "$LINENO" 5 fi @@ -20271,7 +20391,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mpg123 $as_me 1.25.11, which was +This file was extended by mpg123 $as_me 1.25.12, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -20337,7 +20457,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mpg123 config.status 1.25.11 +mpg123 config.status 1.25.12 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/configure.ac new/mpg123-1.25.12/configure.ac --- old/mpg123-1.25.11/configure.ac 2019-07-18 07:06:28.000000000 +0200 +++ new/mpg123-1.25.12/configure.ac 2019-08-22 07:48:37.000000000 +0200 @@ -8,12 +8,12 @@ AC_PREREQ(2.57) dnl ############# Initialisation -AC_INIT([mpg123], [1.25.11], [[email protected]]) +AC_INIT([mpg123], [1.25.12], [[email protected]]) dnl Increment API_VERSION when the API gets changes (new functions). dnl libmpg123 API_VERSION=44 -LIB_PATCHLEVEL=9 +LIB_PATCHLEVEL=10 dnl libout123 OUTAPI_VERSION=2 @@ -154,6 +154,7 @@ echo "Modules disabled, not checking for dynamic loading." else have_dl=no + dl_missing=no # The dlopen() API is either in libc or in libdl. if test x$ac_cv_header_windows_h = xyes; then AC_MSG_CHECKING([if LoadLibrary should be used]) 
@@ -177,8 +178,14 @@
 [AC_MSG_RESULT([no])])
 else
 AC_SEARCH_LIBS(dlopen, dl)
+ AC_SEARCH_LIBS(dlsym, dl)
+ AC_SEARCH_LIBS(dlclose, dl)
 AC_CHECK_HEADER(dlfcn.h)
- AC_CHECK_FUNCS(dlopen dlsym dlclose, [ have_dl=yes ])
+ AC_CHECK_FUNCS(dlopen dlsym dlclose, [ have_dl=yes ], [ dl_missing=yes] )
+ fi
+ if test x"$dl_missing" = xyes; then
+ AC_MSG_WARN([Some dynamic loading functions missing.])
+ have_dl=no
 fi
 if test x"$modules" = xenabled -a x"$have_dl" = xno; then
 AC_MSG_ERROR([Modules enabled but no runtime loader found! This will not work...])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/mpg123.spec new/mpg123-1.25.12/mpg123.spec
--- old/mpg123-1.25.11/mpg123.spec 2019-07-18 07:07:20.000000000 +0200
+++ new/mpg123-1.25.12/mpg123.spec 2019-08-22 07:51:40.000000000 +0200
@@ -3,7 +3,7 @@
 # - devel packages for alsa, sdl, etc... to build the respective output modules.
 Summary: The fast console mpeg audio decoder/player.
 Name: mpg123
-Version: 1.25.11
+Version: 1.25.12
 Release: 1
 URL: http://www.mpg123.org/
 License: GPL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/src/libmpg123/id3.c new/mpg123-1.25.12/src/libmpg123/id3.c
--- old/mpg123-1.25.11/src/libmpg123/id3.c 2019-07-18 06:21:27.000000000 +0200
+++ new/mpg123-1.25.12/src/libmpg123/id3.c 2019-08-21 21:31:26.000000000 +0200
@@ -884,7 +884,8 @@
 int rva_mode = -1; /* mix / album */
 unsigned long realsize = framesize;
 unsigned char* realdata = tagdata+pos;
- if((flags & UNSYNC_FLAG) || (fflags & UNSYNC_FFLAG))
+ unsigned char* unsyncbuffer = NULL;
+ if(((flags & UNSYNC_FLAG) || (fflags & UNSYNC_FFLAG)) && framesize > 0)
 {
 unsigned long ipos = 0;
 unsigned long opos = 0;
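Review bot: The added `AC_SEARCH_LIBS(dlsym, dl)` and `AC_SEARCH_LIBS(dlclose, dl)` calls in configure.ac have no comment saying why probing dlopen alone is not enough, so a later cleanup could fold them away again. The changelog ties the change to builds with `-fsanitize=address`, where presumably dlopen links without -ldl while the other two functions do not. I would add above them `# dlopen may link without -ldl (seen with -fsanitize=address); probe dlsym and dlclose too so -ldl is not dropped wrongly.` The enclosing if/else starts outside the hunk.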
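Review bot: The new `&& framesize > 0` condition in id3.c (hunk @@ -884) is a memory-safety guard but carries no comment, and it changes what the rest of the frame handler sees for an empty frame. With the guard, an empty frame that sets an unsync flag skips de-unsync and continues with realsize 0 and realdata still pointing into tagdata, so every frame-type branch further down (outside this hunk) has to tolerate zero-length data. I would add above the `if` a comment such as `/* Empty frames have nothing to de-unsync; see the invalid zero-byte write fixed for oss-fuzz bug 16050. */`, assuming this is the 16050 fix listed in NEWS. The enclosing function starts and ends outside the hunk.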
@@ -892,7 +893,7 @@
 /* de-unsync: FF00 -> FF; real FF00 is simply represented as FF0000 ... */
 /* damn, that means I have to delete bytes from withing the data block... thus need temporal storage */
 /* standard mandates that de-unsync should always be safe if flag is set */
- realdata = (unsigned char*) malloc(framesize+1); /* will need <= bytes, plus a safety zero */
+ realdata = unsyncbuffer = malloc(framesize+1); /* will need <= bytes, plus a safety zero */
 if(realdata == NULL)
 {
 if(NOQUIET) error("ID3v2: unable to allocate working buffer for de-unsync");
@@ -938,10 +939,12 @@
 if(fr->rva.level[rva_mode] <= rva2+1)
 {
 pos += strlen((char*) realdata) + 1;
- if(pos >= realsize)
+ // channel and two bytes for RVA value
+ // pos possibly just past the safety zero, so one more than realsize
+ if(pos > realsize || realsize-pos < 3)
 {
 if(NOQUIET)
- error("bad RVA2 tag (non-terminated identification)");
+ error("bad RVA2 tag (truncated?)");
 }
 else if(realdata[pos] == 1)
 {
@@ -974,7 +977,8 @@
 break;
 default: if(NOQUIET) error1("ID3v2: unknown frame type %i", tt);
 }
- if((flags & UNSYNC_FLAG) || (fflags & UNSYNC_FFLAG)) free(realdata);
+ if(unsyncbuffer)
+ free(unsyncbuffer);
 }
 #undef BAD_FFLAGS
 #undef PRES_TAG_FFLAG
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpg123-1.25.11/src/libmpg123/mangle.h new/mpg123-1.25.12/src/libmpg123/mangle.h
--- old/mpg123-1.25.11/src/libmpg123/mangle.h 2019-07-18 05:31:39.000000000 +0200
+++ new/mpg123-1.25.12/src/libmpg123/mangle.h 2019-08-22 07:40:19.000000000 +0200
@@ -114,7 +114,7 @@
 /* Mach-O binaries (OSX/iOS) */
 #define LOCAL_VAR(a) a ## - Lpic_base(_EBX_)
-#define GLOBAL_VAR(a) #error This ABI cannot access non-local symbols directly.
+#define GLOBAL_VAR(a) .err This ABI cannot access non-local symbols directly.
 #define GLOBAL_VAR_PTR(a) L_ ## a ## - Lpic_base(_EBX_)
 #define FUNC(a) L_ ## a
 #define EXTERNAL_FUNC(a) L_ ## a
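Review bot: `realdata = unsyncbuffer = malloc(framesize+1);` (id3.c, hunk @@ -892) creates a second pointer to the same allocation without saying which one owns it. A comment such as `/* unsyncbuffer owns this allocation; realdata either aliases it or points into tagdata */` would make the later free self-explanatory. The size `framesize+1` is computed in unsigned long and relies on framesize being bounded by the tag length; that bound, if it is enforced, lies outside this hunk, so stating it next to the allocation would help the next reader.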
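Review bot: `strlen((char*) realdata)` in the RVA2 branch (id3.c, hunk @@ -938) still runs before the new bounds check, so the scan for the identification terminator is limited by the first zero byte in memory and not by realsize. For the de-unsynced copy the safety zero bounds it, but when realdata points into tagdata the terminator depends on how tagdata was allocated, which is not visible here. A bounded search, `unsigned char *z = memchr(realdata, 0, realsize);` with `z == NULL` treated as a truncated tag, would keep the read inside the frame regardless. The new test `pos > realsize || realsize-pos < 3` is ordered correctly for unsigned arithmetic; the branch continues past the hunk.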
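Review bot: The guard in `if(unsyncbuffer) free(unsyncbuffer);` (id3.c, hunk @@ -974) is redundant, because free(NULL) is defined as a no-op. A plain `free(unsyncbuffer);` is shorter and states the single-owner intent just as well. The closing brace after it belongs to a block opened outside the hunk.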
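Review bot: The new macro bodies `.err This ABI cannot access non-local symbols directly.` (mangle.h, hunk @@ -114) and `.err Cannot use indirect addressing in non-PIC object.` (hunk @@ -130) have no comment saying they are meant to stop the assembler, so they read like a typo of `#error`. In GNU as, `.err` takes no message and `.error "text"` is the form that prints one, so the trailing words probably only fail as junk after the directive. That still aborts the build, but whether every supported assembler, the Mach-O one in particular, reports it usefully is not visible here. I would add `/* expands to an assembler error on use; #error cannot appear inside a #define */` above each macro and consider `.error "..."` where the toolchain supports it.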
@@ -130,7 +130,7 @@
 /* Dummies for everyone else. */
 #define LOCAL_VAR(a) a
 #define GLOBAL_VAR ASM_NAME
-#define GLOBAL_VAR_PTR(a) #error Cannot use indirect addressing in non-PIC object.
+#define GLOBAL_VAR_PTR(a) .err Cannot use indirect addressing in non-PIC object.
 #define FUNC ASM_NAME
 #define EXTERNAL_FUNC ASM_NAME
 #define GET_GOT
