diff options
| author | Kei Kebreau <kkebreau@posteo.net> | 2021-03-16 12:03:12 -0400 |
|---|---|---|
| committer | Léo Le Bouter <lle-bout@zaclys.net> | 2021-03-16 19:12:36 +0100 |
| commit | 109f58444beecd1b9b7c502f2a687a6b91c62dc0 (patch) | |
| tree | 2c9bb1d301f675703a11a01cf69be76b7be8ff29 | |
| parent | 82a9538ea01596a57bf642d729500f15bcd17f84 (diff) | |
| download | guix-109f58444beecd1b9b7c502f2a687a6b91c62dc0.tar guix-109f58444beecd1b9b7c502f2a687a6b91c62dc0.tar.gz | |
gnu: mpg321: Fix CVE-2019-14247.
* gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/mp3.scm (mpg321)[source]: Apply it.
Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net>
Signed-off-by: Leo Famulari <leo@famulari.name>
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/mp3.scm | 4 | ||||
| -rw-r--r-- | gnu/packages/patches/mpg321-CVE-2019-14247.patch | 23 |
3 files changed, 27 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index cf8849cf59..abb1e2140d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1404,6 +1404,7 @@ dist_patch_DATA = \ %D%/packages/patches/mit-krb5-hurd.patch \ %D%/packages/patches/mit-krb5-qualify-short-hostnames.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \ + %D%/packages/patches/mpg321-CVE-2019-14247.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/monero-use-system-miniupnpc.patch \ %D%/packages/patches/mono-mdoc-timestamping.patch \ diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 34390d3696..dba3e17558 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -408,7 +408,9 @@ command-line tool as well as a C library, libmpg123.") version "/mpg321-" version ".tar.gz")) (sha256 (base32 - "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5")))) + "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5")) + (patches + (search-patches "mpg321-CVE-2019-14247.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-alsa"))) (inputs diff --git a/gnu/packages/patches/mpg321-CVE-2019-14247.patch b/gnu/packages/patches/mpg321-CVE-2019-14247.patch new file mode 100644 index 0000000000..03afaccc67 --- /dev/null +++ b/gnu/packages/patches/mpg321-CVE-2019-14247.patch @@ -0,0 +1,23 @@ +This patch was downloaded from https://sourceforge.net/p/mpg321/bugs/51/ and +fixes CVE-2019-14247. + +Description: Handle illegal bitrate value +Author: Chrysostomos Nanakos <cnanakos@debian.org> +Bug-Debian: https://bugs.debian.org/870406 +Bug-Debian: https://bugs.debian.org/887057 + +--- mpg321-0.3.2.orig/mad.c ++++ mpg321-0.3.2/mad.c +@@ -574,6 +574,12 @@ void scan(void const *ptr, ssize_t len, + + if (!is_vbr) + { ++ if (header.bitrate <= 0) ++ { ++ fprintf(stderr, "Illegal bit allocation value\n"); ++ return; ++ } ++ + double time = (len * 8.0) / (header.bitrate); /* time in seconds */ + double timefrac = (double)time - ((long)(time)); + long nsamples = 32 * MAD_NSBSAMPLES(&header); /* samples per frame */ |