buildroot/package/libmad/libmad.mk
Fabrice Fontaine 858df3643f package/libmad: switch to debian to fix CVEs
Upstream libmad is dead since 2004 so switch to debian package to get
two patches that fix the following CVEs:
 - CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
   cause a denial of service (assertion failure and application exit)
   via a crafted audio file.
 - CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer overflow and application crash) or possibly have
   unspecified other impact via a crafted audio file.
 - CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
   libmad 0.15.1b allows remote attackers to cause a denial of service
   (heap-based buffer over-read and application crash) via a crafted
   audio file.

Moreover:
 - Remove third patch (replaced by optimize.diff debian patch)
 - Remove fourth patch (same patch as
   Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
 - Remove fifth patch (same patch as libmad.thumb.diff)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-04-12 22:21:02 +02:00


################################################################################
#
# libmad
#
################################################################################
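# Upstream 0.15.1b tarball plus the Debian packaging diff (revision -10), both
# taken from a fixed snapshot.debian.org timestamp so the inputs stay stable.
# The site is fetched over HTTPS: the tarball and the diff that carries the
# CVE fixes are build inputs and should not be downloaded in cleartext.
# Transport security does not replace hash checking; the package's .hash file
# (not shown here) should list both LIBMAD_SOURCE and LIBMAD_PATCH -- confirm.
LIBMAD_VERSION = 0.15.1b
LIBMAD_PATCH = libmad_$(LIBMAD_VERSION)-10.diff.gz
LIBMAD_SOURCE = libmad_$(LIBMAD_VERSION).orig.tar.gz
LIBMAD_SITE = \
	https://snapshot.debian.org/archive/debian/20190310T213528Z/pool/main/libm/libmad
LIBMAD_INSTALL_STAGING = YES
LIBMAD_LICENSE = GPL-2.0+
LIBMAD_LICENSE_FILES = COPYING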
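# Post-patch hook: apply the patch set found under debian/patches with
# Buildroot's APPLY_PATCHES helper. The directory is presumably created when
# LIBMAD_PATCH (the Debian diff) is applied -- confirm.
# The glob is escaped so the shell passes it to the helper literally instead
# of expanding it against stray *.patch files in the build's working directory.
# NOTE(review): the [ -d ] guard skips silently when the directory is missing;
# the CVE fixes would then be absent while LIBMAD_IGNORE_CVES still suppresses
# those CVEs. Consider failing the build in that case.
# NOTE(review): md_size.diff does not match *.patch; confirm the helper still
# applies it (for example through a series file in debian/patches).
define LIBMAD_APPLY_DEBIAN_PATCHES
	if [ -d $(@D)/debian/patches ]; then \
		$(APPLY_PATCHES) $(@D) $(@D)/debian/patches \*.patch; \
	fi
endef
LIBMAD_POST_PATCH_HOOKS += LIBMAD_APPLY_DEBIAN_PATCHES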
# CVE suppressions. Each entry names the Debian patch that is expected to fix
# it, so the entry is only valid while LIBMAD_APPLY_DEBIAN_PATCHES really
# applies that patch. Re-check these whenever LIBMAD_PATCH or the Debian
# snapshot in LIBMAD_SITE changes.
# Fixed by debian/patches/md_size.diff
LIBMAD_IGNORE_CVES += CVE-2017-8372 CVE-2017-8373
# Fixed by debian/patches/length-check.patch
LIBMAD_IGNORE_CVES += CVE-2017-8374
# Force autoreconf to be able to use a more recent libtool script, that
# is able to properly behave in the face of a missing C++ compiler.
LIBMAD_AUTORECONF = YES
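# Post-staging-install hook: copy the package-local mad.pc into the staging
# pkg-config directory (-D creates missing parent directories).
# -m 0644 is given explicitly because a .pc file is plain data; without -m,
# install(1) would create it with its default mode of 0755.
define LIBMAD_INSTALL_STAGING_PC
	$(INSTALL) -D -m 0644 package/libmad/mad.pc \
		$(STAGING_DIR)/usr/lib/pkgconfig/mad.pc
endef
LIBMAD_POST_INSTALL_STAGING_HOOKS += LIBMAD_INSTALL_STAGING_PC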
# configure switches. Debugging is always disabled; the speed and accuracy
# switches are passed only when the matching BR2 option is set; sso, aso and
# strict-iso are always passed, as --enable-* or --disable-* per the BR2 option.
# NOTE(review): CVE-2017-8372 is described as an assertion failure that is
# reachable only when NDEBUG is not defined. Presumably --disable-debugging
# makes configure define NDEBUG -- confirm, and keep this switch if so.
LIBMAD_CONF_OPTS = \
	--disable-debugging \
	$(if $(BR2_PACKAGE_LIBMAD_OPTIMIZATION_SPEED),--enable-speed) \
	$(if $(BR2_PACKAGE_LIBMAD_OPTIMIZATION_ACCURACY),--enable-accuracy) \
	$(if $(BR2_PACKAGE_LIBMAD_SSO),--enable-sso,--disable-sso) \
	$(if $(BR2_PACKAGE_LIBMAD_ASO),--enable-aso,--disable-aso) \
	$(if $(BR2_PACKAGE_LIBMAD_STRICT_ISO),--enable-strict-iso,--disable-strict-iso)

# Hand the LIBMAD_* variables above to Buildroot's autotools-package
# infrastructure (defined outside this file).
$(eval $(autotools-package))