Package Release Info

mpg123-1.25.7-2.1

Update Info: openSUSE-2017-1130
Available in Package Hub : 12 SP1-SP5

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

libmpg123-0
libout123-0
mpg123
mpg123-devel
mpg123-esound
mpg123-jack
mpg123-openal
mpg123-portaudio
mpg123-pulse
mpg123-sdl

Change Logs

* Tue Sep 26 2017 aloisio@gmx.com
- Update to version 1.25.7
  mpg123:
  * Do not play with cursor and inverse video for progress bar
    when TERM=dumb.
  * Fix parsing of host port for numerical IPv6 addresses (just did
    not work before, only for textual host names).
  libmpg123:
  * Proper fix for the xrpnt overflow problems by correctly
    initialising certain tables for MPEG 2.x layer III. The checks
    that catch the resulting overflow are still in place, but
    likely superfluous now. Note that this means certain valid
    files would have been misdecoded before, if anyone actually
    produced them. Thanks to Robert Hegemann for the fix!
  * Silently handle granules with part2_3_length == 0, but
    scalefac_compress != 0 (ignore the latter).
* Fri Aug 11 2017 aloisio@gmx.com
- Update to version 1.25.6
  * Hotfix for bug 255: Overflow reading frame data bits in layer
    II decoding. Now, all-zero data is returned if the frame data
    is exhausted. This might have a slight impact on performance,
    but not easily measurable so far.
* Tue Aug 08 2017 aloisio@gmx.com
- Update to version 1.25.5
  * Avoid another buffer read overflow in the ID3 parser on 32 bit
    platforms (bug 254).
* Mon Jul 24 2017 aloisio@gmx.com
- Update to version 1.25.4
  libmpg123:
  * Prevent harmless call to memcpy(NULL, NULL, 0).
  * More early checking of ID3v2 encoding values to avoid bogus
    text being stored.
* Tue Jul 18 2017 aloisio@gmx.com
- Update to version 1.25.3
  libmpg123:
  * Better checks for xrpnt overflow in III_dequantize_sample()
    before each use, avoiding false positives and catching cases
    that were rendered harmless by alignment-enlarged buffers.
* Tue Jul 11 2017 aloisio@gmx.com
- Update to version 1.25.2
  libmpg123:
  * Extend pow tables for layer III to properly handle files
    with i-stereo and 5-bit scalefactors. Never observed them
    for real, just as fuzzed input to trigger the read overflow.
    Note: This one goes on record as CVE-2017-11126, calling
    remote denial of service. While the accesses are out of
    bounds for the pow tables, they still are safely within
    libmpg123's memory (other static tables). Just wrong values
    are used for computation, no actual crash unless you use
    something like GCC's AddressSanitizer, nor any information
    disclosure.
  * Avoid left-shifts of negative integers in layer I decoding.
* Mon Jul 03 2017 aloisio@gmx.com
- Update to version 1.25.1
  * libmpg123:
    + Avoid memset(NULL, 0, 0) to calm down the paranoid.
    + Fix bug 252, invalid read of size 1 in ID3v2 parser due to
    forgotten offset from the frame flag bytes (unnoticed in
    practice for a long time). Fuzzers are in the house again.
    This one got CVE-2017-10683.
    + Avoid a mostly harmless conditional jump depending on
    uninitialised fr->lay in compute_bpf() (mpg123_position())
    when track is not ready yet.
    + Fix undefined shifts on signed long mask in layer3.c
    (worked in practice, never right in theory). Code might be
    a bit faster now, even. Thanks to Agostino Sarubbo for
    reporting.
  1.25.0:
  * Silence test for artsc-config if it is not there.
  * Make sure -static-libgcc from LDFLAGS gets through libtool,
    fixing 32 bit Windows builds (depend on libgcc DLL otherwise).
  * Fix build with non-GNU make by using plain rm -f instead of
    silly $(RM) in libout123/modules makefile fragment.
  * Make build work on iOS, including coreaudio backend.
  * libmpg123:
    + Finally provide position-independent code for x86 with
    assembly optimisations. The textrels are gone thanks to Won
    Kyu Park and Taihei Momma.
    + Clarify some license language in files descending from the
    original MMX optimisation.
    + Fix return value overflow check for MPG123_BUFFERFILL.
    + Introduced mpg123_getformat2() to enable the FORMAT command
    for the generic control not stealing MPG123_NEW_FORMAT from
    the main playback loop. The sequence LOADPAUSED-FORMAT-PAUSE
    (play) is supposed to work now.
    + Enable aarch64 optimisations on *BSD by default, too. You
    can always override that stupid OS whitelist using
    --with-optimization, anyway.
    + Use of the i486 decoder is now discouraged more
    prominently, in configure output.
  * out123: Fix stupid crash with verbose mode and tone
    generation (print the string if the pointer is non-null, not if
    it is null).
  * libout123: More consistent error messages for dynamic and
    legacy (built-in) modules. Namely, you get a hint how if you
    choose a different module than the built-in ones for a static
    libout123.
- Fixes (boo#1046766)
* Tue May 16 2017 meissner@suse.com
- don't require mpg123-32bit, it is not present
* Tue May 16 2017 mpluskal@suse.com
- Update baselibs.conf
* Sun Apr 30 2017 meissner@suse.com
- add a baselibs.conf, so 32bit wine can use it or even
  build against it.
* Thu Mar 23 2017 aloisio@gmx.com
- Create mpg123-openal as separate package
- Added Supplements lines for some subpackages
* Fri Mar 17 2017 jengelh@inai.de
- Ensure neutrality of description
* Sun Mar 05 2017 aloisio@gmx.com
- Update to version 1.24.0
  * Avoid repeating genre in metadata printout for
    specifications like (144)Thrash Metal.
  * In remote control mode, only enforce --quiet if no
    verbosity was required.
  * Prevent --loop and --shuffle or --random from messing with
    the remote control LOADLIST command (printout of the list
    would loop without reason).
  * Fix the mpg123 command (esp. our provided binaries on
    Windows) to now find modules again relative to the
    executable directory, not the current working directory.
    This was a regression in 1.23 and might be security-relevant
    if you called mpg123 in working directories with untrusted
    content. Note that mpg123 1.23 looked for modules relative
    to the current working directory only if the installation
    prefix for modules did not exist. So, usage on an intact
    installation (with /usr/lib/mpg123 or the like) was safe.
    Nevertheless this new version fixes the search to be
    relative to the binary path as it was with 1.22 and before.
  * At least consistent behaviour of playlist code in the face
    of looping. Looping is about individual tracks, always.
    They are looped also in random mode. Jumping (prev/next
    keys) is between tracks and resets the loop counter.
    The display of currently playing track in the playlist is
    fixed for random and looped play now (bug 198).
  * Looping is now mentioned for a to-be-repeated track with
    --verbose.
  * Move some compiler nagging from --enable-debug to
    --enable-nagging, fix up some new build failures by adding
    some pesky feature test macros.
  * Try not to pollute the terminal buffer with old progress
    bars in inverse video. Only the currently live one shall
    be seen. That one is pretty. The others are not.
  * Using plain dlopen()/LoadLibrary() for opening modules
    instead of libltdl. This also means that
    --with-module-suffix is gone in configure.
  * Windows builds only work when Unicode support is there
    (older than Windows 2000/XP will definitely not work
    anymore).
  * The out123 tool now features tone generation, with a mix
    of differing wave patterns. Makes sense to be able to test
    the audio output by itself, and it's fun. See --wave-freq
    and related parameters.
  * libmpg123 version 43:
    + Add flags MPG123_NO_PEEK_END and MPG123_FORCE_SEEKABLE,
    as suggested by Bent Bisballe Nyeng.
    + Build fix for MSVC (consistent definition of ssize_t,
    spotted by manx, bug 243).
    + Build fix for --with-cpu=ppc_nofpu (thanks to Michael
    Kostylev, bug 244).
    + Add asm optimized MSVC++ Win32|x64 and UWP|x64 builds
    + Remove old, broken MSVC++ builds
  * libout123 version 2:
    + Added OUT123_BINDIR.
    + New search order for output plugin directory:
    MPG123_MODDIR, or (relative to executable directory
    OUT123_BINDIR) ../lib/mpg123, plugins
    libout123/modules/.libs, libout123/modules,
    ../libout123/modules/.libs, ../libout123/modules, and at
    last the installation prefix $libdir/mpg123/. This shall
    ensure that a build inside a source tree does not try to
    use old modules from the system prefix. The normal libtool
    wrapper deals with the shared libout123 or libmpg123 only,
    not modules. Note that if you set MPG123_MODDIR to a
    non-existing directory, no modules will be found (earlier
    versions fell back to other choices).
    + The OUT123_NAME parameter is now copied by
    out123_param_from(), as is the newly added OUT123_BINDIR.
    + Coreaudio: Use AudioComponents API on OSX >= 10.6 (thanks
    to Michael Weiser).
    + Coreaudio: Fix behaviour of out123_drop(), not killing
    the output anymore without re-opening the device (bug 236,
    thanks to Taihei for the fix).
- Build esound, pulse, jack, portaudio, sdl modules and created
  package for each of them.
* Fri Nov 11 2016 dimstar@opensuse.org
- Initial package for openSUSE Tumbleweed, version 1.23.8.
Version: 1.25.10-5.1
* Mon Mar 05 2018 aloisio@gmx.com
- Update to version 1.25.10
  * libout123: Fix error messages beginning from OUT123_ARG_ERROR
    (bug 261).
  version 1.25.9
  * mpg123: Fix --icy-interval handling to work with stream from
    stdin. (curl | mpg123 --icy-interval=n -)
  * libmpg123: Fix another invalid read and segfault on damaged
    (fuzzed) files with part2_3_length == 0 (set maxband=1, pulled
    from upcoming 1.26.0).
  version 1.25.8
  mpg123:
  * Also disable cursor/video games for empty TERM (not just unset
    and dumb).
  libmpg123:
  * Accept changing mode extension bits when looking for next
    header for detecting free-format streams (bug 257).
  * Fix compute_bpf() for free format streams (needed to estimate
    track length and working fuzzy seeking in absence of an Info
    tag).
* Wed Oct 04 2017 aloisio@gmx.com
- Update to version 1.25.7
  mpg123:
  * Do not play with cursor and inverse video for progress bar
    when TERM=dumb.
  * Fix parsing of host port for numerical IPv6 addresses (just did
    not work before, only for textual host names).
  libmpg123:
  * Proper fix for the xrpnt overflow problems by correctly
    initialising certain tables for MPEG 2.x layer III. The checks
    that catch the resulting overflow are still in place, but
    likely superfluous now. Note that this means certain valid
    files would have been misdecoded before, if anyone actually
    produced them. Thanks to Robert Hegemann for the fix!
  * Silently handle granules with part2_3_length == 0, but
    scalefac_compress != 0 (ignore the latter).