From 9ec4a4629db6b044b8f52f0b6383f3526012693a Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 25 Aug 2017 10:56:56 +0800
Subject: taglib: Security fix CVE-2017-12678

CVE-2017-12678: In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-12678

Patch from:
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6

(From OE-Core rev: 24ac12ecb19efc7c131c9711ba32e298ba860eb7)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/taglib/taglib_1.11.1.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'meta/recipes-support/taglib/taglib_1.11.1.bb')

diff --git a/meta/recipes-support/taglib/taglib_1.11.1.bb b/meta/recipes-support/taglib/taglib_1.11.1.bb
index 54a92d94ec..50439bc14f 100644
--- a/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
 
 DEPENDS = "zlib"
 
-SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz"
+SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \
+           file://CVE-2017-12678.patch \
+          "
+
 SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a"
 SRC_URI[sha256sum] = "b6d1a5a610aae6ff39d93de5efd0fdc787aa9e9dc1e7026fa4c961b26563526b"
 
-- 
cgit v1.2.3-54-g00ecf