[mpg123-devel] releasing mpg123-1.33.5 and 1.32.12 with serious regression fixes

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Dear people,

I am announcing the release of mpg123 1.33.5 and 1.32.12 to fix
breakage introduced in 1.32.0 with the largefile overhaul. Of course
that introduced issues, but only for

- users of remote control interface
- on 32 bit platforms with largefile support

A minor regression is proper handling of large files in mpg123-id3dump,
also fixed. While mpg123-strip is also not enabling large file support,
this does not seem to impact functionality on 32 bit Linux, as the I/O
is 64 bits inside libmpg123, anyway (for proper error messages about
invalid headers and certain offset).

I also release 1.32.12 to offer easy patching for distributions that
ride on 1.32.x. This absolutely should be patched!

1.33.5
------
- mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit
  off_t was used with mpg123 API calls expecting 64 bit off_t.
  I am appalled that it took a user on 32 bit ARM and a specific https stream
  to notice this (bug 385, regression since 1.32.0).
  The security impact of this could be serious, with memory corruption including
  segfault being observed.
- mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive
  platforms (regression since 1.32.0).
- libmpg123:
-- Announce support for shadow stack / IBT in x86-64 assembly.
-- Also announce PAC/BTI for non-accurate neon64 (aarch64) synth.
- libout123: Add a safeguard to ensure variable-length records from buffer
  communication are always zero-terminated.
- libsyn123: Use union work buffer to avoid casts that may look like breaking
  strict aliasing.

1.32.12
------
- mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit
  off_t was used with mpg123 API calls expecting 64 bit off_t.
  I am appalled that it took a user on 32 bit ARM and a specific https stream
  to notice this (bug 385, regression since 1.32.0).
  The security impact of this could be serious, with memory corruption including
  segfault being observed.
- mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive
  platforms (regression since 1.32.0).

I also updated the win32/win64 binaries this one time using a cross
build, without any functionality checking. We still do not have a
regular process in place to provide those, and I just do not want that
as a regular task.

Head over to 

	https://sourceforge.net/projects/mpg123/files/mpg123/
or
	https://mpg123.org/download.shtml

to get your stuff.

Alrighty then,

Thomas