Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1
James Cowgill
jcowgill at debian.org
Tue Oct 4 11:01:30 UTC 2016
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintainers at lists.alioth.debian.org
Hi,
A security issue was reported against mpg123 in bug #838960. Since it
was marked no-DSA by the security team, it needs a normal jessie-pu
update to fix it in jessie.
The debdiff is attached. I've tested it on jessie against the testcase
provided in the upstream bug report (https://mpg123.org/bugs/240).
Thanks,
James
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
-------------- next part --------------
diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog
--- mpg123-1.20.1/debian/changelog 2014-08-31 10:51:53.000000000 +0100
+++ mpg123-1.20.1/debian/changelog 2016-10-04 11:42:56.000000000 +0100
@@ -1,3 +1,10 @@
+mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
+
+ * Team upload.
+ * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
+
+ -- James Cowgill <jcowgill at debian.org> Tue, 04 Oct 2016 11:42:56 +0100
+
mpg123 (1.20.1-2) unstable; urgency=medium
* Team upload.
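Review bot: The changelog line "Fix DoS with crafted ID3v2 tags. (Closes: #838960)" does not name the patch file that carries the fix. Naming debian/patches/0002-dos-crafted-id3v2-tags.patch in the entry would let a reader of the changelog locate the change without opening debian/patches/series. The entry could also cite the upstream bug that the patch header gives (https://sourceforge.net/p/mpg123/bugs/240/), so the Debian bug and the upstream report are linked from one place.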
diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
--- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 1970-01-01 01:00:00.000000000 +0100
+++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 2016-10-04 11:41:20.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix DoS with crafted ID3v2 tags
+Author: Thomas Orgis <thomas-forum at orgis.org>
+Bug: https://sourceforge.net/p/mpg123/bugs/240/
+Bug-Debian: https://bugs.debian.org/838960
+Applied-Upstream: 1.23.8
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/libmpg123/id3.c
++++ b/src/libmpg123/id3.c
+@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns
+ unsigned long fflags; /* need 16 bits, actually */
+ id[4] = 0;
+ /* pos now advanced after ext head, now a frame has to follow */
+- while(tagpos < length-10) /* I want to read at least a full header */
++ while(length >= 10 && tagpos < length-10) /* I want to read at least a full header */
+ {
+ int i = 0;
+ unsigned long pos = tagpos;
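Review bot: The new `length >= 10` test in the `while` condition of the id3.c change is not covered by the trailing comment, which still says only "I want to read at least a full header". The guard implies that `length-10` can wrap around for tags shorter than 10 bytes; the type of `length` is cut off in the hunk header, so this is inferred from the fix and not visible here. Extend the comment to say why the guard exists, or write the bound as `tagpos + 10 < length`, which states the same limit without a subtraction (assuming `tagpos` cannot come within 10 of its type's maximum). The DEP-3 header also records `Applied-Upstream: 1.23.8` but has no `Origin:` field pointing at the upstream change, which would make the backport easier to audit.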
diff -Nru mpg123-1.20.1/debian/patches/series mpg123-1.20.1/debian/patches/series
--- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.000000000 +0100
+++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.000000000 +0100
@@ -1 +1,2 @@
0001-disable_not_public_funcs.patch
+0002-dos-crafted-id3v2-tags.patch