Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
James Cowgill
jcowgill at debian.org
Tue Sep 27 09:27:04 UTC 2016
Control: severity -1 grave
Control: tags -1 security fixed-upstream
Control: found -1 0.60-1
Hi,
On 27/09/16 06:47, Thomas Orgis wrote:
> Package: mpg123
>
> This is mpg123 upstream formally informing you of a vulnerability
> (crash on illegal memory read) in all mpg123 versions since 0.60, so
> very likely all debian versions of mpg123 and libmpg123 are affected.
>
> See more detail at http://mpg123.org/bugs/240 . A one-line fix for any
> version is this:
>
> perl -pi -e 's:(while\()(tagpos < length-10\)):${1}length >= 10 && $2:' $(find src -name id3.c)
Thanks for letting Debian know!
Does this have a CVE ID? If not it should get one.
James
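The one-line fix quoted above prepends `length >= 10 &&` to the loop condition `while(tagpos < length-10)` in id3.c. The reason it matters is that `length` (the tag body size taken from the ID3v2 header) is unsigned, so for a crafted tag declaring fewer than 10 bytes `length-10` wraps to a huge value, the condition stays true and the frame-header read runs past the buffer. The following is an added example written for this archive page, not mpg123's own id3.c and not code from the reporter: it is a simplified model of the frame-scanning loop (function names, the syncsafe frame-size decoding and the constructed sample tags are assumptions) that shows the pre-fix condition and the guarded one side by side. Instead of dereferencing out of bounds, which is undefined behaviour, it records that an access would leave the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an ID3v2 frame-scanning loop, added here to show
   the shape of mpg123 bug 240. NOT mpg123's code: the real parser keeps
   more state. Only the unsigned-wraparound in the loop bound is kept.
   `length` is the tag body size declared in the 10-byte ID3v2 header. */

#define FRAME_HEADER_LEN 10   /* 4-byte ID, 4-byte size, 2-byte flags */

/* Decode a 28-bit syncsafe integer (ID3v2.4 frame size field). */
static uint32_t syncsafe32(const unsigned char *p)
{
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14)
         | ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Walk the frames of a tag body of `length` bytes.
   hardened == 0: loop bound as before the fix, `tagpos < length - 10`.
   hardened != 0: with the guard, `length >= 10 && tagpos < length - 10`.
   Returns the number of frame headers visited. Any access that would fall
   outside [0, length) sets *oob and stops the scan instead of reading. */
size_t scan_frames(const unsigned char *tag, size_t length, int hardened, int *oob)
{
    size_t tagpos = 0, frames = 0;
    *oob = 0;
    for (;;) {
        int keep_going = hardened
            ? (length >= FRAME_HEADER_LEN && tagpos < length - FRAME_HEADER_LEN)
            : (tagpos < length - FRAME_HEADER_LEN);   /* wraps when length < 10 */
        if (!keep_going)
            break;
        if (tagpos + FRAME_HEADER_LEN > length) {     /* where the real code crashed */
            *oob = 1;
            break;
        }
        if (tag[tagpos] == 0)                         /* zero byte: padding, stop */
            break;
        uint32_t fsize = syncsafe32(tag + tagpos + 4);
        if ((size_t)fsize > length - tagpos - FRAME_HEADER_LEN) {
            *oob = 1;                                 /* frame body past the tag */
            break;
        }
        frames++;
        tagpos += FRAME_HEADER_LEN + fsize;
    }
    return frames;
}

/* Convenience wrappers so each result can be checked on its own. */
size_t frame_count(const unsigned char *tag, size_t length, int hardened)
{
    int oob;
    return scan_frames(tag, length, hardened, &oob);
}

int would_read_oob(const unsigned char *tag, size_t length, int hardened)
{
    int oob;
    scan_frames(tag, length, hardened, &oob);
    return oob;
}

/* Constructed sample inputs (not taken from any real file). */
const unsigned char well_formed_tag[27] = {
    'T','I','T','2', 0x00,0x00,0x00,0x05, 0x00,0x00,   /* TIT2, size 5, no flags */
    0x03,'a','b','c','d',                              /* UTF-8 marker + "abcd" */
    0,0,0,0,0,0,0,0,0,0,0,0                            /* padding */
};
/* A header declaring a body of only 4 bytes: length - 10 wraps to SIZE_MAX - 5. */
const unsigned char short_tag[4] = { 'T','I','T','2' };

int main(void)
{
    printf("well-formed: %zu frame(s), oob=%d (unfixed) / oob=%d (fixed)\n",
           frame_count(well_formed_tag, sizeof well_formed_tag, 0),
           would_read_oob(well_formed_tag, sizeof well_formed_tag, 0),
           would_read_oob(well_formed_tag, sizeof well_formed_tag, 1));
    printf("4-byte body:  oob=%d (unfixed) / oob=%d (fixed)\n",
           would_read_oob(short_tag, sizeof short_tag, 0),
           would_read_oob(short_tag, sizeof short_tag, 1));
    return 0;
}
```

The general lesson is the one the quoted one-liner encodes: never subtract from an unsigned length in a loop bound without first establishing that the length is at least that large. Writing the bound as `tagpos + FRAME_HEADER_LEN <= length` (with care for overflow of the addition if `tagpos` can be attacker-controlled) avoids the wraparound entirely.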