Your message dated Sun, 06 Aug 2017 13:04:34 +0000
with message-id <e1deleq-000bq0...@fasolo.debian.org>
and subject line Bug#870799: fixed in mpg123 1.25.4-1
has caused the Debian Bug report #870799,
regarding mpg123: CVE-2017-9545
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
870799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870799
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpg123
Version: 1.23.8-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for mpg123.

CVE-2017-9545[0]:
| The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows
| remote attackers to cause a denial of service (buffer over-read) via a
| crafted mp3 file.

Not sure if the reporter has reported that upstream. 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9545
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9545
[1] http://seclists.org/fulldisclosure/2017/Jul/65

Please adjust the affected versions in the BTS as needed, checked only
versions back to 1.23.8-1 in stretch.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mpg123
Source-Version: 1.25.4-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 06 Aug 2017 14:33:07 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev
Architecture: source
Version: 1.25.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library)
 mpg123     - MPEG layer 1/2/3 audio player
Closes: 870799
Changes:
 mpg123 (1.25.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fix buffer over-read. (CVE-2017-9545) (Closes: #870799)
   * debian/control: Bump Standards-Version.


--- End Message ---
