Your message dated Thu, 28 Sep 2006 06:55:45 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#377264: fixed in mpg123 0.60-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mpg123
Version: 0.59r-20sarge1

When running mpg123 with an HTTP URL which sends any HTTP redirection,
mpg123 displays erratic behaviour due to a heap overflow in httpget.c:

$ mpg123 'http://patrimonium.amberfisharts.com/download.asp?lang=de&id=20'
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
free(): invalid pointer 0x8085118!
Unknown host "downloads".
Segmentation fault


This heap overflow was introduced by Gentoo's
103_all_CAN-2004-0982.patch, written by Jeremy Huddleston
([EMAIL PROTECTED]), which obviously has also been used in Debian's
mpg123_0.59r-20sarge1.diff. On Gentoo, this has already been fixed
lately (bug #133988, GLSA 200607-01).

For more details see the Gentoo Linux Security Advisory[1]
and my bug description[2], which also contains a corrected
103_all_CAN-2004-0982.patch.

[1] http://www.gentoo.org/security/en/glsa/glsa-200607-01.xml
[2] http://bugs.gentoo.org/show_bug.cgi?id=133988


--- End Message ---
--- Begin Message ---
Source: mpg123
Source-Version: 0.60-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

mpg123-alsa_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-alsa_0.60-1_i386.deb
mpg123-esd_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-esd_0.60-1_i386.deb
mpg123-nas_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-nas_0.60-1_i386.deb
mpg123-oss-3dnow_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-oss-3dnow_0.60-1_i386.deb
mpg123-oss-i486_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-oss-i486_0.60-1_i386.deb
mpg123_0.60-1.diff.gz
  to pool/main/m/mpg123/mpg123_0.60-1.diff.gz
mpg123_0.60-1.dsc
  to pool/main/m/mpg123/mpg123_0.60-1.dsc
mpg123_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123_0.60-1_i386.deb
mpg123_0.60.orig.tar.gz
  to pool/main/m/mpg123/mpg123_0.60.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <[EMAIL PROTECTED]> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 14 Sep 2006 13:49:03 +0200
Source: mpg123
Binary: mpg123-esd mpg123-oss-3dnow mpg123-nas mpg123-oss-i486 mpg123-alsa mpg123
Architecture: source i386
Version: 0.60-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <[EMAIL PROTECTED]>
Changed-By: Daniel Kobras <[EMAIL PROTECTED]>
Description: 
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-alsa - MPEG layer 1/2/3 audio player with ALSA support
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support
 mpg123-nas - MPEG layer 1/2/3 audio player with NAS support
 mpg123-oss-3dnow - MPEG layer 1/2/3 audio player for 3DNow! machines
 mpg123-oss-i486 - MPEG layer 1/2/3 audio player for i486 machines
Closes: 292260 377264
Changes: 
 mpg123 (0.60-1) unstable; urgency=low
 .
   * New upstream release.
     + Includes security fix for a heap overflow in httpget.c
       (CVE-2006-3355). Closes: #377264
   * configure, configure.ac: Fix typo to make esd detection work.
   * src/audio_esd.c: Always define audio_queueflush().
   * debian/compat: Set to debhelper compatibility level 5.
   * debian/control: Move from non-free to main. Closes: #292260
   * debian/control: OSS versions depend on oss-compat now.
   * debian/control: Build-depend on pkg-config. Configure script uses it.
   * debian/control: Build-depend on debhelper and autotools-dev.
   * debian/copyright: Download location now points to SourceForge site.
   * debian/copyright: Document new copyright and license, and add pointer to
     documentation of relicensing process.
   * debian/mime: Require a terminal when called via mailcap.
   * debian/rules: Debhelperize.
   * debian/rules: Tweak rules for new configure-style build system.
   * debian/rules: Add magic touches to prevent accidental rebuilding of
     configure.
   * debian/{control,rules}: Reinstate mpg123-alsa package now that current
     ALSA versions are supported again.
Files: 
 43e8221d8bccd9be8e785b5cb489996b 756 sound optional mpg123_0.60-1.dsc
 cb19b957c8eb539f055ed4f4a2c8521b 608911 sound optional mpg123_0.60.orig.tar.gz
 e50952b2356e8c2534d4f259422a52a2 10940 sound optional mpg123_0.60-1.diff.gz
 9106504cc92f21ed7a29ae467a1ff7e6 134470 sound optional mpg123_0.60-1_i386.deb
 8133b274fca9e9392b0be09e8082f311 138456 sound optional 
mpg123-oss-i486_0.60-1_i386.deb
 6b9b42f6016d83fd7ca7b17f00a1b758 137460 sound optional 
mpg123-oss-3dnow_0.60-1_i386.deb
 667f050bba3698d271108ad688027ec3 134070 sound optional 
mpg123-esd_0.60-1_i386.deb
 a57dedbc48c4c7e2a89b1f83311a2464 135854 sound optional 
mpg123-nas_0.60-1_i386.deb
 6705d41e9481e0b9509b38ea64ee550e 135690 sound optional 
mpg123-alsa_0.60-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFCWfVpOKIA4m/fisRAnLxAKCUQvVOSIptTq4QJXDyCkrTEYw7lACguAOL
0ZcGUx7HElTumIolB3tync8=
=BJ7d
-----END PGP SIGNATURE-----


--- End Message ---
