Your message dated Fri, 13 May 2005 01:38:40 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Reached sarge
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 10 May 2005 07:41:37 +0000
From [EMAIL PROTECTED] Tue May 10 00:41:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from antares.tat.physik.uni-tuebingen.de [134.2.170.62]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DVPN3-0005Fc-00; Tue, 10 May 2005 00:41:37 -0700
Received: from localhost (localhost [127.0.0.1])
by antares.tat.physik.uni-tuebingen.de (Postfix) with ESMTP id
0D05C4A617
for <[EMAIL PROTECTED]>; Tue, 10 May 2005 09:41:36 +0200 (CEST)
Received: from antares.tat.physik.uni-tuebingen.de ([127.0.0.1])
by localhost (antares [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id 19795-02 for <[EMAIL PROTECTED]>;
Tue, 10 May 2005 09:41:30 +0200 (CEST)
Received: by antares.tat.physik.uni-tuebingen.de (Postfix, from userid 1000)
id E6EF14AD85; Tue, 10 May 2005 09:41:29 +0200 (CEST)
Date: Tue, 10 May 2005 09:41:29 +0200
From: Daniel Kobras <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mpg123: Integer overflows in http parser.
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="x+6KMIRAuhnl3hBn"
Content-Disposition: inline
X-Reportbug-Version: 3.11
User-Agent: Mutt/1.5.9i
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at
tat.physik.uni-tuebingen.de
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--x+6KMIRAuhnl3hBn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Package: mpg123
Version: 0.59r-19
Severity: grave
Tags: security patch sarge pending
Justification: user security hole
[This problem is fixed already in 0.59r-20 (currently in unstable). I'm
filing this report so the issue can be tracked by the testing security team
more easily.]
The security patch to the http parser (httpget.c) applied in 0.59r-18
has introduced potential integer overflows in several places. They are
triggered when a playlist contains extremely long URL strings. As mpg123
allows access to playlists via http, this is a potential remote exploit.
I'm attaching the patch applied in 0.59r-20 to fix the integer overflow.
The only other change in 0.59r-20 with respect to the version in sarge
is a fix for a regression caused by the same security patch to 0.59r-18
(cf. #294801).
Daniel.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages mpg123 depends on:
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
-- no debconf information
--x+6KMIRAuhnl3hBn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="220.patch"
---------------------
PatchSet 220
Date: 2005/05/08 18:38:50
Author: kobras
Branch: HEAD
Tag: (none)
Log:
Fix integer overflows in http parser. [dk]
Members:
httpget.c:1.14->1.15
debian/changelog:1.44->1.45
Index: debian/mpg123/httpget.c
diff -u debian/mpg123/httpget.c:1.14 debian/mpg123/httpget.c:1.15
--- debian/mpg123/httpget.c:1.14 Sun May 8 18:46:14 2005
+++ debian/mpg123/httpget.c Sun May 8 19:38:50 2005
@@ -13,6 +13,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
#include <netdb.h>
#include <sys/param.h>
#include <sys/types.h>
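Review bot: <limits.h> is pulled in for ULONG_MAX, but every quantity the new checks bound (the strlen() results, linelength, linelengthbase and tmp) is a size_t; the matching limit is SIZE_MAX from <stdint.h> (C99), with `(size_t)-1` as the fallback where that header is unavailable. ULONG_MAX is only the right bound on targets where size_t is unsigned long; elsewhere the checks would either reject valid input or miss the wrap.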
@@ -197,7 +198,7 @@
int http_open (char *url)
{
char *purl, *host, *request, *sptr;
- size_t linelength, linelengthbase;
+ size_t linelength, linelengthbase, tmp;
unsigned long myip;
unsigned int myport;
int sock;
@@ -227,6 +228,11 @@
/* The length of purl is upper bound by 3*strlen(url) + 1 if
* everything in it is a space */
+ if (strlen(url) >= ULONG_MAX/3) {
+ fprintf (stderr, "URL too long. Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
purl = (char *)malloc(strlen(url)*3 + 1);
if (!purl) {
fprintf (stderr, "malloc() failed, out of memory.\n");
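Review bot: the bound `strlen(url) >= ULONG_MAX/3` is sufficient, since any accepted length is at most ULONG_MAX/3 - 1 and so `strlen(url)*3 + 1` cannot exceed ULONG_MAX - 2. Two things to tidy: strlen(url) is now evaluated three times, so store it once in a local (`urllen`) and use that in both the test and the malloc() call; and this `goto exit` runs before purl has been assigned, so the cleanup at the `exit:` label (outside this hunk) must not free purl unconditionally unless purl is initialised to NULL at its declaration.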
@@ -272,11 +278,27 @@
linelengthbase = 62 + strlen(prgName) + strlen(prgVersion)
+ strlen(ACCEPT_HEAD);
- if(httpauth)
- linelengthbase += (strlen(httpauth) + 1) * 4;
+ if(httpauth) {
+ tmp = (strlen(httpauth) + 1) * 4;
+ if (strlen(httpauth) >= ULONG_MAX/4 - 1 ||
+ linelengthbase + tmp < linelengthbase) {
+ fprintf(stderr, "HTTP authentication too long.
Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
+ linelengthbase += tmp;
+ }
- if(httpauth1)
- linelengthbase += (strlen(httpauth1) + 1) * 4;
+ if(httpauth1) {
+ tmp = (strlen(httpauth1) + 1) * 4;
+ if (strlen(httpauth1) >= ULONG_MAX/4 - 1 ||
+ linelengthbase + tmp < linelengthbase) {
+ fprintf(stderr, "HTTP authentication too long.
Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
+ linelengthbase += tmp;
+ }
do {
if (proxyip != INADDR_NONE) {
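Review bot: the httpauth and httpauth1 blocks are identical apart from the variable name; move them into a small helper (e.g. `add_auth_len(size_t *base, const char *auth)` returning -1 on overflow) so the two copies cannot drift. The bound `strlen(httpauth) >= ULONG_MAX/4 - 1` is correct (an accepted length gives `(len + 1) * 4 <= ULONG_MAX - 4`), but `tmp` is computed before that test, so the product is formed first and judged afterwards; computing it after the length check reads more naturally. The `linelengthbase + tmp < linelengthbase` wrap test is sound only because the operands are unsigned; a one-line comment saying so would stop a later reader from "fixing" it. Also, the error literal appears split across two lines here ("HTTP authentication too long." / "Skipping...\n"); worth confirming that is mail wrapping and the literal is on one line in the committed file, since a string literal containing a raw newline does not compile.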
@@ -284,9 +306,23 @@
myip = proxyip;
linelength = linelengthbase + strlen(purl);
- if(host)
+ if (linelength < linelengthbase) {
+ fprintf(stderr, "URL too long. Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
+
+ if(host) {
+ tmp = 9 + strlen(host) + 5;
+ if (strlen(host) >= ULONG_MAX - 14 ||
+ linelength + tmp < linelength) {
+ fprintf(stderr, "Hostname info too
long. Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
/* "Host: <host>:<port>\r\n" */
- linelength += 9 + strlen(host) + 5;
+ linelength += tmp;
+ }
/* Buffer is reused for receiving later on, so ensure
* minimum size. */
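Review bot: the post-addition wrap test `linelength < linelengthbase` and the `linelength + tmp < linelength` test below it rely on unsigned arithmetic, as in the previous hunk, and deserve the same comment. The host guard `strlen(host) >= ULONG_MAX - 14` matches the 9 + 5 framing bytes of the "Host: <host>:<port>\r\n" comment, but that 14 is now written twice (`9 + strlen(host) + 5` and `ULONG_MAX - 14`); a named constant for the framing length would keep the two in step if the header format ever changes.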
@@ -316,9 +352,23 @@
}
linelength = linelengthbase + strlen(sptr);
- if (host)
+ if (linelength < linelengthbase) {
+ fprintf(stderr, "URL too long. Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
+
+ if(host) {
+ tmp = 9 + strlen(host) + 5;
+ if (strlen(host) >= ULONG_MAX - 14 ||
+ linelength + tmp < linelength) {
+ fprintf(stderr, "Hostname info too
long. Skipping...\n");
+ sock = -1;
+ goto exit;
+ }
/* "Host: <host>:<port>\r\n" */
- linelength += 9 + strlen(host) + 5;
+ linelength += tmp;
+ }
/* Buffer is reused for receiving later on, so ensure
* minimum size. */
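Review bot: this block duplicates the one in the previous hunk line for line (wrap test, host sizing, error message); a helper such as `add_host_len(size_t *linelength, const char *host)` returning -1 on overflow would replace both copies and halve the surface a future change has to keep consistent.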
Index: debian/mpg123/debian/changelog
diff -u debian/mpg123/debian/changelog:1.44 debian/mpg123/debian/changelog:1.45
--- debian/mpg123/debian/changelog:1.44 Sun May 8 18:46:14 2005
+++ debian/mpg123/debian/changelog Sun May 8 19:38:50 2005
@@ -1,9 +1,11 @@
-mpg123 (0.59r-20) unstable; urgency=medium
+mpg123 (0.59r-20) unstable; urgency=high
+ * httpget.c: Fix integer overflows in http parser, introduced by
+ security patch for CAN-2004-0982.
* httpget.c: Ensure minimum size of receive buffer to fix regression
in 0.59r-18, caused by patch for CAN-2004-0982. Closes: #294801
- -- Daniel Kobras <[EMAIL PROTECTED]> Sun, 8 May 2005 18:43:18 +0200
+ -- Daniel Kobras <[EMAIL PROTECTED]> Sun, 8 May 2005 19:37:18 +0200
mpg123 (0.59r-19) unstable; urgency=high
--x+6KMIRAuhnl3hBn--
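The length arithmetic the report and patch describe, written with overflow-checked helpers as an added example; this is not code from mpg123 or from the patch above, the names checked_add, checked_mul, purl_alloc_size and request_line_size are my own, and it bounds against SIZE_MAX rather than the patch's ULONG_MAX.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Overflow-checked size_t arithmetic: false (and *out untouched) when the
 * result does not fit. SIZE_MAX (C99, <stdint.h>) is the bound for size_t;
 * the patch's ULONG_MAX only matches where size_t is unsigned long. */
static bool checked_add(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Escaped-URL buffer: each byte may grow to 3 bytes ("%20"), plus NUL.
 * Same 3*strlen(url)+1 bound as httpget.c, guarded at every step. */
bool purl_alloc_size(size_t urllen, size_t *out)
{
    size_t n;
    return checked_mul(urllen, 3, &n) && checked_add(n, 1, out);
}

/* Unguarded form, kept to show the wrap: a length just past SIZE_MAX/3
 * turns into a 3-byte malloc() request that the later copy overruns. */
size_t purl_alloc_size_unchecked(size_t urllen)
{
    return urllen * 3 + 1;
}

/* Request line: base + escaped URL + optional "Host: <host>:<port>\r\n",
 * which the patch sizes as 9 + strlen(host) + 5. */
bool request_line_size(size_t base, size_t purllen, const char *host, size_t *out)
{
    size_t n, hostpart;
    if (!checked_add(base, purllen, &n))
        return false;
    if (host && (!checked_add(strlen(host), 14, &hostpart) ||
                 !checked_add(n, hostpart, &n)))
        return false;
    *out = n;
    return true;
}
```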
---------------------------------------
Received: (at 308436-done) by bugs.debian.org; 12 May 2005 23:38:43 +0000
From [EMAIL PROTECTED] Thu May 12 16:38:43 2005
Return-path: <[EMAIL PROTECTED]>
Received: from higgs.djpig.de [213.133.98.126]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DWNGN-0006si-00; Thu, 12 May 2005 16:38:43 -0700
Received: from djpig by higgs.djpig.de with local (Exim 4.50)
id 1DWNGK-0004PV-RF; Fri, 13 May 2005 01:38:40 +0200
Date: Fri, 13 May 2005 01:38:40 +0200
From: Frank Lichtenheld <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Reached sarge
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2
tags 308436 - sarge pending
thanks
Fixed package has reached testing
Regards,
--
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/