Your message dated Wed, 05 Sep 2012 15:32:42 +0000
with message-id <[email protected]>
and subject line Bug#677148: fixed in mpg123 1.14.4-1
has caused the Debian Bug report #677148,
regarding mpg123_getformat() hangs in endless loop
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
677148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677148
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmpg123-0
Version: 1.14.2-1
Severity: important
On (broken?) MP3 files, mpg123_getformat() hangs in an I/O loop that
reads one byte at a time, seeks back 64 kB, and repeats practically
forever. Example strace:
[...]
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
read(4, "\"", 1) = 1
read(4, "`", 1) = 1
[...]
MPD backtrace (there's no -dbg package):
#0 0x00007f843b9c218d in read () at ../sysdeps/unix/syscall-template.S:82
#1 0x00007f843fa89d9e in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#2 0x00007f843fa89e6c in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#3 0x00007f843fa7d9f3 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#4 0x00007f843fa7e0e1 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#5 0x00007f843fa8eafa in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#6 0x00007f843fa8f1ec in mpg123_getformat () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#7 0x0000000000432444 in mpd_mpg123_open (handle=handle@entry=0x1629270,
This causes the Music Player Daemon (when built with libmpg123) to go
into an endless busy loop upon starting playback, and to become
irresponsive as soon as a client asks MPD to change playback. Severity
"important" (or more) because this bug is a remote DoS vulnerability
for MPD.
Due to copyright issues, I will provide a sample file demonstrating
the problem via private email only.
--- End Message ---
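A defender-side check for the I/O pattern shown in the strace excerpt above, as an added example that is not part of the original report or of the mpg123 or MPD code: it scans strace output for a descriptor that repeatedly seeks backwards and re-reads the same bytes. The function names, the min_rewinds threshold and the generated traces are constructed for illustration; the looping trace assumes each rewind lands one byte further on than the last.

```python
import re
from collections import defaultdict

# strace lines such as:  read(4, "\277", 1) = 1
READ = re.compile(r'^read\((\d+), .*, \d+\)\s+= (\d+)$')
# strace lines such as:  lseek(4, -65536, SEEK_CUR) = 19013
SEEK = re.compile(r'^lseek\((\d+), (-?\d+), SEEK_CUR\)\s+= (\d+)$')


def find_rewind_loops(lines, min_rewinds=3):
    """Return {fd: stats} for descriptors that keep re-reading the same bytes."""
    stats = defaultdict(lambda: {"bytes": 0, "tiny": 0, "rewinds": 0, "last": None})
    for line in lines:
        line = line.strip()
        if m := READ.match(line):
            s, n = stats[int(m[1])], int(m[2])
            s["bytes"] += n
            s["tiny"] += int(n == 1)          # one-byte reads, as in the report
        elif m := SEEK.match(line):
            s, delta, pos = stats[int(m[1])], int(m[2]), int(m[3])
            if delta < 0:
                # Landing less than |delta| past the previous landing point
                # means the bytes in between are about to be read again.
                if s["last"] is not None and pos - s["last"] < -delta:
                    s["rewinds"] += 1
                s["last"] = pos
    return {fd: s for fd, s in stats.items() if s["rewinds"] >= min_rewinds}


def constructed_loop(cycles=5, rewind=65536, start=19013):
    """Constructed trace: fd 4 reads rewind+1 single bytes, then seeks back."""
    out = []
    for i in range(cycles):
        out += ['read(4, "Y", 1) = 1'] * (rewind + 1)
        out.append(f"lseek(4, -{rewind}, SEEK_CUR) = {start + i}")
    return out


# Constructed healthy trace: sequential 4 kB reads, no backward seeks.
HEALTHY = ['read(5, "ID3"..., 4096) = 4096'] * 100

if __name__ == "__main__":
    for fd, s in find_rewind_loops(constructed_loop()).items():
        print(f"fd {fd}: {s['rewinds']} repeated rewinds, "
              f"{s['tiny']} one-byte reads, {s['bytes']} bytes read")
    print("healthy trace flagged:", bool(find_rewind_loops(HEALTHY)))
```

Real input would come from attaching to the stuck process, for example with strace -p PID -e trace=read,lseek. A short capture containing only one backward seek, like the excerpt in the report, is not enough evidence and is not flagged.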
--- Begin Message ---
Source: mpg123
Source-Version: 1.14.4-1
We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miguel A. Colón Vélez <[email protected]> (supplier of updated mpg123 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Sep 2012 03:31:20 -0400
Source: mpg123
Binary: mpg123 libmpg123-0 libmpg123-dev
Architecture: source amd64
Version: 1.14.4-1
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Miguel A. Colón Vélez <[email protected]>
Description:
libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
mpg123 - MPEG layer 1/2/3 audio player
Closes: 677148
Changes:
mpg123 (1.14.4-1) unstable; urgency=low
.
* New upstream release.
- Fix regression from 1.14.1 in parsing of bad free format streams.
(Closes: #677148)
- Fix resync logic to properly work again (used to prematurely end stream
on bad headers).
- Fix multiple seek regressions.
--- End Message ---