Your message dated Wed, 20 Sep 2006 04:17:07 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#382842: fixed in alsaplayer 0.99.76-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: alsaplayer
Severity: grave
Tags: security patch
Justification: user security hole

The following security issues were reported by Luigi Auriemma. 

"""
Luigi Auriemma has reported some vulnerabilities in AlsaPlayer, which
potentially can be exploited by malicious people to compromise a user's system.

1) A boundary error exists in the "reconnect()" function in reader/http/http.c
during the handling of HTTP connections. This can be exploited to cause a
stack-based buffer overflow when receiving a specially crafted "Location" HTTP
response header.

Successful exploitation may allow execution of arbitrary code, but requires
that the client connects to a malicious server.

2) A boundary error in the functions used for adding items to the playlist can
be exploited to cause a buffer overflow via e.g. an overly long URL.

Successful exploitation may allow execution of arbitrary code, but requires
that the GTK interface is used.

3) Two boundary errors exist in the "cddb_lookup()" function in
input/ccda/cdda_engine.c when performing a query to a CDDB server. This can be
exploited to cause stack-based buffer overflows when receiving a specially
crafted CDDB response.

Successful exploitation may allow execution of arbitrary code when querying a
malicious CDDB server.

The vulnerabilities have been reported in version 0.99.76. Other versions may
also be affected.
"""

http://secunia.com/advisories/21422/
http://aluigi.altervista.org/adv/alsapbof-adv.txt

Hubert Chan wrote the attached patch which fixes these three issues.

Thanks to Stefan Fritsch for informing us about this issue.

Cheers, Paul

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-powerpc
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Attachment: signature.asc
Description: Digital signature


--- End Message ---
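The first issue in the quoted advisory is a fixed-size stack buffer receiving a server-supplied "Location" header. The following illustration is added here and is neither alsaplayer's reconnect() code nor Hubert Chan's patch; it assumes a hypothetical LOC_MAX-byte buffer and shows the bounded, length-checked copy that replaces the unbounded one. The same discipline applies to the playlist URL and CDDB response cases.

```c
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Illustrative only, not alsaplayer's reconnect(): a redirect-following client
 * keeping the "Location" URL in a fixed-size stack buffer.  The unsafe pattern
 * the advisory describes is  strcpy(url, value);  with no bound on value. */
#define LOC_MAX 256

/* Hardened form: copy the Location value into out[outlen], refusing (not
 * silently truncating) a value that does not fit.
 * Returns 0 on success, -1 if no Location header, -2 if the value is too long. */
int extract_location(const char *response, char *out, size_t outlen)
{
    const char *line = response;
    while (line && *line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen == 0) break;                     /* blank line ends headers */
        if (linelen >= 9 && strncasecmp(line, "Location:", 9) == 0) {
            const char *val = line + 9, *end = line + linelen;
            while (val < end && (*val == ' ' || *val == '\t')) val++;
            size_t vlen = (size_t)(end - val);
            if (vlen + 1 > outlen) return -2;        /* would overflow: reject */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!eol) break;
        for (line = eol; *line == '\r' || *line == '\n'; line++) ;  /* skip CRLF */
    }
    return -1;
}

/* Constructed sample responses (not captured traffic). */
static const char SAMPLE_OK[] =
    "HTTP/1.0 302 Found\r\nLocation: http://example.invalid/stream.mp3\r\n\r\n";
static const char SAMPLE_NONE[] = "HTTP/1.0 200 OK\r\nContent-Type: audio/mpeg\r\n\r\n";

/* A redirect whose Location value is longer than LOC_MAX, built at runtime. */
int long_location_rejected(void)
{
    char url[LOC_MAX + 64], resp[512], out[LOC_MAX];
    memset(url, 'A', sizeof url - 1);
    url[sizeof url - 1] = '\0';
    memcpy(url, "http://", 7);
    snprintf(resp, sizeof resp, "HTTP/1.0 302 Found\r\nLocation: %s\r\n\r\n", url);
    return extract_location(resp, out, sizeof out);  /* -2: rejected, stack intact */
}
```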
--- Begin Message ---
Source: alsaplayer
Source-Version: 0.99.76-9

We believe that the bug you reported is fixed in the latest version of
alsaplayer, which is due to be installed in the Debian FTP archive:

alsaplayer-alsa_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9_powerpc.deb
alsaplayer-common_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-common_0.99.76-9_powerpc.deb
alsaplayer-daemon_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9_powerpc.deb
alsaplayer-esd_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-esd_0.99.76-9_powerpc.deb
alsaplayer-gtk_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9_powerpc.deb
alsaplayer-jack_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-jack_0.99.76-9_powerpc.deb
alsaplayer-nas_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-nas_0.99.76-9_powerpc.deb
alsaplayer-oss_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-oss_0.99.76-9_powerpc.deb
alsaplayer-text_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-text_0.99.76-9_powerpc.deb
alsaplayer-xosd_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9_powerpc.deb
alsaplayer_0.99.76-9.diff.gz
  to pool/main/a/alsaplayer/alsaplayer_0.99.76-9.diff.gz
alsaplayer_0.99.76-9.dsc
  to pool/main/a/alsaplayer/alsaplayer_0.99.76-9.dsc
libalsaplayer-dev_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9_powerpc.deb
libalsaplayer0_0.99.76-9_powerpc.deb
  to pool/main/a/alsaplayer/libalsaplayer0_0.99.76-9_powerpc.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Brossier <[EMAIL PROTECTED]> (supplier of updated alsaplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 20 Sep 2006 00:35:25 +0200
Source: alsaplayer
Binary: alsaplayer-daemon alsaplayer-xosd libalsaplayer-dev alsaplayer-jack 
alsaplayer-esd alsaplayer-text alsaplayer-nas alsaplayer-oss alsaplayer-alsa 
alsaplayer-gtk libalsaplayer0 alsaplayer-common
Architecture: source powerpc
Version: 0.99.76-9
Distribution: unstable
Urgency: high
Maintainer: Hubert Chan <[EMAIL PROTECTED]>
Changed-By: Paul Brossier <[EMAIL PROTECTED]>
Description: 
 alsaplayer-alsa - PCM player designed for ALSA (ALSA output module)
 alsaplayer-common - PCM player designed for ALSA (common files)
 alsaplayer-daemon - PCM player designed for ALSA (non-interactive version)
 alsaplayer-esd - PCM player designed for ALSA (EsounD output module)
 alsaplayer-gtk - PCM player designed for ALSA (GTK version)
 alsaplayer-jack - PCM player designed for ALSA (JACK output module)
 alsaplayer-nas - PCM player designed for ALSA (NAS output module)
 alsaplayer-oss - PCM player designed for ALSA (OSS output module)
 alsaplayer-text - PCM player designed for ALSA (text version)
 alsaplayer-xosd - PCM player designed for ALSA (osd version)
 libalsaplayer-dev - PCM player designed for ALSA (interface library, development files)
 libalsaplayer0 - PCM player designed for ALSA (interface library)
Closes: 382842
Changes: 
 alsaplayer (0.99.76-9) unstable; urgency=high
 .
   * 01_security_SA21422: patch from Hubert Chan to fix some buffer overflow
     bugs. (see: http://secunia.com/advisories/21422/) (closes: #382842)
     Upload with urgency high (fixes security issues).
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFESIc2PLmgVuXpdIRAi3iAJ99pJIfWM+/y473jCMogrpOFU8emgCfVw2r
CmvRXkBCP3unlHnqo7Fo0Gk=
=0V0f
-----END PGP SIGNATURE-----


--- End Message ---
