Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #839731,
regarding jessie-pu: package mpg123/1.20.1-2+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
839731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org
Hi,
A security issue was reported against mpg123 in bug #838960. Since it
was marked no-DSA by the security team, it needs a normal jessie-pu
update to fix it in jessie.
The debdiff is attached. I've tested it on jessie against the testcase
provided in the upstream bug report (https://mpg123.org/bugs/240).
Thanks,
James
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog
--- mpg123-1.20.1/debian/changelog 2014-08-31 10:51:53.000000000 +0100
+++ mpg123-1.20.1/debian/changelog 2016-10-04 11:42:56.000000000 +0100
@@ -1,3 +1,10 @@
+mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
+
+ * Team upload.
+ * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
+
+ -- James Cowgill <jcowg...@debian.org> Tue, 04 Oct 2016 11:42:56 +0100
+
mpg123 (1.20.1-2) unstable; urgency=medium
* Team upload.
diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
--- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
1970-01-01 01:00:00.000000000 +0100
+++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
2016-10-04 11:41:20.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix DoS with crafted ID3v2 tags
+Author: Thomas Orgis <thomas-fo...@orgis.org>
+Bug: https://sourceforge.net/p/mpg123/bugs/240/
+Bug-Debian: https://bugs.debian.org/838960
+Applied-Upstream: 1.23.8
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/libmpg123/id3.c
++++ b/src/libmpg123/id3.c
+@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns
+ unsigned long fflags; /* need 16 bits,
actually */
+ id[4] = 0;
+ /* pos now advanced after ext head, now
a frame has to follow */
+- while(tagpos < length-10) /* I want to
read at least a full header */
++ while(length >= 10 && tagpos <
length-10) /* I want to read at least a full header */
+ {
+ int i = 0;
+ unsigned long pos = tagpos;
diff -Nru mpg123-1.20.1/debian/patches/series
mpg123-1.20.1/debian/patches/series
--- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.000000000 +0100
+++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.000000000 +0100
@@ -1 +1,2 @@
0001-disable_not_public_funcs.patch
+0002-dos-crafted-id3v2-tags.patch
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Version: 8.7
Hi,
Each of these bugs refers to an update that was included in today's 8.7
point release.
Regards,
Adam
--- End Message ---
