Hi!

mpg123 made use of a feature in libltdl3 that was removed to fix CVE-2009-3736.
As a result, mpg123 in stable can no longer load any output plugins. I'd like
to ask for approval of an upload to stable (debdiff attached) to fix this
regression.

Regards,

Daniel.
diff -u mpg123-1.4.3/debian/changelog mpg123-1.4.3/debian/changelog
--- mpg123-1.4.3/debian/changelog
+++ mpg123-1.4.3/debian/changelog
@@ -1,3 +1,11 @@
+mpg123 (1.4.3-4lenny1) stable; urgency=medium
+
+  * src/module.c: Backport upstream patch to fix regression in module
+    loading when a libltdl with a fix for CVE-2009-3736 is in place.
+    Closes: #572920
+
+ -- Daniel Kobras <[email protected]>  Mon, 29 Mar 2010 11:56:52 +0200
+
 mpg123 (1.4.3-4) unstable; urgency=medium
 
   * src/wav.c: Backport upstream patch for writing WAV output to stdout
only in patch2:
unchanged:
--- mpg123-1.4.3.orig/src/module.c
+++ mpg123-1.4.3/src/module.c
@@ -93,13 +93,14 @@
 
        chdir(moddir);
        /* Work out the path of the module to open */
-       module_path_len = strlen(type) + 1 + strlen(name) + 
strlen(MODULE_FILE_SUFFIX) + 1;
+       /* Note that we need to open ./file, not just file! */
+       module_path_len = 2 + strlen(type) + 1 + strlen(name) + 
strlen(MODULE_FILE_SUFFIX) + 1;
        module_path = malloc( module_path_len );
        if (module_path == NULL) {
                error1( "Failed to allocate memory for module name: %s", 
strerror(errno) );
                goto om_bad;
        }
-       snprintf( module_path, module_path_len, "%s_%s%s", type, name, 
MODULE_FILE_SUFFIX );
+       snprintf( module_path, module_path_len, "./%s_%s%s", type, name, 
MODULE_FILE_SUFFIX );
        /* Display the path of the module created */
        debug1( "Module path: %s", module_path );
 
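Review bot: With the new `./` prefix in the snprintf format, the module path is resolved relative to the process working directory, so the lookup is only correct if the preceding `chdir(moddir)` succeeded, and that call's return value is not checked; if it fails, the loader would try to open `./%s_%s%s` in whatever directory the process happens to be in. Suggest `if (chdir(moddir) != 0) { error1("Failed to change to module directory: %s", strerror(errno)); goto om_bad; }`, reusing the existing `om_bad` cleanup path. The comment added on the new side says that `./file` is needed but not why; consider `/* libltdl no longer searches the current directory for bare names (CVE-2009-3736 fix), so pass an explicit ./ path */` so the next maintainer does not "simplify" it away. The enclosing function starts before and ends after this hunk, so the `om_bad` handling and whether the original working directory is restored are not visible here.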
