Processed: Re: Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #839731 [release.debian.org] jessie-pu: package mpg123/1.20.1-2+deb8u1
Added tag(s) pending.

-- 
839731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-12 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-10-08 at 21:21 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-10-04 at 12:01 +0100, James Cowgill wrote:
> > A security issue was reported against mpg123 in bug #838960. Since it
> > was marked no-DSA by the security team, it needs a normal jessie-pu
> > update to fix it in jessie.
> > 
> > The debdiff is attached. I've tested it on jessie against the testcase
> > provided in the upstream bug report (https://mpg123.org/bugs/240).
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #839731 [release.debian.org] jessie-pu: package mpg123/1.20.1-2+deb8u1
Added tag(s) confirmed.

-- 
839731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2016-10-04 at 12:01 +0100, James Cowgill wrote:
> A security issue was reported against mpg123 in bug #838960. Since it
> was marked no-DSA by the security team, it needs a normal jessie-pu
> update to fix it in jessie.
> 
> The debdiff is attached. I've tested it on jessie against the testcase
> provided in the upstream bug report (https://mpg123.org/bugs/240).

Please go ahead.

Regards,

Adam



Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-04 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

A security issue was reported against mpg123 in bug #838960. Since it
was marked no-DSA by the security team, it needs a normal jessie-pu
update to fix it in jessie.

The debdiff is attached. I've tested it on jessie against the testcase
provided in the upstream bug report (https://mpg123.org/bugs/240).

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog
--- mpg123-1.20.1/debian/changelog  2014-08-31 10:51:53.0 +0100
+++ mpg123-1.20.1/debian/changelog  2016-10-04 11:42:56.0 +0100
@@ -1,3 +1,10 @@
+mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
+
+ -- James Cowgill   Tue, 04 Oct 2016 11:42:56 +0100
+
 mpg123 (1.20.1-2) unstable; urgency=medium
 
   * Team upload.
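Review bot: the changelog entry gives only the Debian bug (Closes: #838960) while the DEP-3 header of the new patch records both the upstream report (https://sourceforge.net/p/mpg123/bugs/240/) and that the fix was applied upstream in 1.23.8; suggest carrying at least the upstream release into the entry, e.g. `* Fix DoS with crafted ID3v2 tags, cherry-picked from upstream 1.23.8. (Closes: #838960)`, so the stable changelog alone says where the change came from.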
diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 
mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
--- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch  
1970-01-01 01:00:00.0 +0100
+++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch  
2016-10-04 11:41:20.0 +0100
@@ -0,0 +1,18 @@
+Description: Fix DoS with crafted ID3v2 tags
+Author: Thomas Orgis 
+Bug: https://sourceforge.net/p/mpg123/bugs/240/
+Bug-Debian: https://bugs.debian.org/838960
+Applied-Upstream: 1.23.8
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/libmpg123/id3.c
 b/src/libmpg123/id3.c
+@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns
+   unsigned long fflags; /* need 16 bits, 
actually */
+   id[4] = 0;
+   /* pos now advanced after ext head, now 
a frame has to follow */
+-  while(tagpos < length-10) /* I want to 
read at least a full header */
++  while(length >= 10 && tagpos < 
length-10) /* I want to read at least a full header */
+   {
+   int i = 0;
+   unsigned long pos = tagpos;
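Review bot: the added `length >= 10 &&` term stops `length-10` from wrapping when `length` (unsigned) is smaller than one frame header, but the comment on that line still reads only "I want to read at least a full header" and does not record why the extra clause is there; suggest extending it, e.g. `/* length is unsigned: guard before subtracting, then read at least a full header */`, so a later cleanup does not fold the condition back to `tagpos < length-10`. The hunk guards only the loop entry; whether `tagpos` can still be advanced past `length` inside the body is outside the visible context.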
diff -Nru mpg123-1.20.1/debian/patches/series 
mpg123-1.20.1/debian/patches/series
--- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.0 +0100
+++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.0 +0100
@@ -1 +1,2 @@
 0001-disable_not_public_funcs.patch
+0002-dos-crafted-id3v2-tags.patch


signature.asc
Description: OpenPGP digital signature
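The failure mode the debdiff above fixes, shown as an added example written here for illustration; it is not code from mpg123, from the upstream bug report or from the attached patch. Both loop conditions are copied from the hunk into small predicate functions; the frame walker around them, the function names, the `ID3V2_FRAME_HEADER` constant and the two sample tags are constructed for this example, and frame sizes are read as plain big-endian 32-bit values, which simplifies the real ID3v2 size encoding.

```c
/* Added example (not libmpg123 code): how the pre-patch bound check
 * misbehaves on a tag shorter than one frame header, and how the
 * patched guard stops it. Sizes are read as plain big-endian 32-bit
 * values, a simplification of ID3v2 frame sizes. */
#include <stdio.h>

#define ID3V2_FRAME_HEADER 10UL   /* 4-byte id + 4-byte size + 2-byte flags */

/* Loop condition as it stood before the patch. `length` is unsigned, so for
 * length < 10 the subtraction wraps to a value near ULONG_MAX and the
 * condition is true even though no frame header can fit in the tag. */
static int unguarded_wants_frame(unsigned long tagpos, unsigned long length)
{
    return tagpos < length - ID3V2_FRAME_HEADER;
}

/* Loop condition after the patch: refuse to subtract when it would wrap. */
static int guarded_wants_frame(unsigned long tagpos, unsigned long length)
{
    return length >= ID3V2_FRAME_HEADER && tagpos < length - ID3V2_FRAME_HEADER;
}

/* Frame walker shaped like the loop in the hunk (constructed here).
 * Returns the number of frames walked, or -1 when the supplied loop
 * condition admits a read that would run past `length`, which is where a
 * real parser reads out of bounds. */
static long walk_frames(const unsigned char *tag, unsigned long length,
                        int (*wants_frame)(unsigned long, unsigned long))
{
    unsigned long tagpos = 0;   /* invariant: tagpos <= length */
    long frames = 0;

    while (wants_frame(tagpos, length)) {
        if (length - tagpos < ID3V2_FRAME_HEADER)
            return -1;          /* header read would overrun the tag */

        unsigned long fsize = ((unsigned long)tag[tagpos + 4] << 24)
                            | ((unsigned long)tag[tagpos + 5] << 16)
                            | ((unsigned long)tag[tagpos + 6] << 8)
                            |  (unsigned long)tag[tagpos + 7];
        if (fsize == 0)
            break;              /* zero-size frame: treat as padding, stop */
        if (fsize > length - tagpos - ID3V2_FRAME_HEADER)
            return -1;          /* frame body would overrun the tag */

        tagpos += ID3V2_FRAME_HEADER + fsize;
        frames++;
    }
    return frames;
}

/* Constructed sample tags (not the testcase from the upstream report):
 * two well-formed frames, and a 3-byte stub shorter than one header. */
static const unsigned char kValidTag[] = {
    'T','I','T','2', 0,0,0,5, 0,0, 'H','e','l','l','o',
    'T','A','L','B', 0,0,0,3, 0,0, 'A','l','b'
};
static const unsigned char kShortTag[] = { 'I','D','3' };

int main(void)
{
    printf("valid tag,  unguarded: %ld frames\n",
           walk_frames(kValidTag, sizeof kValidTag, unguarded_wants_frame));
    printf("valid tag,  guarded:   %ld frames\n",
           walk_frames(kValidTag, sizeof kValidTag, guarded_wants_frame));
    printf("3-byte tag, unguarded: %ld (negative = out-of-bounds read)\n",
           walk_frames(kShortTag, sizeof kShortTag, unguarded_wants_frame));
    printf("3-byte tag, guarded:   %ld frames\n",
           walk_frames(kShortTag, sizeof kShortTag, guarded_wants_frame));
    return 0;
}
```

On the 3-byte tag the unguarded predicate evaluates `0 < 3UL - 10`, which is true after the wrap, so the walker is sent to read a 10-byte header out of a 3-byte buffer; the guarded predicate short-circuits on `length >= 10` and the loop never starts. Both variants behave identically on the well-formed tag, which is the property a stable-update patch of this shape needs to preserve.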