Debian Bug report logs - #270542
CAN-2004-0805: Buffer overflow in layer2 decoder.

Package: mpg123; Maintainer for mpg123 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for mpg123 is src:mpg123.

Reported by: Daniel Kobras <kobras@debian.org>

Date: Tue, 7 Sep 2004 20:48:03 UTC

Severity: grave

Tags: security, woody

Found in version 0.59r-16

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#270542; Package mpg123.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
New Bug report received and forwarded.

Message #5 received at submit@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2004-0805: Buffer overflow in layer2 decoder.
Date: Tue, 7 Sep 2004 22:38:27 +0200
Package: mpg123
Version: 0.59r-16
Severity: grave
Tags: security sarge woody
Justification: user security hole

Insufficient input validation allows a malicious mpeg audio file to
cause a buffer overflow in the layer2 decoding routines. This is
CAN-2004-0805, see also e.g.
http://article.gmane.org/gmane.comp.security.full-disclosure/25471

Packages in sid are fixed already. Woody and sarge are still affected.

Daniel.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=C, LC_CTYPE=de_DE

Versions of packages mpg123 depends on:
ii  libc6                       2.3.2.ds1-16 GNU C Library: Shared libraries an

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#270542; Package mpg123.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>.

Message #10 received at 270542@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 270542@bugs.debian.org
Subject: Re: CAN-2004-0805: Buffer overflow in layer2 decoder.
Date: Fri, 1 Oct 2004 22:10:21 -0700
tags 270542 -sarge
thanks

A fixed mpg123 package has been built on arm now, and the fix has
propagated to testing, leaving this a woody-only issue.

Thanks,
-- 
Steve Langasek
postmodern programmer

Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility.

Notification sent to Daniel Kobras <kobras@debian.org>:
Bug acknowledged by developer.

Message #17 received at 270542-done@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 270542-done@bugs.debian.org
Subject: Fixed in mpg123_0.59r-13woody3.
Date: Wed, 13 Oct 2004 17:54:02 +0200
DSA-564 addresses the mpg123 security issue for woody. Bug closed.

Daniel.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:23:34 2014; Machine Name: buxtehude.debian.org
