Debian Bug report logs - #378091
libtunepimp: buffer overflow


Package: libtunepimp; Maintainer for libtunepimp is Adam Cécile (Le_Vert) <gandalf@le-vert.net>;

Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Thu, 13 Jul 2006 09:33:02 UTC

Severity: grave

Tags: fixed, patch, security

Found in version 0.3.0-3

Fixed in versions 0.4.2-3.0etch1, libtunepimp/0.4.2-4

Done: Robert Jordens <jordens@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Robert Jordens <jordens@debian.org>:
Bug#378091; Package libtunepimp. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Robert Jordens <jordens@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: libtunepimp: buffer overflow
Date: Thu, 13 Jul 2006 11:07:47 +0200
Package: libtunepimp
Version: 0.4.2-3
Version: 0.3.0-3
Severity: grave
Tags: security patch

Hi!

http://bugs.musicbrainz.org/ticket/1764 describes some buffer
overflows in libtunepimp. For your convenience, these are the ubuntu
debdiffs for 0.4.2 and 0.3.0 (for sarge-security):

  http://people.ubuntu.com/patches/libtunepimp-0.4.2.buffer-overflow.diff
  http://people.ubuntu.com/patches/libtunepimp-0.3.0.buffer-overflow.diff

I asked for a CVE on vendor-sec, will forward it here as soon as it is
assigned.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Adeodato Simó <dato@net.com.org.es> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Jordens <jordens@debian.org>:
Bug#378091; Package libtunepimp. Full text and rfc822 format available.

Acknowledgement sent to 378091@bugs.debian.org, Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to Robert Jordens <jordens@debian.org>. Full text and rfc822 format available.

Message #12 received at 378091@bugs.debian.org (full text, mbox):

From: Adeodato Simó <dato@net.com.org.es>
To: 378091@bugs.debian.org, control@bugs.debian.org
Subject: NMU diff for libtunepimp 0.4.2-3.0etch1
Date: Sat, 22 Jul 2006 21:02:45 +0200
tag 378091 + patch
thanks

Hi,

Attached is the diff for my libtunepimp 0.4.2-3.0etch1 NMU.

The reason for uploading to t-p-u is that migration from unstable is
blocked by perl.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
A conference is a gathering of important people who singly can do nothing
but together can decide that nothing can be done.
                -- Fred Allen
[libtunepimp-0.4.2-3.0etch1-nmu.diff (text/plain, attachment)]

Tags added: fixed Request was from Adeodato Simó <dato@net.com.org.es> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from Adeodato Simó <dato@net.com.org.es> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Jordens <jordens@debian.org>:
Bug#378091; Package libtunepimp. Full text and rfc822 format available.

Acknowledgement sent to Robert Jordens <robertjo@phys.ethz.ch>:
Extra info received and forwarded to list. Copy sent to Robert Jordens <jordens@debian.org>. Full text and rfc822 format available.

Message #21 received at 378091@bugs.debian.org (full text, mbox):

From: Robert Jordens <robertjo@phys.ethz.ch>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, Adeodato Simó <dato@net.com.org.es>
Subject: Re: CVE-2006-3600: Buffer overflow in libtunepimp
Date: Sun, 23 Jul 2006 21:48:32 +0200
Hello!

Thanks for the patch, the stable NMU and the testing NMU (CCing
Adeodato)!
Sorry for not getting at this earlier.

[Sun, 23 Jul 2006] Martin Schulze wrote:
>  . tell me the version number of the fixed package

Will be 0.4.2-4. My patch (incorporating not the submitter's patch but
the upstream changeset) for unstable is attached.

> +libtunepimp (0.3.0-3sarge1) stable-security; urgency=high

A note though:

> -    char           error[255], data[255], trackURI[256],
> +    char           error[255], data[256], trackURI[256],
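
Review bot: on the + line, error stays at 255 bytes while data grows to 256 to match trackURI. If error is filled under the same length limit as data, the one-byte overrun this change removes for data is still present for error; widen it as well (error[256]) or state why its writes are bounded more tightly.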

In the original patch at
http://bugs.musicbrainz.org/attachment/ticket/1764/libtunepimp-0.4.2-lookuptools.cpp-fix-buffer-overflow.diff and the final upstream changeset at http://bugs.musicbrainz.org/changeset/7935, that's:

-    char           error[255], data[255], trackURI[256],
+    char           error[256], data[256], trackURI[256],
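
Review bot: the + line sizes all three buffers with the bare literal 256, and the limit used by the code that fills them is not part of this hunk, so nothing ties the two together. A named constant for the size, or sizeof(error) and sizeof(data) at the points where the buffers are written, would keep a later edit from reintroducing the 255/256 mismatch.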

And in the latter, there is also another s/255/256/ hunk further down.
AFAICT for stable, testing and ubuntu the latter changeset should be
better (and also apply cleanly).

        Robert.

-- 
The bugs you have to avoid are the ones that give the user not only
the inclination to get on a plane, but also the time.
		-- Kay Bostic



Bug marked as fixed in version 0.4.2-3.0etch1, send any further explanations to Martin Pitt <martin.pitt@ubuntu.com> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Martin Pitt <martin.pitt@ubuntu.com>:
Bug#378091. Full text and rfc822 format available.

Message #26 received at 378091-submitter@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
Subject: bugs fixed in NMU, documenting versions
Date: Wed, 25 Oct 2006 21:05:42 -0700
# Hi folks,
#
# You are receiving this mail because you are the submitter of one or more
# bugs that have been fixed in a non-maintainer upload of a Debian package,
# but not yet acknowledged by the maintainers.  With version tracking in the
# Debian BTS, it is important to know which version of a package fixes each
# bug so that they can be tracked for release status in the BTS, so I'm
# closing these bugs with the relevant version number information now.
#
# It is possible that this will be the only message you receive about this
# bug being fixed, and due to the volume of affected bugs we are
# unfortunately not sending individualized explanations for each bug.  If
# you have questions about the fix for your particular bug or about this
# email, please contact me directly or follow up to the bug report in the
# BTS.

close 378091 0.4.2-3.0etch1
thanks

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Reply sent to Robert Jordens <jordens@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 378091-close@bugs.debian.org (full text, mbox):

From: Robert Jordens <jordens@debian.org>
To: 378091-close@bugs.debian.org
Subject: Bug#378091: fixed in libtunepimp 0.4.2-4
Date: Fri, 03 Nov 2006 15:47:51 -0800
Source: libtunepimp
Source-Version: 0.4.2-4

We believe that the bug you reported is fixed in the latest version of
libtunepimp, which is due to be installed in the Debian FTP archive:

libtunepimp-bin_0.4.2-4_powerpc.deb
  to pool/main/libt/libtunepimp/libtunepimp-bin_0.4.2-4_powerpc.deb
libtunepimp-perl_0.4.2-4_powerpc.deb
  to pool/main/libt/libtunepimp/libtunepimp-perl_0.4.2-4_powerpc.deb
libtunepimp3-dev_0.4.2-4_powerpc.deb
  to pool/main/libt/libtunepimp/libtunepimp3-dev_0.4.2-4_powerpc.deb
libtunepimp3_0.4.2-4_powerpc.deb
  to pool/main/libt/libtunepimp/libtunepimp3_0.4.2-4_powerpc.deb
libtunepimp_0.4.2-4.diff.gz
  to pool/main/libt/libtunepimp/libtunepimp_0.4.2-4.diff.gz
libtunepimp_0.4.2-4.dsc
  to pool/main/libt/libtunepimp/libtunepimp_0.4.2-4.dsc
python-tunepimp_0.4.2-4_all.deb
  to pool/main/libt/libtunepimp/python-tunepimp_0.4.2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Jordens <jordens@debian.org> (supplier of updated libtunepimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri,  3 Nov 2006 20:37:31 +0100
Source: libtunepimp
Binary: libtunepimp3-dev libtunepimp3 libtunepimp-perl python-tunepimp libtunepimp-bin
Architecture: source powerpc all
Version: 0.4.2-4
Distribution: unstable
Urgency: high
Maintainer: Robert Jordens <jordens@debian.org>
Changed-By: Robert Jordens <jordens@debian.org>
Description: 
 libtunepimp-bin - libtunepimp simple tagging applications
 libtunepimp-perl - libtunepimp perl bindings
 libtunepimp3 - MusicBrainz tagging library and simple tagger application
 libtunepimp3-dev - MusicBrainz tagging library -- development files
 python-tunepimp - libtunepimp python bindings (default package)
Closes: 373455 378091 380056
Changes: 
 libtunepimp (0.4.2-4) unstable; urgency=HIGH
 .
   * ACK libtunepimp 0.4.2-3.0etch1 NMU. And re-add the changes that
     were removed silently by the last two NMUs.
     closes: Bug#378091
   * ACK NMUs 0.4.2-3.2 and 0.4.2-3.1 (python transition).
     closes: Bug#380056, #373455
   * Urgency high upload for critical security fix.
   * The NMU contains the original patch from
     http://bugs.musicbrainz.org/attachment/ticket/1764/libtunepimp-0.4.2-lookuptools.cpp-fix-buffer-overflow.diff
     The final upstream changeset seems more complete and correct.
     http://bugs.musicbrainz.org/changeset/7935




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 03:43:48 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:48:19 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:50:49 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:15:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.