Debian Bug report logs - #572920
libltdl3: Security update breaks mpg123


Package: mpg123; Maintainer for mpg123 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for mpg123 is src:mpg123.

Reported by: Touko Korpela <tkorpela@phnet.fi>

Date: Sun, 7 Mar 2010 17:27:01 UTC

Severity: grave

Tags: lenny

Merged with 579466

Found in version mpg123/1.4.3-4

Fixed in versions mpg123/1.6.2-1, mpg123/1.4.3-4lenny1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kurt Roeckx <kurt@roeckx.be>:
Bug#572920; Package libltdl3. (Sun, 07 Mar 2010 17:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Touko Korpela <tkorpela@phnet.fi>:
New Bug report received and forwarded. Copy sent to Kurt Roeckx <kurt@roeckx.be>. (Sun, 07 Mar 2010 17:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Touko Korpela <tkorpela@phnet.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libltdl3: Security update breaks mpg123
Date: Sun, 07 Mar 2010 19:25:17 +0200
Package: libltdl3
Version: 1.5.26-4+lenny1
Severity: grave
Justification: renders package unusable

Libtool security update seems to have broken mpg123 (1.4.3-4). It can't find or
load output plugins. I don't know what package to blame but things should keep
working in stable.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (900, 'stable'), (700, 'unstable'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libltdl3 depends on:
ii  libc6                       2.7-18lenny2 GNU C Library: Shared libraries

libltdl3 recommends no packages.

libltdl3 suggests no packages.

-- no debconf information
[mpg123-strace (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#572920; Package libltdl3. (Sun, 07 Mar 2010 21:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. (Sun, 07 Mar 2010 21:00:05 GMT) Full text and rfc822 format available.

Message #10 received at 572920@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Touko Korpela <tkorpela@phnet.fi>
Cc: 572920@bugs.debian.org
Subject: Re: Bug#572920: libltdl3: Security update breaks mpg123
Date: Sun, 7 Mar 2010 21:58:55 +0100
reassing 572920 mpg123 1.4.3-4
thanks

On Sun, Mar 07, 2010 at 07:25:17PM +0200, Touko Korpela wrote:
> Package: libltdl3
> Version: 1.5.26-4+lenny1
> Severity: grave
> Justification: renders package unusable
> 
> Libtool security update seems to have broken mpg123 (1.4.3-4). It can't find or
> load output plugins. I don't know what package to blame but things should keep
> working in stable.

I don't see how the change in libltdl3 should cause problems.  The
change makes it stop looking for .la files where it shouldn't.  I
don't see why mpg123 would need to open a file there.

So I'm reassigning this bug to mpg123 for now.


Kurt





Bug reassigned from package 'libltdl3' to 'mpg123'. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Sun, 07 Mar 2010 21:18:08 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions libtool/1.5.26-4+lenny1. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Sun, 07 Mar 2010 21:18:09 GMT) Full text and rfc822 format available.

Bug Marked as found in versions mpg123/1.4.3-4. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Sun, 07 Mar 2010 21:18:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#572920; Package mpg123. (Mon, 08 Mar 2010 16:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michał Mirosław <mirq-deboogs@rere.qmqm.pl>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 08 Mar 2010 16:15:05 GMT) Full text and rfc822 format available.

Message #21 received at 572920@bugs.debian.org (full text, mbox):

From: Michał Mirosław <mirq-deboogs@rere.qmqm.pl>
To: 572920@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>
Subject: #572920: mpg123 broken after libltdl3 upgrade
Date: Mon, 8 Mar 2010 17:02:44 +0100
I just verified that removing cve-2009-3736.patch from series file and
rebuilding libltdl3 package fixes mpg123. That patch stops libltdl from
looking in CWD for .la files and that breaks mpg123 module loading.

In case of mpg123 it does:

chdir("/usr/lib/mpg123");
lt_dlopen("type_module.la");

BTW, when passing '-o /../X' mpg123 will happily lt_dlopen("type_/../X.la"),
but that's another story.

Best Regards,
Michał Mirosław
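
The two points in the message above, as an added example (not mpg123's code and not the upstream patch referenced later in this log): build an absolute module path so loading does not depend on the current directory, and validate the name so a value such as `/../X` is refused before it reaches lt_dlopen(). The `output` type string, the function names and the allowed character set are assumptions; the directory is the one from the quoted chdir() call.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Module directory, taken from the chdir() call quoted above. */
#define MODULE_DIR "/usr/lib/mpg123"

/* Accept only plain names: letters, digits, '_' and '-'.
 * This rejects '/', '.', and the empty string, so "/../X"
 * cannot escape MODULE_DIR. (Character set is an assumption.) */
static int module_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!isalnum(*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

/* Build "<MODULE_DIR>/<type>_<name>.la" into out (hypothetical helper).
 * Returns 0 on success, -1 on a rejected name or a truncated path. */
int build_module_path(const char *type, const char *name,
                      char *out, size_t outlen)
{
    if (!module_name_ok(type) || !module_name_ok(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s_%s.la", MODULE_DIR, type, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: two plain names, the traversal case, an empty name. */
    const char *samples[] = { "alsa", "/../X", "", "oss" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_module_path("output", samples[i], path, sizeof path) == 0)
            printf("%-8s -> %s\n", samples[i], path); /* path for lt_dlopen() */
        else
            printf("%-8s -> rejected\n", samples[i]);
    }
    return 0;
}
```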




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#572920; Package mpg123. (Mon, 08 Mar 2010 18:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Mon, 08 Mar 2010 18:18:03 GMT) Full text and rfc822 format available.

Message #26 received at 572920@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Michał Mirosław <mirq-deboogs@rere.qmqm.pl>, 572920@bugs.debian.org
Subject: Re: Bug#572920: #572920: mpg123 broken after libltdl3 upgrade
Date: Mon, 8 Mar 2010 19:16:05 +0100
merge 572920 561857
thanks

Hi!

On Mon, Mar 08, 2010 at 05:02:44PM +0100, Michał Mirosław wrote:
> I just verified that removing cve-2009-3736.patch from series file and
> rebuilding libltdl3 package fixes mpg123. That patch stops libltdl from
> looking in CWD for .la files and that breaks mpg123 module loading.
> 
> In case of mpg123 it does:
> 
> chdir("/usr/lib/mpg123");
> lt_dlopen("type_module.la");
> 
> BTW, when passing '-o /../X' mpg123 will happily lt_dlopen("type_/../X.la"),
> but that's another story.

This was also reported as #561857, and is fixed in unstable and testing
already. I'll see to get an update in stable as well. As a workaround, mpg123
can be started like this in the meantime:

LD_LIBRARY_PATH=/usr/lib/mpg123 mpg123

Regards,

Daniel.




Added tag(s) lenny. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Mon, 08 Mar 2010 20:03:03 GMT) Full text and rfc822 format available.

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. (Mon, 26 Apr 2010 19:57:08 GMT) Full text and rfc822 format available.

Notification sent to Touko Korpela <tkorpela@phnet.fi>:
Bug acknowledged by developer. (Mon, 26 Apr 2010 19:57:08 GMT) Full text and rfc822 format available.

Message #33 received at 572920-close@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 572920-close@bugs.debian.org
Subject: Bug#572920: fixed in mpg123 1.4.3-4lenny1
Date: Mon, 26 Apr 2010 19:53:00 +0000
Source: mpg123
Source-Version: 1.4.3-4lenny1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

libmpg123-0_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/libmpg123-0_1.4.3-4lenny1_amd64.deb
libmpg123-dev_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/libmpg123-dev_1.4.3-4lenny1_amd64.deb
mpg123-alsa_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/mpg123-alsa_1.4.3-4lenny1_amd64.deb
mpg123-esd_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/mpg123-esd_1.4.3-4lenny1_amd64.deb
mpg123-nas_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/mpg123-nas_1.4.3-4lenny1_amd64.deb
mpg123_1.4.3-4lenny1.diff.gz
  to main/m/mpg123/mpg123_1.4.3-4lenny1.diff.gz
mpg123_1.4.3-4lenny1.dsc
  to main/m/mpg123/mpg123_1.4.3-4lenny1.dsc
mpg123_1.4.3-4lenny1_amd64.deb
  to main/m/mpg123/mpg123_1.4.3-4lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Mar 2010 11:56:52 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libmpg123-dev mpg123-oss-i486 mpg123-oss-3dnow mpg123-esd mpg123-nas mpg123-alsa
Architecture: source amd64
Version: 1.4.3-4lenny1
Distribution: stable
Urgency: medium
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 libmpg123-0 - MPEG layer 1/2/3 audio decoder -- runtime library
 libmpg123-dev - MPEG layer 1/2/3 audio decoder -- development files
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-alsa - MPEG layer 1/2/3 audio player with ALSA support - dummy package
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support - dummy package
 mpg123-nas - MPEG layer 1/2/3 audio player with NAS support - dummy package
 mpg123-oss-3dnow - MPEG layer 1/2/3 audio player for 3DNow! machines - dummy package
 mpg123-oss-i486 - MPEG layer 1/2/3 audio player for i486 machines - dummy package
Closes: 572920
Changes: 
 mpg123 (1.4.3-4lenny1) stable; urgency=medium
 .
   * src/module.c: Backport upstream patch to fix regression in module
     loading when a libltdl with a fix for CVE-2009-3736 is in place.
     Closes: #572920

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuwjcQACgkQpOKIA4m/fiv5LQCdEPu6Wbj+roRnloodae9fqYOS
ZY0An0DSrRnTkX4eSmNwC3bb9AU3Caaq
=Ufu6
-----END PGP SIGNATURE-----





Forcibly Merged 572920 579466. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. (Wed, 28 Apr 2010 18:09:08 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions mpg123/1.6.2-1. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sun, 15 Aug 2010 13:12:02 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Sep 2010 07:31:03 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 20:42:48 2014; Machine Name: beach.debian.org
