Your message dated Mon, 11 Nov 2024 12:04:34 +0000
with message-id <e1tat9m-0016e4...@fasolo.debian.org>
and subject line Bug#1086443: fixed in mpg123 1.32.9-1
has caused the Debian Bug report #1086443,
regarding mpg123: CVE-2024-10573: buffer overflow involving "Frankenstein streams" in versions before 1.32.8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1086443: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086443
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpg123
Version: 0.59f-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: fixed -1 1.32.8-1

Forwarding this from
<https://www.openwall.com/lists/oss-security/2024/10/30/2>:

> There is a possible buffer overflow
> (writing of decoded PCM samples beyond allocated output buffer) for
> streams that change output properties together with certain usage of
> libmpg123. This needed seeking around in the stream (including scanning
> it before actual decoding) to trigger. So, your usual web radio stream
> as obvious attack vector is unlikely, as you won't seek around in it.
> If you do work with stream dumps, usage of MPG123_NO_FRANKENSTEIN or
> the --no-frankenstein option to the mpg123 application is a workaround
> to avoid the formerly dangerous situation in earlier mpg123 releases.
> This also means that mpg123 will not decode streams of concatenated
> files with either varying format or leading Info frames past the first
> track anymore.
…
> Exploitation of this is not trivial, but I cannot rule out the
> possibility of gaining code execution.
…
> Basically any version of mpg123 is affected by this, at least those
> that explicitly support so-called Frankenstein streams.

There is currently no CVE ID allocated.

    smcv

--- End Message ---
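For a defender triaging this report, the practical questions are whether the installed package already carries the upstream fix (1.32.8, per the bug's control line) and, if not, whether the workaround the advisory names applies. The following shell script is an added example, not part of the bug mail or of the mpg123 project; it assumes Debian-style version strings of the form `[epoch:]upstream-revision` and the package names `libmpg123-0` and `mpg123`.

```shell
#!/bin/sh
# Added example (not part of the Debian bug mail or of mpg123 itself):
# report whether installed mpg123 packages predate the upstream fix for
# CVE-2024-10573 and print the workaround named in the advisory if they do.
set -u

# Upstream release that fixes CVE-2024-10573, per the bug's control line.
FIXED_VERSION="1.32.8"

# Strip a Debian epoch ("1:") and revision ("-1") to get the upstream version.
upstream_version() {
    v=${1#*:}        # drop epoch, if any
    v=${v%%-*}       # drop Debian revision, if any
    printf '%s\n' "$v"
}

# Compare two dotted numeric versions; prints -1, 0 or 1 like strcmp.
# Non-numeric suffixes within a component ("8~rc1") are ignored.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when a Debian package version string carries the fix.
mpg123_is_fixed() {
    [ "$(vercmp "$(upstream_version "$1")" "$FIXED_VERSION")" -ge 0 ]
}

# Report one package; the version is passed in so this also works with a
# version string obtained some other way (e.g. from an inventory export).
report_package() {
    pkg=$1; ver=$2
    if mpg123_is_fixed "$ver"; then
        printf '%s %s: includes the CVE-2024-10573 fix (>= %s)\n' "$pkg" "$ver" "$FIXED_VERSION"
    else
        printf '%s %s: AFFECTED, upgrade; until then use "mpg123 --no-frankenstein" on\n' "$pkg" "$ver"
        printf '  stream dumps, or set MPG123_NO_FRANKENSTEIN in libmpg123 users\n'
    fi
}

# Only query dpkg where it exists (Debian and derivatives); package names assumed.
if command -v dpkg-query >/dev/null 2>&1; then
    for pkg in libmpg123-0 mpg123; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        report_package "$pkg" "$ver"
    done
fi
```

The workaround is exactly the one quoted from the advisory: the `--no-frankenstein` option for the command-line player, and the `MPG123_NO_FRANKENSTEIN` flag for programs linking libmpg123 (set through the library's flag parameter, `mpg123_param` with `MPG123_ADD_FLAGS`). As the advisory notes, it also stops decoding of concatenated files whose format changes past the first track, so it is a stopgap until the package is at 1.32.8 or later, not a permanent setting.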
--- Begin Message ---
Source: mpg123
Source-Version: 1.32.9-1
Done: Reinhard Tartler <siret...@tauware.de>

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Nov 2024 06:46:18 -0500
Source: mpg123
Architecture: source
Version: 1.32.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 1086443
Changes:
 mpg123 (1.32.9-1) unstable; urgency=medium
 .
   * New upstream release
     Fixes: CVE-2024-10573, Closes: #1086443
Checksums-Sha1:
 f65abd6411a60cc58deaa4db519bfe1ef6bab4fb 2779 mpg123_1.32.9-1.dsc
 25aea7c5edfe6bc637f603c075210c13955200fe 1118388 mpg123_1.32.9.orig.tar.bz2
 6b7c8a12749a327682b1ca3b1932e4b8948ca2bd 833 mpg123_1.32.9.orig.tar.bz2.asc
 bd75338370cb36dd6ff6588325021afa8a8571f6 25464 mpg123_1.32.9-1.debian.tar.xz
Checksums-Sha256:
 f561f6eb35e6d37e8fc3e0c57b1dd5cc95736c84554b6bf1fb77fc8f8b44225d 2779 mpg123_1.32.9-1.dsc
 03b61e4004e960bacf2acdada03ed94d376e6aab27a601447bd4908d8407b291 1118388 mpg123_1.32.9.orig.tar.bz2
 1750ee41607a0e85f845045c8f5d220d6972b90840eefe7e70e0aec6bf6d2965 833 mpg123_1.32.9.orig.tar.bz2.asc
 cf7b9ee62f9fd4f743063dcc3c2811e2c68a3ceb833f906def52ca08f610434a 25464 mpg123_1.32.9-1.debian.tar.xz
Files:
 a954dd7430048a1b101b261720328250 2779 sound optional mpg123_1.32.9-1.dsc
 8e2c4a7251aeb2eba89800d12218055a 1118388 sound optional mpg123_1.32.9.orig.tar.bz2
 1423b5decaecc277971c09e7e27a08be 833 sound optional mpg123_1.32.9.orig.tar.bz2.asc
 6c1cb212d0fceeae7e93c1623514a7b3 25464 sound optional mpg123_1.32.9-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---