Your message dated Fri, 15 Nov 2024 15:32:28 +0000
with message-id <e1tbyja-0046hh...@fasolo.debian.org>
and subject line Bug#1086443: fixed in mpg123 1.31.2-1+deb12u1
has caused the Debian Bug report #1086443,
regarding mpg123: CVE-2024-10573: buffer overflow involving "Frankenstein streams" in versions before 1.32.8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1086443: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086443
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpg123
Version: 0.59f-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: fixed -1 1.32.8-1

Forwarding this from
<https://www.openwall.com/lists/oss-security/2024/10/30/2>:

> There is possible buffer overflow
> (writing of decoded PCM samples beyond allocated output buffer) for
> streams that change output properties together with certain usage of
> libmpg123. This needed seeking around in the stream (including scanning
> it before actual decoding) to trigger. So, your usual web radio stream
> as obvious attack vector is unlikely, as you won't seek around in it.
> If you do work with stream dumps, usage of MPG123_NO_FRANKENSTEIN or
> the --no-frankenstein option to the mpg123 application is a workaround
> to avoid the formerly dangerous situation in earlier mpg123 releases.
> This also means that mpg123 will not decode streams of concatenated
> files with either varying format or leading Info frames past the first
> track anymore.
…
> Exploitation of this is not trivial, but I cannot rule out the
> possibility of gaining code execution.
…
> Basically any version of mpg123 is affected by this, at least those
> that explicitly support so-called Frankenstein streams.

There is currently no CVE ID allocated.

    smcv

--- End Message ---
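As an added illustration (not code from the oss-security post, the Debian report or the mpg123 sources), the following C program models what the quoted text calls a Frankenstein stream and why a fixed-size PCM output buffer is a problem for one. It parses MPEG Layer III frame headers from a byte buffer, records each frame's output sample rate and channel count, reports the first frame whose output format differs from frame 0, and compares the PCM bytes each frame decodes to against a buffer sized from frame 0 alone. The three-frame input is constructed inline (zero-filled bodies under real headers). The scanner handles Layer III only and does not skip ID3 tags or Info frames; the "buffer sized from the first frame" model is an assumption about the bug class, not a description of libmpg123's internals or of the exact seek-and-scan conditions the post says are needed to trigger the overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Output properties of one MPEG Layer III frame. */
typedef struct {
    size_t offset;      /* byte offset of the frame header in the stream */
    size_t frame_bytes; /* compressed frame length including the header */
    int    rate;        /* output sample rate in Hz */
    int    channels;    /* 1 (mono) or 2 */
    int    samples;     /* PCM samples per channel in this frame */
} frame_info;

/* Layer III bitrate tables in kbit/s, indexed by the 4-bit bitrate field. */
static const int kbps_mpeg1_l3[16] = {0,32,40,48,56,64,80,96,112,128,160,192,224,256,320,0};
static const int kbps_mpeg2_l3[16] = {0,8,16,24,32,40,48,56,64,80,96,112,128,144,160,0};
/* Sample rates indexed by [version field][sample-rate field]. */
static const int rates[4][4] = {
    {11025, 12000, 8000, 0},  /* 00: MPEG 2.5 */
    {0, 0, 0, 0},             /* 01: reserved */
    {22050, 24000, 16000, 0}, /* 10: MPEG 2 */
    {44100, 48000, 32000, 0}, /* 11: MPEG 1 */
};

/* Parse the 4-byte header at p (stream offset off). Returns 1 on a valid Layer III header. */
static int parse_header(const uint8_t *p, size_t off, frame_info *fi)
{
    if (p[0] != 0xFF || (p[1] & 0xE0) != 0xE0) return 0;   /* 11-bit frame sync */
    int version = (p[1] >> 3) & 3, layer = (p[1] >> 1) & 3;
    int brx = p[2] >> 4, srx = (p[2] >> 2) & 3, padding = (p[2] >> 1) & 1;
    int mode = p[3] >> 6;
    if (version == 1 || layer != 1 || brx == 0 || brx == 15 || srx == 3) return 0;
    int mpeg1 = (version == 3);
    int kbps = mpeg1 ? kbps_mpeg1_l3[brx] : kbps_mpeg2_l3[brx];
    fi->offset   = off;
    fi->rate     = rates[version][srx];
    fi->channels = (mode == 3) ? 1 : 2;
    fi->samples  = mpeg1 ? 1152 : 576;
    /* Layer III frame size: (samples/8) * bitrate / rate, plus one padding byte. */
    fi->frame_bytes = (size_t)((fi->samples / 8) * (kbps * 1000) / fi->rate) + padding;
    return 1;
}

/* PCM bytes this frame decodes to as 16-bit interleaved samples. */
static size_t pcm_bytes(const frame_info *fi)
{
    return (size_t)fi->samples * fi->channels * sizeof(int16_t);
}

/* Walk the stream frame by frame, resyncing byte-wise on bad headers. Returns frames found. */
static size_t scan_frames(const uint8_t *buf, size_t len, frame_info *frames, size_t max)
{
    size_t n = 0, off = 0;
    while (off + 4 <= len && n < max) {
        frame_info fi;
        if (!parse_header(buf + off, off, &fi)) { off++; continue; }
        if (off + fi.frame_bytes > len) break;           /* truncated final frame */
        frames[n++] = fi;
        off += fi.frame_bytes;
    }
    return n;
}

/* Index of the first frame whose output format differs from frame 0, or -1 if the stream is uniform. */
static long first_format_change(const frame_info *frames, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (frames[i].rate != frames[0].rate || frames[i].channels != frames[0].channels)
            return (long)i;
    return -1;
}

/* Model (an assumption, not libmpg123's logic): a consumer that sizes its PCM buffer from
 * frame 0 and never re-checks. Reports that capacity, the largest per-frame output seen,
 * and whether a bounds-unchecked write would overflow. */
static int would_overflow(const frame_info *frames, size_t n, size_t *fixed_cap, size_t *needed)
{
    *fixed_cap = n ? pcm_bytes(&frames[0]) : 0;
    *needed = 0;
    for (size_t i = 0; i < n; i++)
        if (pcm_bytes(&frames[i]) > *needed) *needed = pcm_bytes(&frames[i]);
    return *needed > *fixed_cap;
}

/* Constructed input: two MPEG-2 Layer III frames (64 kbit/s, 22050 Hz, mono, 208 bytes)
 * followed by one MPEG-1 Layer III frame (128 kbit/s, 44100 Hz, stereo, 417 bytes).
 * Bodies are zero-filled; only the headers matter to this scanner. Returns stream length. */
static size_t build_frankenstein(uint8_t *out, size_t cap)
{
    static const uint8_t hdr_mpeg2_mono[4]   = {0xFF, 0xF3, 0x80, 0xC0};
    static const uint8_t hdr_mpeg1_stereo[4] = {0xFF, 0xFB, 0x90, 0x00};
    const uint8_t *hdrs[3] = {hdr_mpeg2_mono, hdr_mpeg2_mono, hdr_mpeg1_stereo};
    const size_t lens[3] = {208, 208, 417};
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        if (off + lens[i] > cap) return 0;
        memset(out + off, 0, lens[i]);
        memcpy(out + off, hdrs[i], 4);
        off += lens[i];
    }
    return off;
}

int main(void)
{
    uint8_t stream[1024];
    frame_info frames[16];
    size_t cap, need;
    size_t len = build_frankenstein(stream, sizeof stream);
    size_t n = scan_frames(stream, len, frames, 16);
    long change = first_format_change(frames, n);
    int bad = would_overflow(frames, n, &cap, &need);
    printf("%zu frames; first output-format change at frame %ld\n", n, change);
    printf("PCM buffer sized from frame 0: %zu bytes; largest frame needs %zu bytes: %s\n",
           cap, need, bad ? "overflow without a bounds check" : "fits");
    return bad ? 1 : 0;
}
```

To run it over a real dump, read the file into `stream` in place of `build_frankenstein`. A non-negative result from `first_format_change` marks the kind of concatenated input that `--no-frankenstein` (or `MPG123_NO_FRANKENSTEIN` in libmpg123) makes mpg123 stop decoding at rather than follow into the new format.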
--- Begin Message ---
Source: mpg123
Source-Version: 1.31.2-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1086...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Nov 2024 16:26:42 +0100
Source: mpg123
Architecture: source
Version: 1.31.2-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1086443
Changes:
 mpg123 (1.31.2-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix buffer overflow (Frankenstein's Monster) (CVE-2024-10573)
     (Closes: #1086443)
Checksums-Sha1: 
 f72cc4b128c40446dabd6c9876d78f9000b107ba 2789 mpg123_1.31.2-1+deb12u1.dsc
 47c76d468261da20a8894656d3cd71456a92624a 1093881 mpg123_1.31.2.orig.tar.bz2
 7d2cd7c71a80a48b577b56c6689e4117a987c7a1 833 mpg123_1.31.2.orig.tar.bz2.asc
 cf9239c2ffa5cc49a2ad5a54714218722cdee3f0 33620 mpg123_1.31.2-1+deb12u1.debian.tar.xz
Checksums-Sha256: 
 a67b2daf33ecf2d2a720e0cd721ac44828f1edee644abac34d8022819abbbb1a 2789 mpg123_1.31.2-1+deb12u1.dsc
 b17f22905e31f43b6b401dfdf6a71ed11bb7d056f68db449d70b9f9ae839c7de 1093881 mpg123_1.31.2.orig.tar.bz2
 c5626e0dfba78b7e5766616ad5acc90e6729510ab0d86276a25ee46bef96902a 833 mpg123_1.31.2.orig.tar.bz2.asc
 9fc7eeeb4be67525fb7901022955b646832f095499612672ad7c24a1b3303599 33620 mpg123_1.31.2-1+deb12u1.debian.tar.xz
Files: 
 d6cadf17985486269b61b2d64d998702 2789 sound optional mpg123_1.31.2-1+deb12u1.dsc
 7aa9b41b70826fe8edd743202e488433 1093881 sound optional mpg123_1.31.2.orig.tar.bz2
 a64934fac9d7b0573da71e21337bb9d5 833 sound optional mpg123_1.31.2.orig.tar.bz2.asc
 66d247c1bda3f234e95e60de8a654755 33620 sound optional mpg123_1.31.2-1+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
