Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

Tue, 04 Oct 2016 04:04:05 -0700 

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

A security issue was reported against mpg123 in bug #838960. Since it
was marked no-DSA by the security team, it needs a normal jessie-pu
update to fix it in jessie.

The debdiff is attached. I've tested it on jessie against the testcase
provided in the upstream bug report (https://mpg123.org/bugs/240).

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog
--- mpg123-1.20.1/debian/changelog      2014-08-31 10:51:53.000000000 +0100
+++ mpg123-1.20.1/debian/changelog      2016-10-04 11:42:56.000000000 +0100
@@ -1,3 +1,10 @@
+mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 04 Oct 2016 11:42:56 +0100
+
 mpg123 (1.20.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 
mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
--- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch      
1970-01-01 01:00:00.000000000 +0100
+++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch      
2016-10-04 11:41:20.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix DoS with crafted ID3v2 tags
+Author: Thomas Orgis <thomas-fo...@orgis.org>
+Bug: https://sourceforge.net/p/mpg123/bugs/240/
+Bug-Debian: https://bugs.debian.org/838960
+Applied-Upstream: 1.23.8
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/libmpg123/id3.c
++++ b/src/libmpg123/id3.c
+@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns
+                                       unsigned long fflags; /* need 16 bits, 
actually */
+                                       id[4] = 0;
+                                       /* pos now advanced after ext head, now 
a frame has to follow */
+-                                      while(tagpos < length-10) /* I want to 
read at least a full header */
++                                      while(length >= 10 && tagpos < 
length-10) /* I want to read at least a full header */
+                                       {
+                                               int i = 0;
+                                               unsigned long pos = tagpos;
diff -Nru mpg123-1.20.1/debian/patches/series 
mpg123-1.20.1/debian/patches/series
--- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.000000000 +0100
+++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.000000000 +0100
@@ -1 +1,2 @@
 0001-disable_not_public_funcs.patch
+0002-dos-crafted-id3v2-tags.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to