Your message dated Wed, 12 Oct 2016 22:17:49 +0000
with message-id <e1burqp-000224...@franck.debian.org>
and subject line Bug#838960: fixed in mpg123 1.20.1-2+deb8u1
has caused the Debian Bug report #838960,
regarding mpg123: CVE-2016-1000247: denial of service with crafted id3v2 tags
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpg123

This is mpg123 upstream formally informing you of a vulnerability (crash on illegal memory read) in all mpg123 versions since 0.60, so very likely all Debian versions of mpg123 and libmpg123 are affected. See more detail at http://mpg123.org/bugs/240 .

A one-line fix for any version is this:

    perl -pi -e 's:(while\()(tagpos < length-10\)):${1}length >= 10 && $2:' $(find src -name id3.c)

Alrighty then,

Thomas
--- End Message ---
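
An added example, not part of the original message or of mpg123's code: it contrasts the loop condition the substitution above matches with the one it produces. It assumes `length` and `tagpos` are unsigned (`unsigned long` and `size_t`) and a simplified 10-byte frame header; `guard_before`, `guard_after`, `walk_frames` and the sample tag are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>

#define HDR 10 /* assumed frame header: 4-byte id, 4-byte size, 2-byte flags */

typedef int (*guard_fn)(size_t tagpos, unsigned long length);

/* Loop condition the substitution matches: while(tagpos < length-10) */
static int guard_before(size_t tagpos, unsigned long length)
{
    return tagpos < length - 10; /* length < 10 wraps to a huge unsigned bound */
}

/* Loop condition the substitution produces. */
static int guard_after(size_t tagpos, unsigned long length)
{
    return length >= 10 && tagpos < length - 10;
}

/* Count frames in tag[0..length). Returns -1 where the guard admits a header
 * read past the end of the tag; that read is reported here, never performed. */
static int walk_frames(const unsigned char *tag, unsigned long length, guard_fn guard)
{
    size_t tagpos = 0;
    int frames = 0;

    while (guard(tagpos, length)) {
        if (tagpos + HDR > length)
            return -1;
        const unsigned char *h = tag + tagpos;
        unsigned long size = ((unsigned long)h[4] << 24) | ((unsigned long)h[5] << 16)
                           | ((unsigned long)h[6] << 8) | h[7];
        tagpos += HDR + size;
        frames++;
    }
    return frames;
}

/* Constructed sample: one "TIT2" frame header followed by a 10-byte body. */
static const unsigned char sample_tag[20] = {
    'T','I','T','2', 0,0,0,10, 0,0,  0,'s','a','m','p','l','e',0,0,0
};

int main(void)
{
    printf("length 4, before: %d\n", walk_frames(sample_tag, 4, guard_before));
    printf("length 4, after:  %d\n", walk_frames(sample_tag, 4, guard_after));
    return 0;
}
```

Both guards agree on the full 20-byte tag; they differ only when the declared length is below the header size.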
--- Begin Message ---
Source: mpg123
Source-Version: 1.20.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 838...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 04 Oct 2016 11:42:56 +0100
Source: mpg123
Binary: mpg123 libmpg123-0 libmpg123-dev
Architecture: source
Version: 1.20.1-2+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 mpg123 - MPEG layer 1/2/3 audio player
Closes: 838960
Changes:
 mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
 .
   * Team upload.
   * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
--- End Message ---