Your message dated Mon, 28 Apr 2014 19:49:03 +0000
with message-id <e1werxz-00088d...@franck.debian.org>
and subject line Bug#729275: fixed in libmpeg3 1.5.4-5.1
has caused the Debian Bug report #729275,
regarding mpeg3-utils: bufferoverflow in mpeg3cat
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
729275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpeg3-utils
Version: 1.5.4-5
Severity: grave
Tags: security
Justification: user security hole

mpeg3cat has a buffer overflow vulnerability. A PoC file is attached.

gdb --args /usr/bin/mpeg3cat foo.mp3

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)




-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mpeg3-utils depends on:
ii  libc6       2.13-38
ii  libmpeg3-1  1.5.4-5

mpeg3-utils recommends no packages.

mpeg3-utils suggests no packages.

-- no debconf information

Attachment: foo.mp3
Description: audio/mpeg


--- End Message ---
--- Begin Message ---
Source: libmpeg3
Source-Version: 1.5.4-5.1

We believe that the bug you reported is fixed in the latest version of
libmpeg3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Johannes Brandstätter <jbran...@2ds.eu> (supplier of updated libmpeg3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 26 Apr 2014 21:13:35 +0200
Source: libmpeg3
Binary: mpeg3-utils libmpeg3-1 libmpeg3-dev
Architecture: source amd64
Version: 1.5.4-5.1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Johannes Brandstätter <jbran...@2ds.eu>
Description: 
 libmpeg3-1 - MPEG streams decoding library
 libmpeg3-dev - Headers and static libraries for libMPEG3
 mpeg3-utils - MPEG streams decoding library
Closes: 729275
Changes: 
 libmpeg3 (1.5.4-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix stack overflow in read_toc. (Closes: #729275)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
