Your message dated Tue, 04 Oct 2016 10:00:14 +0000
with message-id <e1brmwe-0002eu...@franck.debian.org>
and subject line Bug#838960: fixed in mpg123 1.23.8-1
has caused the Debian Bug report #838960,
regarding denial of service with crafted id3v2 tags in all mpg123 versions 
since 0.60
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
838960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mpg123

This is mpg123 upstream formally informing you of a vulnerability
(crash on illegal memory read) in all mpg123 versions since 0.60, so
very likely all debian versions of mpg123 and libmpg123 are affected.

See more detail at http://mpg123.org/bugs/240 . A one-line fix for any
version is this:

        perl -pi -e 's:(while\()(tagpos < length-10\)):${1}length >= 10 && $2:' $(find src -name id3.c)


Alrighty then,

Thomas



--- End Message ---
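
Why the added `length >= 10` test in the one-line fix matters, as an added C example (not mpg123 source and not part of the original message). It assumes `length` and `tagpos` are unsigned, which the message does not state, and uses a hypothetical simplified walker `walk_frames` over an ID3v2.3-style frame layout (4-byte id, 4-byte big-endian size, 2 flag bytes) that flags the out-of-range header read instead of performing it.

```c
#include <stdio.h>

/* Outcome of one walk: frames parsed, and whether the loop reached a point
 * where the 10-byte frame header would lie outside the tag body. */
struct walk { unsigned frames; int oob; };

/* Constructed inputs: a 3-byte body, and one TIT2 frame with 3 payload bytes. */
static const unsigned char SHORT_BODY[3] = {'T', 'I', 'T'};
static const unsigned char ONE_FRAME[13] =
    {'T', 'I', 'T', '2', 0, 0, 0, 3, 0, 0, 0, 'h', 'i'};

/* Hypothetical simplified walker, not mpg123 source. guarded != 0 selects
 * the loop condition produced by the one-line fix. */
static struct walk walk_frames(const unsigned char *body, unsigned long length,
                               int guarded)
{
    struct walk w = {0, 0};
    unsigned long tagpos = 0;

    /* Unsigned arithmetic: for length < 10, length - 10 wraps to a huge
     * value, so the unguarded comparison is true and the body runs. */
    while ((!guarded || length >= 10) && tagpos < length - 10) {
        if (length < 10 || tagpos > length - 10) {
            w.oob = 1;   /* a real parser would read past the buffer here */
            break;
        }
        if (body[tagpos] == 0) break;                 /* padding */
        unsigned long fsize = ((unsigned long)body[tagpos + 4] << 24)
                            | ((unsigned long)body[tagpos + 5] << 16)
                            | ((unsigned long)body[tagpos + 6] << 8)
                            |  (unsigned long)body[tagpos + 7];
        if (fsize > length - tagpos - 10) break;      /* frame overruns body */
        w.frames++;
        tagpos += 10 + fsize;
    }
    return w;
}

int main(void)
{
    struct walk a = walk_frames(SHORT_BODY, sizeof SHORT_BODY, 0);
    struct walk b = walk_frames(SHORT_BODY, sizeof SHORT_BODY, 1);
    struct walk c = walk_frames(ONE_FRAME, sizeof ONE_FRAME, 1);
    printf("unguarded short: frames=%u oob=%d\n", a.frames, a.oob);
    printf("guarded   short: frames=%u oob=%d\n", b.frames, b.oob);
    printf("guarded   valid: frames=%u oob=%d\n", c.frames, c.oob);
    return 0;
}
```

The guard changes nothing for well-formed bodies of 10 bytes or more; it only stops the loop from being entered when the subtraction would wrap.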
--- Begin Message ---
Source: mpg123
Source-Version: 1.23.8-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Sep 2016 19:19:03 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev
Architecture: source amd64
Version: 1.23.8-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library)
 mpg123     - MPEG layer 1/2/3 audio player
Closes: 838960
Changes:
 mpg123 (1.23.8-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     - Fixes DoS with crafted ID3v2 tags. (Closes: #838960)
   * debian/{control,libout123*}: Add new libout123-0 package.
   * debian/libmpg123-0.symbols*: Add new symbols.
   * debian/patches: Refreshed.
   * debian/control:
     - Update Vcs-*.
     - Bump Standards Version
   * debian/copyright: Update copyright years.

--- End Message ---
