Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #839731, regarding jessie-pu: package mpg123/1.20.1-2+deb8u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
839731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

A security issue was reported against mpg123 in bug #838960. Since it was marked no-DSA by the security team, it needs a normal jessie-pu update to fix it in jessie.

The debdiff is attached. I've tested it on jessie against the testcase provided in the upstream bug report (https://mpg123.org/bugs/240).

Thanks,
James

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog --- mpg123-1.20.1/debian/changelog 2014-08-31 10:51:53.000000000 +0100 +++ mpg123-1.20.1/debian/changelog 2016-10-04 11:42:56.000000000 +0100 @@ -1,3 +1,10 @@ +mpg123 (1.20.1-2+deb8u1) jessie; urgency=high + + * Team upload. + * Fix DoS with crafted ID3v2 tags. (Closes: #838960) + + -- James Cowgill <jcowg...@debian.org> Tue, 04 Oct 2016 11:42:56 +0100 + mpg123 (1.20.1-2) unstable; urgency=medium * Team upload. diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch --- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 1970-01-01 01:00:00.000000000 +0100 +++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 2016-10-04 11:41:20.000000000 +0100 
@@ -0,0 +1,18 @@ +Description: Fix DoS with crafted ID3v2 tags +Author: Thomas Orgis <thomas-fo...@orgis.org> +Bug: https://sourceforge.net/p/mpg123/bugs/240/ +Bug-Debian: https://bugs.debian.org/838960 +Applied-Upstream: 1.23.8 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/libmpg123/id3.c ++++ b/src/libmpg123/id3.c +@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns + unsigned long fflags; /* need 16 bits, actually */ + id[4] = 0; + /* pos now advanced after ext head, now a frame has to follow */ +- while(tagpos < length-10) /* I want to read at least a full header */ ++ while(length >= 10 && tagpos < length-10) /* I want to read at least a full header */ + { + int i = 0; + unsigned long pos = tagpos; diff -Nru mpg123-1.20.1/debian/patches/series mpg123-1.20.1/debian/patches/series --- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.000000000 +0100 +++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.000000000 +0100 @@ -1 +1,2 @@ 0001-disable_not_public_funcs.patch +0002-dos-crafted-id3v2-tags.patchsignature.asc
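Review bot: In the src/libmpg123/id3.c hunk, the new `length >= 10 &&` guard on the while condition carries the whole fix, yet neither the code comment nor the DEP-3 Description says why it is there. The condition still computes `length-10`, and the visible context treats the position counters as `unsigned long` (`unsigned long pos = tagpos;`), so if `length` is unsigned as well, the subtraction wraps to a very large value for a tag body shorter than 10 bytes and the loop is entered with no full frame header left to read. Please extend the existing comment ("I want to read at least a full header") with a short remark that the guard prevents that wrap, or add a sentence to the patch Description, so a later cleanup does not drop the check as redundant. The declaration of `length` is cut off in the hunk header (`uns`), so its type should be confirmed against the full source before the comment is worded.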
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7 point release.

Regards,

Adam
--- End Message ---