Processed: Re: Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-04-13 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + pending
Bug #742161 [release.debian.org] wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Added tag(s) pending.

-- 
742161: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742161
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/handler.s.b742161.13974080621031.transcr...@bugs.debian.org



Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2014-04-12 at 22:17 +0100, Simon McVittie wrote:
> On 01/04/14 21:48, Adam D. Barratt wrote:
> > On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote:
> > > mp3gain, an implementation of ReplayGain volume normalization, contains
> > > a very old modified version of mpglib, an MPEG audio decoder maintained
> > > as part of mpg123.
> ...
> > Please go ahead; thanks.
> 
> Uploaded. Sorry for the delay, my test environment for it was rather
> awkward (I didn't want to try suspicious exploits in a network-connected
> environment, when there was a possibility they might still work). No
> changes other than the changelog.

Thanks; flagged for acceptance.

> Would you be interested in a squeeze update? The patches appear to be
> the same, apart from some end-of-line \r adjustments to make them apply.
> A possible debdiff is attached; so far its status is "compiles in
> sbuild, but untested". I would of course test it on a squeeze system
> with all the mpg123 exploits I've been able to find before uploading.

If the issues still affect squeeze, I'd be happy to look at fixing them
there. Please could you open a separate bug for that when you're ready,
so that we can track the status of the uploads separately?

Regards,

Adam


-- 
Archive: 
https://lists.debian.org/1397408053.24647.24.ca...@jacala.jungle.funky-badger.org



Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-04-12 Thread Simon McVittie
On 01/04/14 21:48, Adam D. Barratt wrote:
> On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote:
>> mp3gain, an implementation of ReplayGain volume normalization, contains
>> a very old modified version of mpglib, an MPEG audio decoder maintained
>> as part of mpg123.
...
> Please go ahead; thanks.

Uploaded. Sorry for the delay, my test environment for it was rather
awkward (I didn't want to try suspicious exploits in a network-connected
environment, when there was a possibility they might still work). No
changes other than the changelog.

Would you be interested in a squeeze update? The patches appear to be
the same, apart from some end-of-line \r adjustments to make them apply.
A possible debdiff is attached; so far its status is "compiles in
sbuild, but untested". I would of course test it on a squeeze system
with all the mpg123 exploits I've been able to find before uploading.

S

diffstat for mp3gain_1.5.1-4 mp3gain_1.5.1-4+deb6u1

 debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch |   32 ++
 debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch |   47 ++
 debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch |   33 +++
 debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch |   30 ++
 debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch |   36 +++
 debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch |   27 +
 mp3gain-1.5.1/debian/changelog  |   12 ++
 mp3gain-1.5.1/debian/patches/00list |6 +
 8 files changed, 223 insertions(+)

diff -u mp3gain-1.5.1/debian/changelog mp3gain-1.5.1/debian/changelog
--- mp3gain-1.5.1/debian/changelog
+++ mp3gain-1.5.1/debian/changelog
@@ -1,3 +1,15 @@
+mp3gain (1.5.1-4+deb6u1) squeeze; urgency=high
+
+  * Add various patches from Daniel Kobras' mpg123 packaging to fix
+buffer overflows in the embedded copy/fork of mpglib
+- CVE-2003-0577 (originally #201698 in mpg123)
+- CVE-2004-0805 (originally #270542 in mpg123)
+- CVE-2004-0991
+- CVE-2006-1655 (originally #361863 in mpg123)
+(Closes: #740268)
+
+ -- Simon McVittie s...@debian.org  Wed, 19 Mar 2014 09:19:58 +
+
 mp3gain (1.5.1-4) unstable; urgency=low
 
   * Fix various potential segfaults found by cppcheck.
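Review bot: the timestamp `Wed, 19 Mar 2014 09:19:58` is the same one used in the wheezy entry, although this squeeze package accompanies a mail sent on 2014-04-12; regenerate the date with dch at upload time so the changelog and the upload agree. The attribution `patches from Daniel Kobras' mpg123 packaging` also undersells the sources: 0015 below records `Origin: vendor, Connectiva`, and the wheezy 0012 combines Kobras' fix with upstream mpg123 0.61, so "patches from Debian's mpg123 packaging and from upstream mpg123" would be more accurate.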
diff -u mp3gain-1.5.1/debian/patches/00list mp3gain-1.5.1/debian/patches/00list
--- mp3gain-1.5.1/debian/patches/00list
+++ mp3gain-1.5.1/debian/patches/00list
@@ -10,0 +11,6 @@
+0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch
+0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch
+0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch
+0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch
+0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch
+0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
+++ mp3gain-1.5.1/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie s...@debian.org
+Date: Sun, 16 Mar 2014 22:21:26 +
+Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality
+
+Author: Daniel Kobras
+Origin: vendor, Debian (mpg123/0.59r-14)
+---
+ mpglibDBL/mpg123.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h
+index 691eb9c..08bd217 100644
+--- a/mpglibDBL/mpg123.h
 b/mpglibDBL/mpg123.h
+@@ -61,7 +61,7 @@ char *strchr (), *strrchr ();
+ #define MPG_MD_DUAL_CHANNEL 2
+ #define MPG_MD_MONO 3
+ 
+-#define MAXFRAMESIZE 1792
++#define MAXFRAMESIZE 3456
+ 
+ /* AF: ADDED FOR LAYER1/LAYER2 */
+ #define SCALE_BLOCK 12
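Review bot: the description gives no derivation for 3456, only that it is "much closer to reality", so a reader cannot check that every legal frame still fits in a MAXFRAMESIZE buffer; state how the bound was arrived at, or cite the mpg123 0.59r-14 change it was copied from (`Origin` names the package but not the reasoning). Since 0014 copies frame-size checking from mpg123, the description should also say whether those checks compare against MAXFRAMESIZE, because the two patches only close the overflow together if they agree on the limit.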
only in patch2:
unchanged:
--- mp3gain-1.5.1.orig/debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch
+++ mp3gain-1.5.1/debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+
+From: Simon McVittie s...@debian.org
+Date: Sun, 16 Mar 2014 21:55:22 +
+Subject: CVE-2003-0577: common.c:  is also an invalid bit rate
+
+According to Daniel Kobras on #201698, this patch is unnecessary...
+but it seems better to be careful, since our mpglib is not quite
+the same as the one in mpg123.
+
+Origin: vendor, Connectiva
+See-also: http://lwn.net/Alerts/39916/
+See-also: http://www.securityfocus.com/bid/6629
+See-also: http://www.securityfocus.com/archive/1/306903
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698
+---
+ mpglibDBL/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff 
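Review bot: the subject line reads `CVE-2003-0577: common.c:  is also an invalid bit rate` with nothing between the colon and `is`, so the value being rejected is not stated; name the bit-rate index explicitly in the subject and description, since the description itself says the patch may be unnecessary for this fork and a reviewer needs to see what it rejects to judge that. The file is also cut off after `+diff` in this copy, so the actual common.c change (2 insertions, 2 deletions per the stat) could not be reviewed here; please make sure the attachment on the bug carries the complete patch.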

Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-04-01 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote:
> mp3gain, an implementation of ReplayGain volume normalization, contains
> a very old modified version of mpglib, an MPEG audio decoder maintained
> as part of mpg123.
[...]
> The security team asked me to handle this as a stable update.
> I have opened a serious bug against mp3gain (#742111) and removed it
> from testing (#742112), because I don't think it should be in Debian 8.

Please go ahead; thanks.

Regards,

Adam


-- 
Archive: 
https://lists.debian.org/1396385309.4155.21.ca...@jacala.jungle.funky-badger.org



Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-03-21 Thread Simon McVittie
On Thu, 20 Mar 2014 at 01:06:20 +0100, Cyril Brulebois wrote:
> Simon McVittie s...@debian.org (2014-03-19):
> > A proposed debdiff is attached.
> 
> No it's not.

Sorry about that. I realised that just after I sent the message, and sent
a follow-up that does include it, which you might not have seen:
https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=mp3gain-wheezy.diff;att=1;bug=742161

(Again, I prepared that package with a security update in mind;
I'll change wheezy-security to wheezy in what I upload.)

Regards,
S


-- 
Archive: 
https://lists.debian.org/20140321091517.ga4...@reptile.pseudorandom.co.uk



Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-03-19 Thread Simon McVittie
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

mp3gain, an implementation of ReplayGain volume normalization, contains
a very old modified version of mpglib, an MPEG audio decoder maintained
as part of mpg123.

Gustavo Grieco reported a buffer overflow in this mpglib fork (#740268),
which he suspects can be exploited for arbitrary code execution if a
user runs mp3gain on crafted input. While researching the situation, I
found several old vulnerabilities in mpg123 which seem to be
applicable to mp3gain's copy (CVE-2003-0577, CVE-2004-0805,
CVE-2004-0991, CVE-2006-1655); the vulnerability that Gustavo found
appears to be one of those.

Some of those CVEs might not actually be exploitable in mp3gain - a
couple of them are specific to MPEG layer 2, which it refuses to analyze
anyway - but it seemed safer to patch them all.

The security team asked me to handle this as a stable update.
I have opened a serious bug against mp3gain (#742111) and removed it
from testing (#742112), because I don't think it should be in Debian 8.

Exploits which might be useful for testing, none of which appear to have
any effect on the patched mp3gain in a wheezy VM:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=PoC.mp3;att=1;bug=740268
 (Gustavo's proof-of-concept)

http://www.exploit-db.com/exploits/1634/

http://www.exploit-db.com/exploits/22147/

A proposed debdiff is attached. I'll change wheezy-security to wheezy
for the stable upload - I prepared it before I got an answer from the security
team.

I haven't tested a squeeze update yet; I expect that it would look
remarkably similar. Let me know if you'd like me to prepare one of those.

Regards,
S


-- 
Archive: 
https://lists.debian.org/20140319235441.ga28...@reptile.pseudorandom.co.uk



Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-03-19 Thread Simon McVittie
On Wed, 19 Mar 2014 at 23:54:41 +, Simon McVittie wrote:
> A proposed debdiff is attached.

Sorry, it wasn't. Here it is.

S
diffstat for mp3gain-1.5.2-r2 mp3gain-1.5.2-r2

 changelog   |   12 ++
 patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch |   28 ++
 patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch |   43 ++
 patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch |   29 ++
 patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch |   26 ++
 patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.patch |   32 +++
 patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch |   23 +
 patches/series  |6 +
 8 files changed, 199 insertions(+)

diff -Nru mp3gain-1.5.2-r2/debian/changelog mp3gain-1.5.2-r2/debian/changelog
--- mp3gain-1.5.2-r2/debian/changelog	2011-11-10 15:27:35.0 +
+++ mp3gain-1.5.2-r2/debian/changelog	2014-03-19 09:22:48.0 +
@@ -1,3 +1,15 @@
+mp3gain (1.5.2-r2-2+deb7u1) wheezy-security; urgency=high
+
+  * Add various patches from Daniel Kobras' mpg123 packaging to fix
+buffer overflows in the embedded copy/fork of mpglib
+- CVE-2003-0577 (originally #201698 in mpg123)
+- CVE-2004-0805 (originally #270542 in mpg123)
+- CVE-2004-0991
+- CVE-2006-1655 (originally #361863 in mpg123)
+(Closes: #740268, hopefully)
+
+ -- Simon McVittie s...@debian.org  Wed, 19 Mar 2014 09:19:58 +
+
 mp3gain (1.5.2-r2-2) unstable; urgency=low
 
   [ Simon McVittie ]
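Review bot: the distribution field is `wheezy-security` but this is a proposed-updates upload, so it needs to be `wheezy` (the cover mail already says this will be changed; please regenerate the debdiff so that what is reviewed matches what is uploaded). `(Closes: #740268, hopefully)` is informal for a changelog that will close the bug unconditionally once the upload is accepted: either drop `hopefully` after confirming that the PoC from #740268 no longer triggers, which the cover mail says is the case in a wheezy VM, or leave #740268 open and close it by hand after testing.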
diff -Nru mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch
--- mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch	1970-01-01 01:00:00.0 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch	2014-03-19 09:22:48.0 +
@@ -0,0 +1,28 @@
+From: Simon McVittie s...@debian.org
+Date: Sun, 16 Mar 2014 20:52:15 +
+Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder
+
+Origin: vendor, Debian (mpg123/0.59r-18)
+Author: Daniel Kobras kob...@debian.org
+See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542
+See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471
+---
+ mpglibDBL/layer2.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c
+index 8f4e9e3..027cced 100644
+--- a/mpglibDBL/layer2.c
 b/mpglibDBL/layer2.c
+@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point)
+   fr-jsbound = (fr-mode == MPG_MD_JOINT_STEREO) ?
+  (fr-mode_ext2)+4 : fr-II_sblimit;
+ 
++  if (fr-jsbound  fr-II_sblimit) {
++fprintf(stderr, Truncating stereo boundary to sideband limit.\n);
++fr-jsbound=fr-II_sblimit;
++  }
++
+   if(stereo == 1 || single == 3)
+ single = 0;
+ 
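Review bot: the new check reads `if (fr-jsbound  fr-II_sblimit)` in this copy, with the comparison operator missing, so the direction of the clamp (`jsbound` greater than `II_sblimit`) cannot be confirmed from the debdiff alone; please verify it against the mpg123 0.59r-18 layer2.c named in `Origin` before upload. Clamping to `II_sblimit` with a warning rather than dropping the frame matches the mpg123 fix, but the `fprintf(stderr, ...)` runs once per malformed frame with no throttling, which is acceptable for a command-line tool like mp3gain and worth a sentence in the patch description.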
diff -Nru mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch
--- mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch	1970-01-01 01:00:00.0 +0100
+++ mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch	2014-03-19 09:22:48.0 +
@@ -0,0 +1,43 @@
+From: Simon McVittie s...@debian.org
+Date: Sun, 16 Mar 2014 21:00:31 +
+Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias()
+
+This combines two patches taken from mpg123: the original fix by Daniel
+Kobras, and extended fix for CVE-2006-1655 from upstream 0.61.
+
+Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61)
+Author: Daniel Kobras kob...@debian.org
+Author: thor
+Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863
+---
+ mpglibDBL/layer3.c | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c
+index 4016a2a..793857c 100644
+--- a/mpglibDBL/layer3.c
 b/mpglibDBL/layer3.c
+@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */
+  * and mode = mixed_mode 
+  */
+int sfb = gr_infos-maxbandl;
+-   int idx = bi-longIdx[sfb];
++   int idx;
++   if (sfb  21)
++ return;
++   idx = bi-longIdx[sfb];
+ 
+for ( ; sfb8; sfb++ )
+{
+@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */
+   else /* ((gr_infos-block_type != 2)) */
+   {
+ int sfb = gr_infos-maxbandl;
+-int is_p,idx = bi-longIdx[sfb];
++int is_p,idx;
++if (sfb  21)
++  return;
++idx = 
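Review bot: both hunks guard with a bare magic number, `if (sfb  21) return;` (operator missing in this copy), and the description does not say where 21 comes from; state that it bounds the index into `bi-longIdx[]` and where that table's size is defined, and put the same in a comment next to each check so the next person editing this fork does not raise or lower it blindly. The early `return` is also silent, unlike the warning printed in 0011, so a malformed frame leaves no trace in mp3gain's output; consider logging it the same way. The second hunk is cut off at `++idx = ` in this copy, so its remaining lines could not be reviewed here.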

Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1

2014-03-19 Thread Cyril Brulebois
Simon McVittie s...@debian.org (2014-03-19):
> A proposed debdiff is attached.

No it's not.

Mraw,
KiBi.

