Processed: Re: Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Processing control commands:

> tags -1 + pending
Bug #742161 [release.debian.org] wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Added tag(s) pending.

--
742161: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742161
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/handler.s.b742161.13974080621031.transcr...@bugs.debian.org
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Control: tags -1 + pending

On Sat, 2014-04-12 at 22:17 +0100, Simon McVittie wrote:
> On 01/04/14 21:48, Adam D. Barratt wrote:
> > On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote:
> > > mp3gain, an implementation of ReplayGain volume normalization,
> > > contains a very old modified version of mpglib, an MPEG audio
> > > decoder maintained as part of mpg123.
> > ...
> > Please go ahead; thanks.
>
> Uploaded. Sorry for the delay, my test environment for it was rather
> awkward (I didn't want to try suspicious exploits in a network-connected
> environment, when there was a possibility they might still work).
> No changes other than the changelog.

Thanks; flagged for acceptance.

> Would you be interested in a squeeze update? The patches appear to be
> the same, apart from some end-of-line \r adjustments to make them apply.
> A possible debdiff is attached; so far its status is "compiles in
> sbuild, but untested". I would of course test it on a squeeze system
> with all the mpg123 exploits I've been able to find before uploading.

If the issues still affect squeeze, I'd be happy to look at fixing them
there. Please could you open a separate bug for that when you're ready,
so that we can track the status of the uploads separately?

Regards,

Adam

--
Archive: https://lists.debian.org/1397408053.24647.24.ca...@jacala.jungle.funky-badger.org
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
On 01/04/14 21:48, Adam D. Barratt wrote: On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote: mp3gain, an implementation of ReplayGain volume normalization, contains a very old modified version of mpglib, an MPEG audio decoder maintained as part of mpg123. ... Please go ahead; thanks. Uploaded. Sorry for the delay, my test environment for it was rather awkward (I didn't want to try suspicious exploits in a network-connected environment, when there was a possibility they might still work). No changes other than the changelog. Would you be interested in a squeeze update? The patches appear to be the same, apart from some end-of-line \r adjustments to make them apply. A possible debdiff is attached; so far its status is compiles in sbuild, but untested. I would of course test it on a squeeze system with all the mpg123 exploits I've been able to find before uploading. S diffstat for mp3gain_1.5.1-4 mp3gain_1.5.1-4+deb6u1 debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch | 32 ++ debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch | 47 ++ debian/patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch | 33 +++ debian/patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch | 30 ++ debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch | 36 +++ debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch | 27 + mp3gain-1.5.1/debian/changelog | 12 ++ mp3gain-1.5.1/debian/patches/00list |6 + 8 files changed, 223 insertions(+) diff -u mp3gain-1.5.1/debian/changelog mp3gain-1.5.1/debian/changelog --- mp3gain-1.5.1/debian/changelog +++ mp3gain-1.5.1/debian/changelog 
@@ -1,3 +1,15 @@ +mp3gain (1.5.1-4+deb6u1) squeeze; urgency=high + + * Add various patches from Daniel Kobras' mpg123 packaging to fix +buffer overflows in the embedded copy/fork of mpglib +- CVE-2003-0577 (originally #201698 in mpg123) +- CVE-2004-0805 (originally #270542 in mpg123) +- CVE-2004-0991 +- CVE-2006-1655 (originally #361863 in mpg123) +(Closes: #740268) + + -- Simon McVittie s...@debian.org Wed, 19 Mar 2014 09:19:58 + + mp3gain (1.5.1-4) unstable; urgency=low * Fix various potential segfaults found by cppcheck. diff -u mp3gain-1.5.1/debian/patches/00list mp3gain-1.5.1/debian/patches/00list --- mp3gain-1.5.1/debian/patches/00list +++ mp3gain-1.5.1/debian/patches/00list @@ -10,0 +11,6 @@ +0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.dpatch +0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.dpatch +0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.dpatch +0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.dpatch +0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch +0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch +++ mp3gain-1.5.1/debian/patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.dpatch 
@@ -0,0 +1,27 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie s...@debian.org +Date: Sun, 16 Mar 2014 22:21:26 + +Subject: Increase MAXFRAMESIZE to 3456 bytes, which is much closer to reality + +Author: Daniel Kobras +Origin: vendor, Debian (mpg123/0.59r-14) +--- + mpglibDBL/mpg123.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h +index 691eb9c..08bd217 100644 +--- a/mpglibDBL/mpg123.h b/mpglibDBL/mpg123.h +@@ -61,7 +61,7 @@ char *strchr (), *strrchr (); + #define MPG_MD_DUAL_CHANNEL 2 + #define MPG_MD_MONO 3 + +-#define MAXFRAMESIZE 1792 ++#define MAXFRAMESIZE 3456 + + /* AF: ADDED FOR LAYER1/LAYER2 */ + #define SCALE_BLOCK 12 only in patch2: unchanged: --- mp3gain-1.5.1.orig/debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch +++ mp3gain-1.5.1/debian/patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.dpatch @@ -0,0 +1,36 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ + +From: Simon McVittie s...@debian.org +Date: Sun, 16 Mar 2014 21:55:22 + +Subject: CVE-2003-0577: common.c: is also an invalid bit rate + +According to Daniel Kobras on #201698, this patch is unnecessary... +but it seems better to be careful, since our mpglib is not quite +the same as the one in mpg123. + +Origin: vendor, Connectiva +See-also: http://lwn.net/Alerts/39916/ +See-also: http://www.securityfocus.com/bid/6629 +See-also: http://www.securityfocus.com/archive/1/306903 +See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=201698 +--- + mpglibDBL/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff
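Review bot: In the 0016 hunk, MAXFRAMESIZE goes from 1792 to 3456, but nothing in this debdiff shows that the frame-size validation introduced by 0014 ("copy frame size checking from mpg123") rejects frames larger than the new limit; please confirm that check uses MAXFRAMESIZE as its upper bound (or add a comment in 0016 saying where the bound is enforced), otherwise the two patches can drift apart on a later rebase.

Review bot: In the 0015 hunk, the Subject line "CVE-2003-0577: common.c: is also an invalid bit rate" never says which bit-rate value is being rejected, and the description says the patch may be unnecessary per #201698; state the rejected value and the reason it matters for mp3gain's fork in the patch header so a future reviewer can check the rationale without leaving the tree.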
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Control: tags -1 + confirmed

On Wed, 2014-03-19 at 23:54 +, Simon McVittie wrote:
> mp3gain, an implementation of ReplayGain volume normalization, contains
> a very old modified version of mpglib, an MPEG audio decoder maintained
> as part of mpg123.
[...]
> The security team asked me to handle this as a stable update. I have
> opened a serious bug against mp3gain (#742111) and removed it from
> testing (#742112), because I don't think it should be in Debian 8.

Please go ahead; thanks.

Regards,

Adam

--
Archive: https://lists.debian.org/1396385309.4155.21.ca...@jacala.jungle.funky-badger.org
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
On Thu, 20 Mar 2014 at 01:06:20 +0100, Cyril Brulebois wrote:
> Simon McVittie s...@debian.org (2014-03-19):
> > A proposed debdiff is attached.
>
> No it's not.

Sorry about that. I realised that just after I sent the message, and sent
a follow-up that does include it, which you might not have seen:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=mp3gain-wheezy.diff;att=1;bug=742161

(Again, I prepared that package with a security update in mind; I'll
change wheezy-security to wheezy in what I upload.)

Regards,
    S

--
Archive: https://lists.debian.org/20140321091517.ga4...@reptile.pseudorandom.co.uk
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

mp3gain, an implementation of ReplayGain volume normalization, contains a
very old modified version of mpglib, an MPEG audio decoder maintained as
part of mpg123.

Gustavo Grieco reported a buffer overflow in this mpglib fork (#740268),
which he suspects can be exploited for arbitrary code execution if a user
runs mp3gain on crafted input.

While researching the situation, I found several old vulnerabilities in
mpg123 which seem to be applicable to mp3gain's copy (CVE-2003-0577,
CVE-2004-0805, CVE-2004-0991, CVE-2006-1655); the vulnerability that
Gustavo found appears to be one of those. Some of those CVEs might not
actually be exploitable in mp3gain - a couple of them are specific to
MPEG layer 2, which it refuses to analyze anyway - but it seemed safer to
patch them all.

The security team asked me to handle this as a stable update. I have
opened a serious bug against mp3gain (#742111) and removed it from
testing (#742112), because I don't think it should be in Debian 8.

Exploits which might be useful for testing, none of which appear to have
any effect on the patched mp3gain in a wheezy VM:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=PoC.mp3;att=1;bug=740268
(Gustavo's proof-of-concept)
http://www.exploit-db.com/exploits/1634/
http://www.exploit-db.com/exploits/22147/

A proposed debdiff is attached. I'll change wheezy-security to wheezy for
the stable upload - I prepared it before I got an answer from the security
team.

I haven't tested a squeeze update yet; I expect that it would look
remarkably similar. Let me know if you'd like me to prepare one of those.

Regards,
    S

--
Archive: https://lists.debian.org/20140319235441.ga28...@reptile.pseudorandom.co.uk
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
On Wed, 19 Mar 2014 at 23:54:41 +, Simon McVittie wrote: A proposed debdiff is attached. Sorry, it wasn't. Here it is. S diffstat for mp3gain-1.5.2-r2 mp3gain-1.5.2-r2 changelog | 12 ++ patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch | 28 ++ patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch | 43 ++ patches/0013-CVE-2004-0991-fix-insufficient-validation-of-MPEG-he.patch | 29 ++ patches/0014-CVE-2004-0991-copy-frame-size-checking-from-mpg123-0.patch | 26 ++ patches/0015-CVE-2003-0577-common.c--is-also-an-invalid-bit-r.patch | 32 +++ patches/0016-Increase-MAXFRAMESIZE-to-3456-bytes-which-is-much-cl.patch | 23 + patches/series |6 + 8 files changed, 199 insertions(+) diff -Nru mp3gain-1.5.2-r2/debian/changelog mp3gain-1.5.2-r2/debian/changelog --- mp3gain-1.5.2-r2/debian/changelog 2011-11-10 15:27:35.0 + +++ mp3gain-1.5.2-r2/debian/changelog 2014-03-19 09:22:48.0 + @@ -1,3 +1,15 @@ +mp3gain (1.5.2-r2-2+deb7u1) wheezy-security; urgency=high + + * Add various patches from Daniel Kobras' mpg123 packaging to fix +buffer overflows in the embedded copy/fork of mpglib +- CVE-2003-0577 (originally #201698 in mpg123) +- CVE-2004-0805 (originally #270542 in mpg123) +- CVE-2004-0991 +- CVE-2006-1655 (originally #361863 in mpg123) +(Closes: #740268, hopefully) + + -- Simon McVittie s...@debian.org Wed, 19 Mar 2014 09:19:58 + + mp3gain (1.5.2-r2-2) unstable; urgency=low [ Simon McVittie ] diff -Nru mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch --- mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch 1970-01-01 01:00:00.0 +0100 +++ mp3gain-1.5.2-r2/debian/patches/0011-CVE-2004-0805-layer2.c-fix-buffer-overflow-in-layer2.patch 2014-03-19 09:22:48.0 + 
@@ -0,0 +1,28 @@ +From: Simon McVittie s...@debian.org +Date: Sun, 16 Mar 2014 20:52:15 + +Subject: CVE-2004-0805: layer2.c: fix buffer overflow in layer2 decoder + +Origin: vendor, Debian (mpg123/0.59r-18) +Author: Daniel Kobras kob...@debian.org +See-also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542 +See-also: http://article.gmane.org/gmane.comp.security.full-disclosure/25471 +--- + mpglibDBL/layer2.c | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c +index 8f4e9e3..027cced 100644 +--- a/mpglibDBL/layer2.c b/mpglibDBL/layer2.c +@@ -280,6 +280,11 @@ int do_layer2( PMPSTR mp,unsigned char *pcm_sample,int *pcm_point) + fr-jsbound = (fr-mode == MPG_MD_JOINT_STEREO) ? + (fr-mode_ext2)+4 : fr-II_sblimit; + ++ if (fr-jsbound fr-II_sblimit) { ++fprintf(stderr, Truncating stereo boundary to sideband limit.\n); ++fr-jsbound=fr-II_sblimit; ++ } ++ + if(stereo == 1 || single == 3) + single = 0; + diff -Nru mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch --- mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch 1970-01-01 01:00:00.0 +0100 +++ mp3gain-1.5.2-r2/debian/patches/0012-CVE-2006-1655-fix-heap-overflow-in-layer3.c-III_anti.patch 2014-03-19 09:22:48.0 + 
@@ -0,0 +1,43 @@ +From: Simon McVittie s...@debian.org +Date: Sun, 16 Mar 2014 21:00:31 + +Subject: CVE-2006-1655: fix heap overflow in layer3.c::III_antialias() + +This combines two patches taken from mpg123: the original fix by Daniel +Kobras, and extended fix for CVE-2006-1655 from upstream 0.61. + +Origin: vendor, Debian (mpg123/0.59r-22); upstream (mpg123/0.61) +Author: Daniel Kobras kob...@debian.org +Author: thor +Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361863 +--- + mpglibDBL/layer3.c | 10 -- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c +index 4016a2a..793857c 100644 +--- a/mpglibDBL/layer3.c b/mpglibDBL/layer3.c +@@ -1113,7 +1113,10 @@ maybe still wrong??? (copy 12 to 13?) */ + * and mode = mixed_mode + */ +int sfb = gr_infos-maxbandl; +- int idx = bi-longIdx[sfb]; ++ int idx; ++ if (sfb 21) ++ return; ++ idx = bi-longIdx[sfb]; + +for ( ; sfb8; sfb++ ) +{ +@@ -1137,7 +1140,10 @@ maybe still wrong??? (copy 12 to 13?) */ + else /* ((gr_infos-block_type != 2)) */ + { + int sfb = gr_infos-maxbandl; +-int is_p,idx = bi-longIdx[sfb]; ++int is_p,idx; ++if (sfb 21) ++ return; ++idx =
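Review bot: In the changelog hunk, "(Closes: #740268, hopefully)" puts a hedge inside a field that the archive tooling parses mechanically; the bug is closed on acceptance regardless of the word, so drop "hopefully" from the Closes: line and, if the doubt is real, say so in the bullet text instead.

Review bot: In the 0011 hunk, the new clamp on fr->jsbound prints "Truncating stereo boundary to sideband limit." to stderr unconditionally; since do_layer2() runs once per frame inside a library that mp3gain calls in a loop, a single malformed file can produce one line per frame. Keep the clamp, but either emit the warning once or drop the fprintf, matching how 0012 handles its out-of-range case silently.

Review bot: In the 0012 hunk, the bound 21 is a bare magic number written twice (once per branch of III_antialias), with nothing tying it to the declared length of bi->longIdx; define it once as a named constant derived from that array's size, and add a one-line comment saying why an sfb above it cannot be indexed, so the next person to resize longIdx also updates the check.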
Bug#742161: wheezy-pu: package mp3gain/1.5.2-r2-2+deb7u1
Simon McVittie s...@debian.org (2014-03-19):
> A proposed debdiff is attached.

No it's not.

Mraw,
KiBi.