mpg123 heap overflow in httpget.c

Related Vulnerabilities: CVE-2006-3355  

Debian Bug report logs - #377264
mpg123 heap overflow in httpget.c


Reported by: Horst Schirmeier <horst@schirmeier.com>

Date: Fri, 7 Jul 2006 17:48:01 UTC

Severity: grave

Tags: security

Found in version mpg123/0.59r-20sarge1

Fixed in version mpg123/0.60-1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#377264; Package mpg123.


Acknowledgement sent to Horst Schirmeier <horst@schirmeier.com>:
New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Horst Schirmeier <horst@schirmeier.com>
To: submit@bugs.debian.org
Subject: mpg123 heap overflow in httpget.c
Date: Fri, 7 Jul 2006 19:26:12 +0200
Package: mpg123
Version: 0.59r-20sarge1

When running mpg123 with an HTTP URL which sends any HTTP redirection,
mpg123 displays erratic behaviour due to a heap overflow in httpget.c:

$ mpg123 'http://patrimonium.amberfisharts.com/download.asp?lang=de&id=20'
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
free(): invalid pointer 0x8085118!
Unknown host "downloads".
Segmentation fault


This heap overflow was introduced by Gentoo's
103_all_CAN-2004-0982.patch, written by Jeremy Huddleston
(eradicator@gentoo.org), which obviously has also been used in Debian's
mpg123_0.59r-20sarge1.diff. On Gentoo, this has already been fixed
lately (bug #133988, GLSA 200607-01).

For more details see the Gentoo Linux Security Advisory[1]
and my bug description[2], which also contains a corrected
103_all_CAN-2004-0982.patch.

[1] http://www.gentoo.org/security/en/glsa/glsa-200607-01.xml
[2] http://bugs.gentoo.org/show_bug.cgi?id=133988



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#377264; Package mpg123.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>.


Message #10 received at 377264@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 377264@bugs.debian.org, control@bugs.debian.org
Subject: CVE-2006-3355: mpg123 heap overflow in httpget.c
Date: Sat, 5 Aug 2006 11:16:05 +0200
package mpg123
severity 377264 grave
tags 377264 +security
thanks

This is CVE-2006-3355. Please mention the CVE-id in the changelog.



Severity set to `grave' from `normal' Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Tags added: security Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#377264; Package mpg123.


Acknowledgement sent to "Thomas Perl" <thp@perli.net>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>.


Message #19 received at 377264@bugs.debian.org:

From: "Thomas Perl" <thp@perli.net>
To: 377264@bugs.debian.org
Subject: new upstream sources for mpg123
Date: Sat, 9 Sep 2006 09:59:33 +0200 (CEST)
Upstream has released a new version (0.60) on August 29th 2006.

Its website (http://www.mpg123.de/) states it's now released under LGPL.
The new release also fixes this bug and seems to incorporate (at least
some) patchsets from Debian.

Quoted from the announcement:

"This version is the result of merging 0.59r by Michael Hipp and parts of
his development tree with the 0.59r-gpl from sourceforge and mpg123-thor
(both including patchsets from Debian) as well as continued work on the
source of both Nicholas and myself as well as enthusiastic testers who
gave us a purpose (thanks for being with us after that long time!)."

Guess it's better to package new upstream version than patching this old
(non-free) release.




Tags added: pending Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org.


Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility.


Notification sent to Horst Schirmeier <horst@schirmeier.com>:
Bug acknowledged by developer.


Message #26 received at 377264-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 377264-close@bugs.debian.org
Subject: Bug#377264: fixed in mpg123 0.60-1
Date: Thu, 28 Sep 2006 06:55:45 -0700
Source: mpg123
Source-Version: 0.60-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

mpg123-alsa_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-alsa_0.60-1_i386.deb
mpg123-esd_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-esd_0.60-1_i386.deb
mpg123-nas_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-nas_0.60-1_i386.deb
mpg123-oss-3dnow_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-oss-3dnow_0.60-1_i386.deb
mpg123-oss-i486_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123-oss-i486_0.60-1_i386.deb
mpg123_0.60-1.diff.gz
  to pool/main/m/mpg123/mpg123_0.60-1.diff.gz
mpg123_0.60-1.dsc
  to pool/main/m/mpg123/mpg123_0.60-1.dsc
mpg123_0.60-1_i386.deb
  to pool/main/m/mpg123/mpg123_0.60-1_i386.deb
mpg123_0.60.orig.tar.gz
  to pool/main/m/mpg123/mpg123_0.60.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377264@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 14 Sep 2006 13:49:03 +0200
Source: mpg123
Binary: mpg123-esd mpg123-oss-3dnow mpg123-nas mpg123-oss-i486 mpg123-alsa mpg123
Architecture: source i386
Version: 0.60-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-alsa - MPEG layer 1/2/3 audio player with ALSA support
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support
 mpg123-nas - MPEG layer 1/2/3 audio player with NAS support
 mpg123-oss-3dnow - MPEG layer 1/2/3 audio player for 3DNow! machines
 mpg123-oss-i486 - MPEG layer 1/2/3 audio player for i486 machines
Closes: 292260 377264
Changes: 
 mpg123 (0.60-1) unstable; urgency=low
 .
   * New upstream release.
     + Includes security fix for a heap overflow in httpget.c
       (CVE-2006-3355). Closes: #377264
   * configure, configure.ac: Fix typo to make esd detection work.
   * src/audio_esd.c: Always define audio_queueflush().
   * debian/compat: Set to debhelper compatibility level 5.
   * debian/control: Move from non-free to main. Closes: #292260
   * debian/control: OSS versions depend on oss-compat now.
   * debian/control: Build-depend on pkg-config. Configure script uses it.
   * debian/control: Build-depend on debhelper and autotools-dev.
   * debian/copyright: Download location now points to SourceForge site.
   * debian/copyright: Document new copyright and license, and add pointer to
     documentation of relicensing process.
   * debian/mime: Require a terminal when called via mailcap.
   * debian/rules: Debhelperize.
   * debian/rules: Tweak rules for new configure-style build system.
   * debian/rules: Add magic touches to prevent accidental rebuilding of
     configure.
   * debian/{control,rules}: Reinstate mpg123-alsa package now that current
     ALSA versions are supported again.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 05:59:04 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:12 2019; Machine Name: buxtehude
