CVE-2007-0578: http_open function in httpget.c can get into infinite loop


Debian Bug report logs - #409296

Reported by: Kees Cook <kees@outflux.net>

Date: Thu, 1 Feb 2007 19:48:02 UTC

Severity: important

Tags: security

Found in version mpg123/0.61-4

Fixed in version mpg123/0.61-5

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>: Bug#409296; Package mpg123.


Acknowledgement sent to Kees Cook <kees@outflux.net>: New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: CVE-2007-0578: http_open function in httpget.c can get into infinite loop
Date: Thu, 1 Feb 2007 11:33:33 -0800
Package: mpg123
Version: 0.61-4
Severity: important
Tags: security

It is possible mpg123 is affected by this vulnerability.

"The http_open function in httpget.c in mpg123 before 0.64 allows remote 
attackers to cause a denial of service (infinite loop) by closing the 
HTTP connection early."

http://www.mpg123.de/cgi-bin/news.cgi

Version 0.64 was released to solve this problem.

-- 
Kees Cook                                            @outflux.net



Reply sent to Daniel Kobras <kobras@debian.org>: You have taken responsibility.


Notification sent to Kees Cook <kees@outflux.net>: Bug acknowledged by developer.


Message #10 received at 409296-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 409296-close@bugs.debian.org
Subject: Bug#409296: fixed in mpg123 0.61-5
Date: Mon, 05 Feb 2007 23:32:03 +0000
Source: mpg123
Source-Version: 0.61-5

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

mpg123-alsa_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123-alsa_0.61-5_i386.deb
mpg123-esd_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123-esd_0.61-5_i386.deb
mpg123-nas_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123-nas_0.61-5_i386.deb
mpg123-oss-3dnow_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123-oss-3dnow_0.61-5_i386.deb
mpg123-oss-i486_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123-oss-i486_0.61-5_i386.deb
mpg123_0.61-5.diff.gz
  to pool/main/m/mpg123/mpg123_0.61-5.diff.gz
mpg123_0.61-5.dsc
  to pool/main/m/mpg123/mpg123_0.61-5.dsc
mpg123_0.61-5_i386.deb
  to pool/main/m/mpg123/mpg123_0.61-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 409296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  5 Feb 2007 23:18:31 +0100
Source: mpg123
Binary: mpg123-esd mpg123-oss-3dnow mpg123-nas mpg123-oss-i486 mpg123-alsa mpg123
Architecture: source i386
Version: 0.61-5
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-alsa - MPEG layer 1/2/3 audio player with ALSA support
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support
 mpg123-nas - MPEG layer 1/2/3 audio player with NAS support
 mpg123-oss-3dnow - MPEG layer 1/2/3 audio player for 3DNow! machines - dummy package
 mpg123-oss-i486 - MPEG layer 1/2/3 audio player for i486 machines
Closes: 409296
Changes: 
 mpg123 (0.61-5) unstable; urgency=high
 .
   * src/httpget.c: Fix potential denial of service attack on premature
     end-of-file from HTTP server (CVE-2007-0578). Patch taken from upstream's
     0.64 release. Closes: #409296
Files: 

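The changelog entry above fixes a loop in src/httpget.c that never terminates when the HTTP server closes the connection before finishing a header line. The following C is an added illustration, not mpg123's code and not part of this bug report: it reconstructs the bug class with a hypothetical pre-fix reader beside a hardened one, driven over a constructed in-memory "socket" (fake_sock, read_byte and run_reader are all assumptions made for the demonstration).

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for a TCP socket: read_byte() acts like a 1-byte
 * read(2), returning 1 with the byte or 0 once the peer has closed (EOF). */
typedef struct { const char *data; size_t len; size_t pos; } fake_sock;
static int read_byte(fake_sock *s, char *out) {
    if (s->pos >= s->len) return 0;          /* EOF: still 0 on every retry */
    *out = s->data[s->pos++];
    return 1;
}

/* Pre-fix pattern (hypothetical reconstruction, not mpg123's code): only a
 * return of 1 makes progress and only '\n' ends the loop, so a server that
 * closes before sending the newline makes it spin forever. SPIN_CAP is a
 * demonstration-only guard so the call returns; the real bug has none. */
#define SPIN_CAP 1000
static int read_line_buggy(fake_sock *s, char *buf, size_t cap) {
    size_t pos = 0; int spins = 0; char c;
    while (1) {
        if (read_byte(s, &c) == 1) {
            if (pos + 1 >= cap) return -1;   /* header line too long */
            buf[pos++] = c;
            if (c == '\n') { buf[pos] = '\0'; return (int)pos; }
        } else if (++spins > SPIN_CAP) {
            return -2;                        /* would have looped forever */
        }
    }
}

/* Hardened pattern: a read result of 0 (EOF) or below is terminal; return -1
 * so the caller aborts the HTTP open instead of spinning on a dead socket. */
static int read_line_fixed(fake_sock *s, char *buf, size_t cap) {
    size_t pos = 0; char c;
    while (pos + 1 < cap) {
        if (read_byte(s, &c) <= 0) return -1; /* premature EOF or error */
        buf[pos++] = c;
        if (c == '\n') { buf[pos] = '\0'; return (int)pos; }
    }
    return -1;                                /* header line too long */
}

/* Runs one reader over a constructed status line; truncated=1 models a server
 * that closes right after "HTTP/1.0 200" without ever sending the newline. */
static int run_reader(int (*reader)(fake_sock *, char *, size_t), int truncated) {
    const char *full = "HTTP/1.0 200 OK\r\n";
    fake_sock s = { full, truncated ? 12 : strlen(full), 0 };
    char line[64];
    return reader(&s, line, sizeof line);
}
```

On the complete status line both readers return its 17 bytes; on the truncated one the pre-fix reader exhausts the spin cap while the hardened reader fails fast, which is the behaviour the 0.64 patch restores.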




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 07:34:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:45:59 2019; Machine Name: buxtehude
