Debian Bug report logs - #368207
mp3info: CVE-2006-2465: buffer overflow via command-line argument
Reported by: Alec Berryman <alec@thened.net>
Date: Sat, 20 May 2006 14:48:12 UTC
Severity: grave
Tags: fixed, patch, security
Found in version mp3info/0.8.4-9
Fixed in version 0.8.4-9.1
Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>: Bug#368207; Package mp3info.
Acknowledgement sent to Alec Berryman <alec@thened.net>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: mp3info
Version: 0.8.4-9
Severity: normal
Tags: security patch
CVE-2006-2465: "Buffer overflow in MP3Info 0.8.4 allows attackers to
execute arbitrary code via a long command line argument. NOTE: if
mp3info is not installed setuid or setgid in any reasonable context,
then this issue might not be a vulnerability."
I've confirmed this issue appears in 0.8.4-9 and attached a patch that
fixes it. There are other sprintf()s around the source, but since it's
reading the fixed-length ID3 tags I'm not sure there are any
vulnerabilities there.
Please mention the CVE in your changelog.
Thanks,
Alec
[CVE-2006-2465.diff (text/plain, attachment)]
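The change the reporter's patch makes (a fixed-size error buffer filled with sprintf from argv, replaced by a bounded snprintf) is shown below as an added example; it is not code from the bug report or from mp3info. The 256-byte buffer size, the helper names and the constructed 4095-byte argument are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Assumed buffer size: the real size of error_msg in mp3info.c is not shown. */
#define ERROR_MSG_SIZE 256

/* Bounded replacement for sprintf(error_msg, "Error opening MP3: %s", path).
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error.
 * snprintf NUL-terminates whenever bufsz > 0 and returns the length the full
 * message would have had, so truncation is detectable rather than silent.
 * Callers must pass the real array size: sizeof on a char* is the pointer size. */
int format_open_error(char *buf, size_t bufsz, const char *path)
{
    if (buf == NULL || bufsz == 0 || path == NULL)
        return -1;
    int needed = snprintf(buf, bufsz, "Error opening MP3: %s", path);
    if (needed < 0)
        return -1;
    return (size_t)needed >= bufsz ? 1 : 0;
}

/* Alternative with no intermediate buffer at all: perror() only prepends its
 * argument to strerror(errno), which fprintf can do directly. */
void report_open_error(const char *path, int saved_errno)
{
    fprintf(stderr, "Error opening MP3: %s: %s\n", path, strerror(saved_errno));
}

/* Pushes a constructed 4095-byte argument (the shape of the CVE's trigger)
 * through the bounded formatter. Returns 1 if the buffer stayed in bounds
 * and NUL-terminated, 0 otherwise. */
int demo_long_argument(void)
{
    char error_msg[ERROR_MSG_SIZE];
    char long_arg[4096];
    memset(long_arg, 'A', sizeof(long_arg) - 1);
    long_arg[sizeof(long_arg) - 1] = '\0';
    int rc = format_open_error(error_msg, sizeof(error_msg), long_arg);
    return rc == 1 && strlen(error_msg) == sizeof(error_msg) - 1;
}

int main(void)
{
    const char *path = "does-not-exist.mp3";  /* constructed missing file */
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        report_open_error(path, errno);
    else
        fclose(fp);
    return demo_long_argument() ? 0 : 1;
}
```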
Information forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>: Bug#368207; Package mp3info.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Pawel Wiecek <coven@debian.org>.
Message #10 received at 368207@bugs.debian.org:
severity 337127 grave
severity 375281 grave
severity 370144 grave
severity 355797 grave
severity 368207 grave
thanks
I'm raising the severity of these security bugs, which have been
neglected for too long. Etch should not ship with them. If the
bug should not apply to Etch, please indicate so.
Cheers,
Moritz
Severity set to `grave' from `normal'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>: Bug#368207; Package mp3info.
Acknowledgement sent to Carlos C Soto <csoto@sia-solutions.com>: Extra info received and forwarded to list. Copy sent to Pawel Wiecek <coven@debian.org>.
Message #17 received at 368207@bugs.debian.org:
I'm applying the following patch which includes the patch from Alec
Berryman <alec@thened.net> who corrects CVE-2006-2465.
This patch also corrects a lintian error about the missing target
build-indep in debian/rules.
This is a patch for the package.
-- Carlos C Soto :: eclipxe
[mp3info-patch.diff (text/x-patch, inline)]
diff -ru mp3info-0.8.4-orig/debian/changelog mp3info-0.8.4/debian/changelog
--- mp3info-0.8.4-orig/debian/changelog 2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/debian/changelog 2006-08-13 19:12:04.000000000 -0500
@@ -1,3 +1,11 @@
+mp3info (0.8.4-9.1) unstable; urgency=low
+
+ * Applied patch from Alec Berryman <alec@thened.net> (Closes: #368207)
+ * Added an empty binary-indep target in debian/rules, to fix Lintian
+ error message
+
+ -- Carlos C Soto <csoto@sia-solutions.com> Sun, 13 Aug 2006 19:10:14 -0500
+
mp3info (0.8.4-9) unstable; urgency=low
* Changed debconf dependency to include debconf-2.0 (closes: #332032)
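Review bot: the new changelog entry closes #368207 but never names CVE-2006-2465, which the reporter explicitly asked for ("Please mention the CVE in your changelog") and which is what the security team searches changelogs for; suggest `* Applied patch from Alec Berryman <alec@thened.net> to fix a buffer overflow via a long command-line argument (CVE-2006-2465) (Closes: #368207)`. A fix for a grave security bug would also normally be uploaded with `urgency=high` rather than `urgency=low`.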
diff -ru mp3info-0.8.4-orig/debian/rules mp3info-0.8.4/debian/rules
--- mp3info-0.8.4-orig/debian/rules 2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/debian/rules 2006-08-13 19:09:42.000000000 -0500
@@ -87,5 +87,8 @@
dh_md5sums
dh_builddeb
+binary-indep:
+ true
+
binary: binary-arch
.PHONY: build clean binary-arch binary install configure
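Review bot: the new `binary-indep` target is not added to the `.PHONY:` list, which still reads `build clean binary-arch binary install configure`; append it so a file named binary-indep in the source tree cannot satisfy the rule, and consider `binary: binary-indep binary-arch` so the top-level target covers both halves. The `true` recipe works, but an empty target with a `# nothing to do` comment documents that the emptiness is intentional.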
diff -ru mp3info-0.8.4-orig/mp3info.c mp3info-0.8.4/mp3info.c
--- mp3info-0.8.4-orig/mp3info.c 2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/mp3info.c 2006-08-13 19:01:00.000000000 -0500
@@ -183,7 +183,7 @@
file_open=0;
if (view_only == 1) {
if ( !( fp=fopen(argv[i],"r") ) ) {
- sprintf(error_msg,"Error opening MP3: %s",argv[i]);
+ snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]);
perror(error_msg);
retcode |= 1;
} else {
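Review bot: `sizeof(error_msg)` is only the buffer size if `error_msg` is declared as a char array in this scope; if it is a `char *`, the expression is the pointer size and the call becomes a silent 4- or 8-byte truncation rather than a fix, so confirm the declaration (it is outside the hunk). With a fixed array the change is correct: snprintf NUL-terminates and truncates an overlong `argv[i]` silently, which is acceptable for a perror() prefix. An alternative that needs no buffer at all is `fprintf(stderr, "Error opening MP3: %s: %s\n", argv[i], strerror(errno));`.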
@@ -191,7 +191,7 @@
}
} else {
if ( !( fp=fopen(argv[i],"rb+") ) ) {
- sprintf(error_msg,"Error opening MP3: %s",argv[i]);
+ snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]);
perror(error_msg);
retcode |= 1;
} else {
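Review bot: this is the same change as in the `"r"` branch above and carries the same `sizeof(error_msg)` caveat; the two identical open-error paths could be folded into one helper so that a future change to the message or its bounds is made in one place.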
Tags added: fixed. Request was from Carlos C Soto <csoto@sia-solutions.com> to control@bugs.debian.org.
Message sent on to Alec Berryman <alec@thened.net>: Bug#368207.
Message #22 received at 368207-submitter@bugs.debian.org:
Hi,
You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #368207 in the mp3info
package, which you reported.
Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.
Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.
Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.
[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:
- the bug was fixed in one version but subsequently found to exist
in a later version
- the bug existed in multiple distributions (for instance, "unstable"
and "stable") and was thus fixed in a separate upload to each
distribution
]
Regards,
Adam
Bug marked as fixed in version 0.8.4-9.1, send any further explanations to Alec Berryman <alec@thened.net>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 12:17:24 GMT)
Last modified: Wed Jun 19 18:47:17 2019