mpg123: CVE-2016-1000247: denial of service with crafted id3v2 tags

Related Vulnerabilities: CVE-2016-1000247  

Debian Bug report logs - #838960


Reported by: Thomas Orgis <thomas-forum@orgis.org>

Date: Tue, 27 Sep 2016 05:57:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version mpg123/0.60-1

Fixed in versions mpg123/1.23.8-1, mpg123/1.20.1-2+deb8u1

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 27 Sep 2016 05:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 27 Sep 2016 05:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: submit@bugs.debian.org
Subject: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Tue, 27 Sep 2016 07:47:55 +0200
Package: mpg123

This is mpg123 upstream formally informing you of a vulnerability
(crash on illegal memory read) in all mpg123 versions since 0.60, so
very likely all debian versions of mpg123 and libmpg123 are affected.

See more detail at http://mpg123.org/bugs/240 . A one-line fix for any
version is this:

	perl -pi -e 's:(while\()(tagpos < length-10\)):${1}length >= 10 && $2:' $(find src -name id3.c)


Alrighty then,

Thomas
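
The loop that the one-liner above guards, as an added example (a simplified model, not mpg123's own id3.c): assuming `length` is the unsigned byte count of the tag body, which the added `length >= 10` check implies, a body shorter than one 10-byte frame header makes `length-10` wrap around, so the unguarded loop keeps walking past the end of the buffer. The frame layout follows ID3v2.3 and the sample tag bodies are constructed.

```c
#include <stdio.h>

#define FRAME_HEADER 10UL   /* ID3v2.3 frame header: 4-byte ID, 4-byte size, 2-byte flags */

/* Loop condition as it was before the fix. `length` is unsigned (assumed,
 * as the guard in the fix implies): for length < 10 the subtraction wraps
 * around, so the condition is true for any tagpos and the loop keeps reading. */
int keep_going_vulnerable(unsigned long tagpos, unsigned long length)
{
    return tagpos < length - 10;
}

/* Loop condition after the upstream one-line fix: do not subtract unless
 * there is room for at least one frame header. */
int keep_going_fixed(unsigned long tagpos, unsigned long length)
{
    return length >= 10 && tagpos < length - 10;
}

/* Simplified frame walker over a tag body of `length` bytes. Returns the
 * number of frames found, or -1 when the loop would touch memory beyond the
 * buffer. An explicit bounds check stands in for the real memory access, so
 * the overrun is reported instead of performed and the walk is safe on any input. */
long count_frames(const unsigned char *tag, unsigned long length,
                  int (*keep_going)(unsigned long, unsigned long))
{
    unsigned long tagpos = 0;
    long frames = 0;

    while (keep_going(tagpos, length)) {
        if (tagpos + FRAME_HEADER > length)
            return -1;                    /* header read would be out of bounds */
        const unsigned char *h = tag + tagpos;
        if (h[0] == 0)                    /* zero byte: padding, no more frames */
            break;
        /* ID3v2.3 stores the frame body size as a plain big-endian 32-bit value. */
        unsigned long size = ((unsigned long)h[4] << 24) | ((unsigned long)h[5] << 16)
                           | ((unsigned long)h[6] << 8)  |  (unsigned long)h[7];
        if (size > length - tagpos - FRAME_HEADER)
            return -1;                    /* body claims more bytes than remain */
        frames++;
        tagpos += FRAME_HEADER + size;
    }
    return frames;
}

/* Constructed sample tag bodies (not taken from any real file). */
static const unsigned char TINY_TAG[6] = { 'T', 'I', 'T', '2', 0, 0 };   /* shorter than one header */
static const unsigned char GOOD_TAG[19] = {
    'T', 'I', 'T', '2',  0, 0, 0, 5,  0, 0,    /* TIT2, body size 5, no flags */
    'h', 'e', 'l', 'l', 'o',                   /* frame body */
    0, 0, 0, 0                                 /* padding */
};

long frames_in_tiny_tag(int use_fix)
{
    return count_frames(TINY_TAG, sizeof TINY_TAG,
                        use_fix ? keep_going_fixed : keep_going_vulnerable);
}

long frames_in_good_tag(int use_fix)
{
    return count_frames(GOOD_TAG, sizeof GOOD_TAG,
                        use_fix ? keep_going_fixed : keep_going_vulnerable);
}

int main(void)
{
    printf("6-byte body, old loop:    %ld (-1 = would read out of bounds)\n", frames_in_tiny_tag(0));
    printf("6-byte body, fixed loop:  %ld\n", frames_in_tiny_tag(1));
    printf("19-byte body, old loop:   %ld\n", frames_in_good_tag(0));
    printf("19-byte body, fixed loop: %ld\n", frames_in_good_tag(1));
    return 0;
}
```

The well-formed 19-byte body yields one frame under both conditions; only the truncated body separates the two loops, which is why the guard is a pure bounds fix with no change to valid input handling.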

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 27 Sep 2016 09:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 27 Sep 2016 09:30:04 GMT) (full text, mbox, link).


Message #10 received at 838960@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: 838960@bugs.debian.org, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Tue, 27 Sep 2016 10:27:04 +0100
Control: severity -1 grave
Control: tags -1 security fixed-upstream
Control: found -1 0.60-1

Hi,

On 27/09/16 06:47, Thomas Orgis wrote:
> Package: mpg123
> 
> This is mpg123 upstream formally informing you of a vulnerability
> (crash on illegal memory read) in all mpg123 versions since 0.60, so
> very likely all debian versions of mpg123 and libmpg123 are affected.
> 
> See more detail at http://mpg123.org/bugs/240 . A one-line fix for any
> version is this:
> 
> 	perl -pi -e 's:(while\()(tagpos < length-10\)):${1}length >= 10 && $2:' $(find src -name id3.c)

Thanks for letting Debian know!

Does this have a CVE ID? If not it should get one.

James


Severity set to 'grave' from 'normal' Request was from James Cowgill <jcowgill@debian.org> to 838960-submit@bugs.debian.org. (Tue, 27 Sep 2016 09:30:05 GMT) (full text, mbox, link).


Added tag(s) security and fixed-upstream. Request was from James Cowgill <jcowgill@debian.org> to 838960-submit@bugs.debian.org. (Tue, 27 Sep 2016 09:30:05 GMT) (full text, mbox, link).


Marked as found in versions mpg123/0.60-1. Request was from James Cowgill <jcowgill@debian.org> to 838960-submit@bugs.debian.org. (Tue, 27 Sep 2016 09:30:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 27 Sep 2016 16:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 27 Sep 2016 16:09:02 GMT) (full text, mbox, link).


Message #21 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: James Cowgill <jcowgill@debian.org>
Cc: 838960@bugs.debian.org, Thomas Orgis <thomas-forum@orgis.org>, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Tue, 27 Sep 2016 17:59:01 +0200
On Tue, 27 Sep 2016 10:27:04 +0100,
James Cowgill <jcowgill@debian.org> wrote:

> Does this have a CVE ID? If not it should get one.

I wondered about that. At the moment I just acted on the bug report and
pushed the fix. I have no personal experience with the CVE procedure.
In the past, just "someone" made them appear.

I tried to apply for a CVE using the horrific Google docs form
(http://iwantacve.org/) now. How can they resort to such a third-party
ECMAScript-fest instead of a simple HTML form for _security_ issue
reporting?!

Not sure if/when I'll get a response to that.


Alrighty then,

Thomas

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 27 Sep 2016 17:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 27 Sep 2016 17:00:03 GMT) (full text, mbox, link).


Message #26 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: James Cowgill <jcowgill@debian.org>, 838960@bugs.debian.org, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Tue, 27 Sep 2016 18:50:35 +0200
* Thomas Orgis:

> On Tue, 27 Sep 2016 10:27:04 +0100,
> James Cowgill <jcowgill@debian.org> wrote:
>
>> Does this have a CVE ID? If not it should get one.
>
> I wondered about that. At the moment I just acted on the bug report and
> pushed the fix. I have no personal experience with the CVE procedure.
> In the past, just "someone" made them appear.
>
> I tried to apply for a CVE using the horrific Google docs form
> (http://iwantacve.org/) now. How can they resort to such a third-party
> ECMAScript-fest instead of a simple HTML form for _security_ issue
> reporting?!

This is the first time I have heard about that site.  The official
form is at:

  <https://cveform.mitre.org/>

(It still uses Javascript.)

But I'm not sure if this is in scope here because the web form
requires you to confirm that the issue is not in a “CNA-covered
product”.  Debian is a CNA-covered product, mpg123 is part of Debian,
so it is unclear what to do here.  I'll ask around.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 27 Sep 2016 20:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 27 Sep 2016 20:39:08 GMT) (full text, mbox, link).


Message #31 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: James Cowgill <jcowgill@debian.org>, 838960@bugs.debian.org, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Tue, 27 Sep 2016 22:39:21 +0200
On Tue, 27 Sep 2016 18:50:35 +0200,
Florian Weimer <fw@deneb.enyo.de> wrote:

> Debian is a CNA-covered product, mpg123 is part of Debian,
> so it is unclear what to do here.  I'll ask around.

Well, so far I did not get a response from http://iwantacve.org/
(linked from
http://cve.mitre.org/cve/data_sources_product_coverage.html, btw. both
not defaulting to https) … I am not sure how long I should wait. Maybe
the "Distributed Weakness Filing Project" consists of humans that don't
work around the clock. If there is a number from Debian, it's fine by
me. We should just avoid that there are two associations.

And, well mpg123 is part of Debian and numerous other distros/ports
trees, as well as a stand-alone product people install on their MS
Windows machines, or under OS/2 (yes, really;-) … or in yet other
contexts. Like just about any other open source project. I guess
getting a CVE via the Debian umbrella might be the easiest route,
though.

Getting the fix to the users is my top priority. Even without CVE, a
debian bug report hopefully triggers a good number of downstream
distros at least.


Alrighty then,

Thomas

Added tag(s) pending. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Wed, 28 Sep 2016 17:33:02 GMT) (full text, mbox, link).


Message sent on to Thomas Orgis <thomas-forum@orgis.org>:
Bug#838960. (Wed, 28 Sep 2016 17:33:04 GMT) (full text, mbox, link).


Message #36 received at 838960-submitter@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 838960-submitter@bugs.debian.org
Subject: Bug#838960 marked as pending
Date: Wed, 28 Sep 2016 17:29:35 +0000
tag 838960 pending
thanks

Hello,

Bug #838960 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-multimedia/mpg123.git;a=commitdiff;h=a2789e2

---
commit a2789e286ff721187af85306ae5b5b42a8135fac
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Wed Sep 28 19:26:53 2016 +0200

    Finalize changelog

diff --git a/debian/changelog b/debian/changelog
index 11ee8bf..a171a12 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,17 @@
-mpg123 (1.23.8-1) UNRELEASED; urgency=medium
+mpg123 (1.23.8-1) unstable; urgency=high
 
+  * Team upload.
   * New upstream release.
-
- -- Sebastian Ramacher <sramacher@debian.org>  Wed, 28 Sep 2016 18:44:36 +0200
+    - Fixes DoS with crafted ID3v2 tags. (Closes: #838960)
+  * debian/{control,libout123*}: Add new libout123-0 package.
+  * debian/libmpg123-0.symbols*: Add new symbols.
+  * debian/patches: Refreshed.
+  * debian/control:
+    - Update Vcs-*.
+    - Bump Standards Version
+  * debian/copyright: Update copyright years.
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Wed, 28 Sep 2016 19:19:03 +0200
 
 mpg123 (1.22.4-1) unstable; urgency=medium
 
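Review bot: the item `+    - Bump Standards Version` states neither which version it was bumped to nor ends with a period like the neighbouring entries; write it as `- Bump Standards-Version to <the new value>.` so the entry is checkable. The security line `+    - Fixes DoS with crafted ID3v2 tags. (Closes: #838960)` carries only the bug number, which is fine since no CVE existed when this was written, but once the identifier is assigned the next changelog entry should mention it so the upload can be matched to the advisory.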



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Wed, 28 Sep 2016 23:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 28 Sep 2016 23:21:03 GMT) (full text, mbox, link).


Message #41 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: James Cowgill <jcowgill@debian.org>, 838960@bugs.debian.org, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Thu, 29 Sep 2016 01:20:05 +0200
On Tue, 27 Sep 2016 22:39:21 +0200,
Thomas Orgis <thomas-forum@orgis.org> wrote:

> Well, so far I did not get a response from http://iwantacve.org/

Still nothing. I don't expect anything to arrive anymore. Perhaps that
Google Docs form was a joke anyway. So, please let's just get a number
via Debian and get on with it.


Alrighty then,

Thomas

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Fri, 30 Sep 2016 06:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 30 Sep 2016 06:06:02 GMT) (full text, mbox, link).


Message #46 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Thomas Orgis <thomas-forum@orgis.org>, 838960@bugs.debian.org, James Cowgill <jcowgill@debian.org>, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Fri, 30 Sep 2016 08:05:14 +0200
On Thu, 29 Sep 2016 01:20:05 +0200,
Thomas Orgis <thomas-forum@orgis.org> wrote:

> Still nothing. I don't expect anything to arrive anymore. Perhaps that
> Google Docs form was a joke anyway. So, please let's just get a number
> via Debian and get on with it.

Nope, eh … yes. I got a reply now from the distributed weakness
reporting project and probably a CVE will follow. Sorry if I'm causing
a mess with this. It is my first time getting involved in this directly.


Alrighty then,

Thomas

Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Tue, 04 Oct 2016 10:03:10 GMT) (full text, mbox, link).


Notification sent to Thomas Orgis <thomas-forum@orgis.org>:
Bug acknowledged by developer. (Tue, 04 Oct 2016 10:03:10 GMT) (full text, mbox, link).


Message #51 received at 838960-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 838960-close@bugs.debian.org
Subject: Bug#838960: fixed in mpg123 1.23.8-1
Date: Tue, 04 Oct 2016 10:00:14 +0000
Source: mpg123
Source-Version: 1.23.8-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 28 Sep 2016 19:19:03 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev
Architecture: source amd64
Version: 1.23.8-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library)
 mpg123     - MPEG layer 1/2/3 audio player
Closes: 838960
Changes:
 mpg123 (1.23.8-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     - Fixes DoS with crafted ID3v2 tags. (Closes: #838960)
   * debian/{control,libout123*}: Add new libout123-0 package.
   * debian/libmpg123-0.symbols*: Add new symbols.
   * debian/patches: Refreshed.
   * debian/control:
     - Update Vcs-*.
     - Bump Standards Version
   * debian/copyright: Update copyright years.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 04 Oct 2016 11:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 04 Oct 2016 11:21:05 GMT) (full text, mbox, link).


Message #56 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: 838960@bugs.debian.org
Subject: Re: Bug#838960 closed by Sebastian Ramacher <sramacher@debian.org> (Bug#838960: fixed in mpg123 1.23.8-1)
Date: Tue, 4 Oct 2016 13:22:11 +0200
On Tue, 04 Oct 2016 10:03:10 +0000,
owner@bugs.debian.org (Debian Bug Tracking System) wrote:

> This is an automatic notification regarding your Bug report
> which was filed against the mpg123 package:
> 
> #838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
> 
> It has been closed by Sebastian Ramacher <sramacher@debian.org>.

Are the packages for stable/oldstable also being fixed?


Alrighty then,

Thomas

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Tue, 04 Oct 2016 11:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 04 Oct 2016 11:30:03 GMT) (full text, mbox, link).


Message #61 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>, 838960@bugs.debian.org
Subject: Re: Bug#838960: closed by Sebastian Ramacher <sramacher@debian.org> (Bug#838960: fixed in mpg123 1.23.8-1)
Date: Tue, 4 Oct 2016 13:26:19 +0200
On 2016-10-04 13:22:11, Thomas Orgis wrote:
> On Tue, 04 Oct 2016 10:03:10 +0000,
> owner@bugs.debian.org (Debian Bug Tracking System) wrote:
> 
> > This is an automatic notification regarding your Bug report
> > which was filed against the mpg123 package:
> > 
> > #838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
> > 
> > It has been closed by Sebastian Ramacher <sramacher@debian.org>.
> 
> Are the packages for stable/oldstable also being fixed?

Yes, see #839731.

Cheers
-- 
Sebastian Ramacher

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Wed, 05 Oct 2016 19:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 05 Oct 2016 19:39:02 GMT) (full text, mbox, link).


Message #66 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>, 838960@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, James Cowgill <jcowgill@debian.org>, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Wed, 5 Oct 2016 21:34:49 +0200
Hi Thomas,

On Fri, Sep 30, 2016 at 08:05:14AM +0200, Thomas Orgis wrote:
> On Thu, 29 Sep 2016 01:20:05 +0200,
> Thomas Orgis <thomas-forum@orgis.org> wrote:
> 
> > Still nothing. I don't expect anything to arrive anymore. Perhaps that
> > Google Docs form was a joke anyway. So, please let's just get a number
> > via Debian and get on with it.
> 
> Nope, eh … yes. I got a reply now from the distributed weakness
> reporting project and probably a CVE will follow. Sorry if I'm causing
> a mess with this. It is my first time getting involved in this directly.

Any news from the DWF project on the assigned CVE?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#838960; Package mpg123. (Wed, 05 Oct 2016 21:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 05 Oct 2016 21:36:02 GMT) (full text, mbox, link).


Message #71 received at 838960@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Thomas Orgis <thomas-forum@orgis.org>, 838960@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, James Cowgill <jcowgill@debian.org>, security@debian.org
Subject: Re: Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60
Date: Wed, 5 Oct 2016 23:34:02 +0200
On Wed, 5 Oct 2016 21:34:49 +0200,
Salvatore Bonaccorso <carnil@debian.org> wrote:

> Any news from the DWF project on the assigned CVE?

Nothing. I got the initial request to accept the MITRE Terms of Use for
CVE from the person handling my case (I assume). I replied to the mail
at 2016-09-30. Nothing came back. I don't know what is the usual
duration here. Maybe my reply got dropped as it was sent from the
account behind maintainer@mpg123.org, which is only a forwarder.

Dunno how to proceed.


Alrighty then,

Thomas

Changed Bug title to 'mpg123: CVE-2016-1000247: denial of service with crafted id3v2 tags' from 'denial of service with crafted id3v2 tags in all mpg123 versions since 0.60'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Oct 2016 04:33:03 GMT) (full text, mbox, link).


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Wed, 12 Oct 2016 22:21:10 GMT) (full text, mbox, link).


Notification sent to Thomas Orgis <thomas-forum@orgis.org>:
Bug acknowledged by developer. (Wed, 12 Oct 2016 22:21:10 GMT) (full text, mbox, link).


Message #78 received at 838960-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>
To: 838960-close@bugs.debian.org
Subject: Bug#838960: fixed in mpg123 1.20.1-2+deb8u1
Date: Wed, 12 Oct 2016 22:17:49 +0000
Source: mpg123
Source-Version: 1.20.1-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 04 Oct 2016 11:42:56 +0100
Source: mpg123
Binary: mpg123 libmpg123-0 libmpg123-dev
Architecture: source
Version: 1.20.1-2+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 mpg123     - MPEG layer 1/2/3 audio player
Closes: 838960
Changes:
 mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
 .
   * Team upload.
   * Fix DoS with crafted ID3v2 tags. (Closes: #838960)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:06:49 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:57:19 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Jun 2017 07:26:12 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:01:42 2019; Machine Name: buxtehude
