Summary: | media-sound/mpg123: buffer overflows in httpget.c | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Luke Macken (RETIRED) <lewk> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | chriswhite, eradicator, sound |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | B2 [glsa] vorlon | ||
Package list: | Runtime testing required: | --- |
Description
Luke Macken (RETIRED)
2004-10-20 21:46:18 UTC
No confirmation from upstream Upstream is dead. I don't have time to look at this now. I'll try to look at it tomorrow. eradicator: I was working on this bug last night, but didn't get a chance to fix it fully. It seems there's a bit of a stability issues besides the security fix that needs to be applied. If you can look at it and get things done faster, please feel free to take it, otherwise I'll keep working on it. the stability issues are documented in other bugs, and we shouldn't worry about fixing those at the same time as this security fix. I'm on this now and will hopefully have a releasse soon mpg123-0.59s-r5 is fixed. the size of httpauth1 is upperbound by strlen(purl) + 1, so we allocate that much space. Likewise for buf, we allocate (strlen(httpauth) + 1) * 4 Archs, please test and mark stable. tried to emerge media-sound/mpg123-0.59s-r5 but the gentoo patch is not on any mirrors that i tried and the original src is bad: >>> emerge (1 of 1) media-sound/mpg123-0.59s-r5 to / [...] >>> Downloading http://dev.gentoo.org/~eradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2 --19:49:21-- http://dev.gentoo.org/%7Eeradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2 => `/usr/portage/distfiles/mpg123-0.59s-gentoo-1.0.tar.bz2' Resolving dev.gentoo.org... 156.56.111.197 Connecting to dev.gentoo.org[156.56.111.197]:80... connected. HTTP request sent, awaiting response... 403 Forbidden 19:49:21 ERROR 403: Forbidden. eradicator: please chmod a+r that file. thanks. done, sorry Marked ppc stable. The patchdir variable was also wrong, so I fixed that too. Just the following need to mark it stable ~ia64 ~alpha ~mips ~ppc64 IIRC, they're all tier-2 archs, so we can put out the GLSA. Stable on alpha. Ready for a GLSA Eradicator, could you comment on the other bug mentioned in the advisory? It doesn't appear to be fixed with the new patch. Eradicator confirmed that a patch is missing for that. Could someone pls look into it? going back to ebuild status and removing arches for now ok, -r6 has been added which addresses all 3 security fixes. The changes to fix the last bug found that buffer overflows could easily result from more than just the prgName variable. The httpauth lengths were not considered, and the proxy server was not considered. This is now fixed now by allocating the corerct size to request. Archs, please test -r6. Tested and marked stable on ppc. -r6 stable on alpha. glsa 20041027 stable on ppc64, Could this vulnerability affect the MP3 plugin based on mpg123 included in XMMS and Beep Media Player? re: comment #19: no Stable on mips. |