Mandrake Linux Security Update Advisory

Package name: mpg123
Advisory ID: MDKSA-2003:078
Date: July 23rd, 2003
Affected versions: 9.0, 9.1, Corporate Server 2.1

Problem Description:
A vulnerability in the mpg123 mp3 player could allow local and/or remote attackers to cause a DoS and possibly execute arbitrary code via an mp3 file with a zero bitrate, which causes a negative frame size.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0577
http://online.securityfocus.com/bid/6629
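The failure mode the advisory describes (a zero bitrate field turning into a negative frame length) and the validation a header parser needs before it derives any length, as an added illustration written for this thread; it is not mpg123's own code. It assumes a raw 4-byte MPEG-1 Layer III frame header and uses the standard 144 * bitrate / samplerate + padding frame-size formula.

```c
#include <stdint.h>
#include <stdio.h>

/* MPEG-1 Layer III bitrates (kbit/s) by 4-bit header index: 0 = "free format"
 * (no bitrate), 15 = reserved. Sample rates (Hz) by 2-bit index: 3 = reserved. */
static const int kBitrateKbps[16] = {0, 32, 40, 48, 56, 64, 80, 96,
                                     112, 128, 160, 192, 224, 256, 320, 0};
static const int kSampleRateHz[4] = {44100, 48000, 32000, 0};

/* Flawed computation (illustrative, not mpg123's code): it trusts the bitrate
 * field and subtracts the 4-byte header, so bitrate index 0 gives 0 + pad - 4,
 * i.e. a negative payload length. Returns the raw arithmetic result. */
int naive_payload_size(const uint8_t hdr[4]) {
    int bitrate = kBitrateKbps[hdr[2] >> 4] * 1000;
    int sr = kSampleRateHz[(hdr[2] >> 2) & 3];
    int pad = (hdr[2] >> 1) & 1;
    if (sr == 0) return -1;           /* the only guard present: avoid divide by zero */
    return 144 * bitrate / sr + pad - 4;
}

/* Hardened computation: validate sync, version/layer, bitrate and sample-rate
 * indices before deriving any length, and refuse a length the caller could
 * turn into a negative or zero-sized read. Returns payload bytes or -1. */
int checked_payload_size(const uint8_t hdr[4]) {
    if (hdr[0] != 0xFF || (hdr[1] & 0xFE) != 0xFA)   /* sync, MPEG-1, Layer III */
        return -1;
    int br_idx = hdr[2] >> 4;
    int sr_idx = (hdr[2] >> 2) & 3;
    int pad = (hdr[2] >> 1) & 1;
    if (br_idx == 0 || br_idx == 15 || sr_idx == 3)   /* free format / reserved */
        return -1;
    int frame = 144 * kBitrateKbps[br_idx] * 1000 / kSampleRateHz[sr_idx] + pad;
    if (frame <= 4)                                   /* nothing after the header */
        return -1;
    return frame - 4;
}

int main(void) {
    /* Constructed headers: 128 kbit/s @ 44.1 kHz, and the same with bitrate 0. */
    const uint8_t ok[4]   = {0xFF, 0xFB, 0x90, 0x00};
    const uint8_t zero[4] = {0xFF, 0xFB, 0x00, 0x00};
    printf("valid: naive=%d checked=%d\n",
           naive_payload_size(ok), checked_payload_size(ok));
    printf("zero bitrate: naive=%d checked=%d\n",
           naive_payload_size(zero), checked_payload_size(zero));
    return 0;
}
```

For the valid header both functions return 413; for the zero-bitrate header the naive version returns -4, which becomes a huge value once used as an unsigned length, while the checked version rejects the frame.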
Well... it appears then that both 0.59 r and s both are insecure. mpg321 to the rescue! :)
Publicly available exploit for mpg123 at http://fakehalo.deadpig.org/xmpg123.c

No solution = package.mask to the rescue.

# <solar@gentoo.org> (29 Sep 2003)
# masked for security reasons bug 26787
<=media-sound/mpg123-0.59s
Are you sure this can't be fixed? The exploit references an updated version from Mandrake. It seems likely that the source for that update is available somewhere. Even if it isn't, it doesn't appear to be terribly difficult to fix. If the exploit is really as simple as described (plays an mp3 with a zero, or negative bitrate) then it would be straightforward to patch. Shouldn't we at least try to fix before masking?
Better to turn off the hose before starting to mop up the floor. It may be easy to patch, but in the meantime, who knows how many people might install it and get hacked. Better to mask it and fix the problem so at least only the people who have it installed already have the possibility to be affected.
Patch (in Bugtraq archives) here: http://archives.neohapsis.com/archives/bugtraq/2003-01/0117.html

Let me know if you aren't going to apply this and I'll take care of it tonight when I get home from work.
re.: #4 Yes, agreed. Both versions should be masked until someone applies the patch and re-tests the exploit.
I'm just a user in this context so if you're talking to me re: applying the patch I won't be doing any changes to this package. It's all yours if you want it.
I meant the security team, to whom this bug is assigned.
The security team often gets stuck tracking down fixes for various programs, sometimes even fixing programs that they themselves don't even use or have little experience with. This should not really be the role of the security team alone. Arch herds should still do good housekeeping on the programs they maintain.

J. Ellis, yes, if you have time it would be great if you could apply the listed patch and test. After proper ~arch testing we can unmask and send out a GLSA.
Masking has resulted in:

# emerge -puDv world
These are the packages that I would merge, in order:
Calculating world dependencies /
!!! all ebuilds that could satisfy ">=media-sound/mpg123-0.59" have been masked.
!!! (dependency required by "app-cdr/cdbakeoven-2.0_beta2" [ebuild])
!!! Problem with ebuild app-cdr/cdbakeoven-2.0_beta2
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.

Does this imply everything with mpg123 as a dependency, if installed, will bork portage updates? Hmmm.

# emerge -s mpg123
Searching...
[ Results for search key : mpg123 ]
[ Applications found : 1 ]

* media-sound/mpg123 [ Masked ]
Latest version available: 0.59s
Latest version installed: 0.59s
Size of downloaded files: 239 kB
Homepage: http://www.mpg123.de/
Description: Real Time mp3 player

# emerge -s cdbakeoven
Searching...
[ Results for search key : cdbakeoven ]
[ Applications found : 1 ]

* app-cdr/cdbakeoven
Latest version available: 2.0_beta2
Latest version installed: 2.0_beta2
Size of downloaded files: 758 kB
Homepage: http://cdbakeoven.sourceforge.net/
Description: CDBakeOven, KDE CD Writing Software

It's not a huge issue for me, as Arson is my burner of choice, and I can live with -C'ing cdbakeoven. But if other packages do require mpg123...
For me it breaks kde.

emerge -vDup world
These are the packages that I would merge, in order:
Calculating world dependencies /
!!! all ebuilds that could satisfy ">=media-sound/mpg123-0.59r" have been masked.
!!! (dependency required by "kde-base/kdemultimedia-3.1.4-r1" [ebuild])
!!! Problem with ebuild kde-base/kdemultimedia-3.1.4-r1
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
For me it broke openquicktime.

# emerge -vDeuf world
Calculating world dependencies /
!!! all ebuilds that could satisfy "media-sound/mpg123" have been masked.
!!! (dependency required by "media-libs/openquicktime-1.0-r1" [ebuild])
!!! Problem with ebuild media-libs/openquicktime-1.0-r1
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
Solar and others, please test 0.59-r3 and 0.59s-r1; they should fix any potential security loopholes.
*** Bug 29974 has been marked as a duplicate of this bug. ***
Well I confirmed 0.59{r-r3,s-r1} compiles and plays my local media. I was never able to verify the exploit. Any votes for bumping to stable?
Temporarily removing mpg123 from dependencies revealed what depended on mpg123 on my system, one by one. (I'm sure there must be an easier way to check reverse deps.) Anyway, cdbakeoven, kdemultimedia, openquicktime, k3b were the installed packages on my system that depend on mpg123.

Regards,
I would suggest that it stay platform masked for at least a few days. If things are okay after the weekend I'll move 0.59r to stable.

Is this now unmasked?
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-17 was sent to gentoo-announce@gentoo.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com

All mpg123 package.masks have been lifted, changing resolution to FIXED.