Summary: | media-sound/mpg123-0.59s-r9 heap overflow | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Horst Schirmeier <gentoo> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | normal | CC: | eradicator, tcort | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | x86 | ||||||||
OS: | Linux | ||||||||
Whiteboard: | B2 [glsa] DerCorny | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Attachments: |
|
Description
Horst Schirmeier
2006-05-21 18:01:21 UTC
Created attachment 87220 [details, diff]
103_all_CAN-2004-0982-NEW.patch
replacement for 103_all_CAN-2004-0982.patch
Created attachment 87221 [details, diff]
separate patch on top of 103_all_CAN-2004-0982.patch
this is what I changed on top of 103_all_CAN-2004-0982.patch
*** Bug 133987 has been marked as a duplicate of this bug. *** eradicator please have a look ... An easy way to reproduce the overflow: ( echo -ne "HTTP/1.1 302 Found\r\nLocation: " echo -ne "http://fooooooooooooooooooooooooooooooooooooooooooooooooo/\r\n\r\n" )\ | nc -lp 8080 & mpg123 http://localhost:8080/ My report is 16 days old now; eradicator does not seem to be interested at all. Would anyone else mind to review this report? The problem description is quite detailed, my patch is trivial, it only needs to be committed. Gentoo should not be the only distribution out there with (another) possible mpg123 vulnerability. (This bug was _introduced_ by a Gentoo patch.) Sorry, I missed this when I was originally CC'd. I'll get to it today. Ok, all ready to commit... just waiting for the patch tarball to hit mirrors. Thanks :) No offense, btw. (comment #6). I just hadn't heard anything from you... No worries. The tarball is on mirrors, and I've marked the ebuild is marked stable on amd64 and sparc. Works fine for me on ~x86. Non-{amd64,sparc} stable is still vulnerable, though. Arches, please test 0.59s-r11 and mark stable if possible, thank you opening stable on ppc64 x86 done ~_~ ppc-macos done alpha stable. Stable on hppa ppc stable GLSA 200607-01 mips and ia64 don't forget to mark stable to benifit from the GLSA. -r11 stable on mips. |