diff -u mpg123-0.67/debian/changelog mpg123-0.67/debian/changelog
--- mpg123-0.67/debian/changelog
+++ mpg123-0.67/debian/changelog
@@ -1,3 +1,15 @@
+mpg123 (0.67-1ubuntu0.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: Integer signedness error in the store_id3_text function
+ in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
+ a denial of service (out-of-bounds memory access) and possibly execute
+ arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
+ - src/id3.c: Inline patch from upstream SVN rev 1920.
+ - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
+ - CVE-2009-1301
+
+ -- Stefan Lesicnik Fri, 01 May 2009 09:37:03 +0200
+
 mpg123 (0.67-1) unstable; urgency=low
 * New upsteam version.
only in patch2:
unchanged:
--- mpg123-0.67.orig/src/id3.c
+++ mpg123-0.67/src/id3.c
@@ -75,21 +75,21 @@
 void store_id3_text(struct stringbuf* sb, char* source, size_t source_size)
 {
 size_t pos = 1; /* skipping the encoding */
- int encoding;
+ unsigned int encoding;
 int bwidth;
 if(! source_size) return;
- encoding = source[0];
- debug1("encoding: %i\n", encoding);
+ encoding = (unsigned int) source[0];
+ debug1("encoding: %u\n", encoding);
 if(encoding > 3)
 {
- warning1("Unknown text encoding %d, assuming ISO8859-1 - I will probably screw a bit up!", encoding);
+ warning1("Unknown text encoding %u, assuming ISO8859-1 - I will probably screw a bit up!", encoding);
 encoding = 0;
 }
 bwidth = encoding_widths[encoding];
 if((source_size-1) % bwidth)
 { /* Uh. (BTW, the -1 is for the encoding byte.) */
- warning2("Weird tag size %d for encoding %d - I will probably trim too early or something but I think the MP3 is broken.", (int)source_size, encoding);
+ warning2("Weird tag size %d for encoding %u - I will probably trim too early or something but I think the MP3 is broken.", (int)source_size, encoding);
 source_size -= (source_size-1) % bwidth;
 }
 /*
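Review bot: The new `encoding = (unsigned int) source[0];` converts through plain `char`, so where `char` is signed a tag byte of 0x80 or above is sign-extended first and becomes a value far above 255; the `encoding > 3` guard still rejects it before `encoding_widths[encoding]` is indexed, but the `%u` in `warning1` then reports a number that is not the byte found in the tag. Casting through `unsigned char` keeps the value in 0–255 and states the intent directly: `encoding = (unsigned char) source[0];`. A short comment on the declaration, such as `/* unsigned: used as an index into encoding_widths */`, would help keep a later edit from reintroducing the signed type. The body of store_id3_text continues past the end of the hunk.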