ports/71499: [ security ] audio/mpg123: allows code execution with user privilege
Roman Bogorodskiy
bogorodskiy at inbox.ru
Wed Sep 8 18:00:43 UTC 2004
>Number: 71499
>Category: ports
>Synopsis: [ security ] audio/mpg123: allows code execution with user privilege
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 08 18:00:42 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Roman Bogorodskiy
>Release: FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Sun Sep 5 16:56:41 MSD 2004 root at lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386
>Description:
http://www.alighieri.org/advisories/advisory-mpg123.txt
Cite:
"A malicious formatted mp3/2 causes mpg123 to fail header
checks, this may allow arbitrary code to be executed with the
privilege of the user trying to play the mp3. For more informations
read and understand the patch."
Added files: patch-layer2.c
PS I don't really think somebody runs mpg123 under root, nevertheless
it's better to get this bug fixed.
>How-To-Repeat:
>Fix:
diff -ruN mpg123.orig/files/patch-layer2.c mpg123/files/patch-layer2.c
--- mpg123.orig/files/patch-layer2.c Thu Jan 1 03:00:00 1970
+++ mpg123/files/patch-layer2.c Wed Sep 8 21:44:53 2004
@@ -0,0 +1,14 @@
+diff -u -r1.1.1.1 layer2.c
+--- layer2.c 1999/02/10 12:13:06 1.1.1.1
++++ layer2.c 2004/09/02 21:43:58
+@@ -265,6 +265,11 @@
+ fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+ (fr->mode_ext<<2)+4 : fr->II_sblimit;
+
++ if (fr->jsbound > fr->II_sblimit) {
++ fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++ fr->jsbound=fr->II_sblimit;
++ }
++
+ if(stereo == 1 || single == 3)
+ single = 0;
>Release-Note:
>Audit-Trail:
>Unformatted: