Date:      Wed, 08 Sep 2004 21:56:43 +0400
From:      Roman Bogorodskiy <bogorodskiy@inbox.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        portmgr@FreeBSD.org
Subject:   ports/71499: [ security ] audio/mpg123: allows code execution with user privilege
Message-ID:  <E1C56gU-000Ja9-00.bogorodskiy-inbox-ru@mx1.mail.ru>
Resent-Message-ID: <200409081800.i88I0gW1020992@freefall.freebsd.org>


>Number:         71499
>Category:       ports
>Synopsis:       [ security ] audio/mpg123: allows code execution with user privilege
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 18:00:42 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Roman Bogorodskiy
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Sun Sep 5 16:56:41 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386


>Description:
	http://www.alighieri.org/advisories/advisory-mpg123.txt

	Cite: 
		"A malicious formatted mp3/2 causes mpg123 to fail header 
	checks, this may allow arbitrary code to be executed with the 
	privilege of the user trying to play the mp3. For more information 
	read and understand the patch."

	Added files: patch-layer2.c

	PS I don't really think somebody runs mpg123 under root, nevertheless
	it's better to get this bug fixed. 
	
>How-To-Repeat:
>Fix:

diff -ruN mpg123.orig/files/patch-layer2.c mpg123/files/patch-layer2.c
--- mpg123.orig/files/patch-layer2.c	Thu Jan  1 03:00:00 1970
+++ mpg123/files/patch-layer2.c	Wed Sep  8 21:44:53 2004
@@ -0,0 +1,14 @@
+diff -u -r1.1.1.1 layer2.c
+--- layer2.c	1999/02/10 12:13:06	1.1.1.1
++++ layer2.c	2004/09/02 21:43:58
+@@ -265,6 +265,11 @@
+   fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
+      (fr->mode_ext<<2)+4 : fr->II_sblimit;
+ 
++  if (fr->jsbound > fr->II_sblimit) {
++	  fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
++	  fr->jsbound=fr->II_sblimit;
++  }
++  
+   if(stereo == 1 || single == 3)
+     single = 0;
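Review bot: the embedded hunk header `@@ -265,6 +265,11 @@` promises 6 old / 11 new lines, but only 5 context lines and 5 added lines follow (5/10), so one trailing context line after `single = 0;` is missing; patch(1) will treat the hunk as malformed when the ports framework applies files/patch-layer2.c, so regenerate the file with the full context. On the fix itself, the added block clamps `fr->jsbound` to `fr->II_sblimit` and keeps decoding after the warning; since `jsbound` is computed as `(fr->mode_ext<<2)+4` from header bits, this is a sane lower bound check, but a short comment in the patch explaining why the clamp is needed would help future maintainers.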
>Release-Note:
>Audit-Trail:
>Unformatted:
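The header check the patch adds, shown as an added stand-alone C example (not code from the PR or from mpg123): it extracts mode and mode_ext from a constructed 4-byte MPEG audio frame header, computes jsbound the unchecked way, and applies the clamp. The sblimit value 8 is an assumed table value used for illustration, and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* Channel-mode values as encoded in bits 7..6 of the 4th header byte. */
#define MPG_MD_STEREO       0
#define MPG_MD_JOINT_STEREO 1
#define MPG_MD_DUAL_CHANNEL 2
#define MPG_MD_MONO         3

struct layer2_frame {        /* hypothetical subset of the decoder's frame state */
    int mode;                /* channel mode, 2 header bits */
    int mode_ext;            /* mode extension, 2 header bits */
    int II_sblimit;          /* subband limit chosen from the bit-allocation table */
    int jsbound;             /* first subband coded as intensity stereo */
};

/* Pull the two attacker-controlled fields out of a raw 4-byte frame header. */
static void parse_mode_fields(const uint8_t hdr[4], struct layer2_frame *fr)
{
    fr->mode     = (hdr[3] >> 6) & 0x3;
    fr->mode_ext = (hdr[3] >> 4) & 0x3;
}

/* Unchecked computation as in the original code: up to (3<<2)+4 = 16, regardless of sblimit. */
static int jsbound_unchecked(const struct layer2_frame *fr)
{
    return (fr->mode == MPG_MD_JOINT_STEREO) ? (fr->mode_ext << 2) + 4
                                              : fr->II_sblimit;
}

/* Patched behaviour: clamp jsbound to the subband limit. Returns 1 if truncation was needed. */
static int jsbound_checked(struct layer2_frame *fr)
{
    fr->jsbound = jsbound_unchecked(fr);
    if (fr->jsbound > fr->II_sblimit) {
        fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
        fr->jsbound = fr->II_sblimit;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed header: sync, MPEG-1 layer II, last byte 0x70 = joint stereo with mode_ext 3. */
    uint8_t hdr[4] = { 0xFF, 0xFD, 0x10, 0x70 };
    struct layer2_frame fr = { 0, 0, 8, 0 };   /* assumed sblimit of 8 for this example */
    parse_mode_fields(hdr, &fr);
    printf("mode=%d mode_ext=%d unchecked jsbound=%d\n", fr.mode, fr.mode_ext, jsbound_unchecked(&fr));
    int truncated = jsbound_checked(&fr);
    printf("checked jsbound=%d truncated=%d\n", fr.jsbound, truncated);
    return 0;
}
```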