Date: Wed, 08 Sep 2004 21:56:43 +0400
From: Roman Bogorodskiy
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: portmgr@FreeBSD.org
Subject: ports/71499: [ security ] audio/mpg123: allows code execution with user privilege

>Number: 71499
>Category: ports
>Synopsis: [ security ] audio/mpg123: allows code execution with user privilege
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 08 18:00:42 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Roman Bogorodskiy
>Release: FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Sun Sep 5 16:56:41 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386
>Description:
http://www.alighieri.org/advisories/advisory-mpg123.txt

Cite:
"A malicious formatted mp3/2 causes mpg123 to fail header checks, this may allow arbitrary code to be executed with the privilege of the user trying to play the mp3. For more informations read and understand the patch."

Added files: patch-layer2.c

PS I don't really think somebody runs mpg123 under root, nevertheless it's better to get this bug fixed.
>How-To-Repeat:
>Fix:
diff -ruN mpg123.orig/files/patch-layer2.c mpg123/files/patch-layer2.c --- mpg123.orig/files/patch-layer2.c Thu Jan 1 03:00:00 1970 +++ mpg123/files/patch-layer2.c Wed Sep 8 21:44:53 2004 
@@ -0,0 +1,14 @@ +diff -u -r1.1.1.1 layer2.c +--- layer2.c 1999/02/10 12:13:06 1.1.1.1 ++++ layer2.c 2004/09/02 21:43:58 +@@ -265,6 +265,11 @@ + fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ? + (fr->mode_ext<<2)+4 : fr->II_sblimit; + ++ if (fr->jsbound > fr->II_sblimit) { ++ fprintf(stderr, "Truncating stereo boundary to sideband limit.\n"); ++ fr->jsbound=fr->II_sblimit; ++ } ++ + if(stereo == 1 || single == 3) + single = 0; >Release-Note: >Audit-Trail: >Unformatted:
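Review bot: In the added "if (fr->jsbound > fr->II_sblimit)" block of the layer2.c hunk, the fprintf to stderr runs every time an out-of-range jsbound is seen, so a file that repeats the bad header can flood the terminal; consider warning only once, or clamping without a message. The text says "sideband limit" while the value it clamps to is fr->II_sblimit, so "subband limit" would match the code. The added lines also use "if (" and "fr->jsbound=fr->II_sblimit;" where the context line below uses "if(", so the spacing could follow the file's style. The port diff shown adds only files/patch-layer2.c; for a security fix, a PORTREVISION bump in the port Makefile belongs in the same change so that installed copies are rebuilt.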