Bug 62474 (CVE-2004-0982)

Summary: VUL-0: CVE-2004-0982 : mpg123 buffer overflow while parsing HTTP URLs
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: nadvornik, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Attachments: mpg123-0.59s-http-auth-overflow.patch

Description Thomas Biege 2004-10-21 15:19:50 UTC
Hello Vladimir, 
please have a look at: 
http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt
Comment 1 Thomas Biege 2004-10-21 15:19:50 UTC
mpg123 -@ http://$(perl -e 'print "A" x 260')@www.somesite.com/somefile.xxx
Comment 2 Vladimir Nadvornik 2004-10-22 18:33:23 UTC
Created attachment 25313
mpg123-0.59s-http-auth-overflow.patch

This patch should fix it.
Is it OK?
Comment 3 Thomas Biege 2004-10-22 18:52:12 UTC
Yes, looks good. 
 
I think it stops the test case mentioned above, did you test? 
Comment 4 Vladimir Nadvornik 2004-10-22 19:32:12 UTC
Yes, this is tested. 
Comment 5 Vladimir Nadvornik 2004-10-22 20:54:40 UTC
Packages are submitted for 8.1-9.2 
Can you please submit patchinfos? 
Comment 6 Thomas Biege 2004-10-25 20:48:01 UTC
The second bug wasn't fixed, right? 
... 
  sprintf (request + strlen(request), 
     " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", 
     prgName, prgVersion); 
... 
Comment 7 Thomas Biege 2004-10-25 21:01:29 UTC
patchinfo files done. 
Comment 8 Michael Schröder 2004-10-27 18:29:35 UTC
Hmm, status of the "second bug fix"?
Comment 9 Michael Schröder 2004-10-29 18:45:45 UTC
Hello?
Comment 10 Marcus Meissner 2004-10-29 19:41:05 UTC
patch incomplete, see comment #c6 
Comment 11 Thomas Biege 2004-10-29 19:43:43 UTC
I think it's missing the patch... Vladimir? 
Comment 12 Vladimir Nadvornik 2004-11-01 20:20:04 UTC
Sorry for the delay. 
 
I think this patch is sufficient, isn't it? 
 
                sprintf (request + strlen(request),  
                        " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",  
-                       prgName, prgVersion);  
+                       "mpg123", prgVersion);  
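
Review bot: the sprintf at request + strlen(request) is still unbounded after this change. Replacing prgName with the literal "mpg123" removes one variable-length argument, but nothing in the hunk checks how much room is left in request, and prgVersion is still formatted with %s. Consider snprintf with the remaining size of request and a check of its return value for truncation; that would bound the write regardless of the arguments and would allow prgName to stay in the User-Agent header.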
 
Comment 13 Thomas Biege 2004-11-02 16:25:11 UTC
No problem. 
 
Yes it's ok. 
 
Another way of doing it would be: 
snprintf(request + strlen(request), sizeof(request) - strlen(request),
         " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion);
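
The bounded append suggested in comment 13, as an added example that is not part of this bug thread or of the mpg123 source: snprintf alone truncates silently, so the code below also checks the return value and rolls the buffer back on overflow. The helper names, the `GET %s` prefix and the 64-byte buffer are assumptions made for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not mpg123 code: append formatted text to the
 * NUL-terminated string in buf (total capacity cap bytes).
 * Returns 0 on success, -1 if the text did not fit. On failure buf is
 * restored, so a half-written header is never left in the request. */
static int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', cap);
    size_t used, room;
    va_list ap;
    int n;

    if (end == NULL)                 /* no terminator inside cap */
        return -1;
    used = (size_t)(end - buf);
    room = cap - used;               /* always >= 1 here */
    va_start(ap, fmt);
    n = vsnprintf(buf + used, room, fmt, ap);
    va_end(ap);
    /* vsnprintf returns the length it needed; >= room means truncation */
    if (n < 0 || (size_t)n >= room) {
        buf[used] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed request builder; name/version stand in for prgName and
 * prgVersion, and the "GET %s" prefix is an assumption for the demo. */
static int build_request(char *out, size_t cap, const char *path,
                         const char *name, const char *version)
{
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (append_fmt(out, cap, "GET %s", path) != 0)
        return -1;
    return append_fmt(out, cap, " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
                      name, version);
}

int main(void)
{
    char req[64];                    /* constructed: small on purpose */
    printf("%d\n", build_request(req, sizeof req, "/a.mp3", "mpg123", "0.59s"));
    return 0;
}
```

A caller that gets -1 should abort the request rather than send the partial buffer.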
Comment 14 Vladimir Nadvornik 2004-11-02 18:14:55 UTC
Package submitted 
Comment 15 Ludwig Nussel 2004-11-03 22:49:35 UTC
CAN-2004-0982 
Comment 16 Thomas Biege 2004-11-03 23:26:57 UTC
packages approved