Bug 64776

Summary: VUL-0: CVE-2004-0982: verify mpg123 patches are sufficient
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: nadvornik
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0982: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: 103_all_CAN-2004-0982.patch

Description Ludwig Nussel 2005-01-12 20:55:36 UTC
Gentoo uses a more complicated patch for CAN-2004-0982. Verify that 
103_all_CAN-2004-0982.patch and mpg123-0.59s-http-auth-overflow.patch are the 
same.
Comment 1 Ludwig Nussel 2005-01-12 20:55:55 UTC
Created attachment 27591
103_all_CAN-2004-0982.patch
Comment 2 Sebastian Krahmer 2005-01-17 21:25:06 UTC
mpg123-0.59s-http-auth-overflow.patch is not sufficient as it seems.
At least the ' ' -> %20 encoding loop can still overflow.
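
Why a ' ' -> %20 encoding loop needs its own bound, as an added example that is not part of this bug report, either patch, or mpg123's source: each space grows to three bytes, so a buffer sized for the raw string is too small. The names `encode_spaces` and `encoded_size_bound` are hypothetical, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mpg123's code): copy src into dst, writing each
 * ' ' as "%20". Returns the encoded length, or (size_t)-1 if dst (dstsize
 * bytes, including the NUL) is too small. dst is NUL-terminated whenever
 * dstsize > 0, holding the part that fit. */
size_t encode_spaces(char *dst, size_t dstsize, const char *src)
{
    size_t o = 0;

    if (dstsize == 0)
        return (size_t)-1;

    for (; *src != '\0'; src++) {
        /* Check room for THIS character's expansion plus the final NUL
         * before writing; checking only the input length is not enough. */
        size_t need = (*src == ' ') ? 3 : 1;
        if (need >= dstsize - o) {
            dst[o] = '\0';
            return (size_t)-1;
        }
        if (*src == ' ')
            memcpy(dst + o, "%20", 3);
        else
            dst[o] = *src;
        o += need;
    }
    dst[o] = '\0';
    return o;
}

/* Worst case for sizing the destination: every input byte is a space. */
size_t encoded_size_bound(const char *src)
{
    return strlen(src) * 3 + 1;
}

int main(void)
{
    char small[8];                       /* big enough for the raw input only */
    const char *in = "a b c";            /* constructed sample input */
    size_t n = encode_spaces(small, sizeof small, in);
    printf("raw=%zu bound=%zu result=%s (%s)\n", strlen(in) + 1,
           encoded_size_bound(in), small, n == (size_t)-1 ? "truncated" : "ok");
    return 0;
}
```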
Comment 3 Vladimir Nadvornik 2005-01-19 22:59:01 UTC
I replaced the patch with the Gentoo one. 
 
Packages with fix for 49776 and 49775 are submitted. 
Comment 4 Thomas Biege 2005-01-21 19:41:09 UTC
Do we need patchinfo files or is it a stable-only fix? 
Comment 5 Vladimir Nadvornik 2005-01-21 19:47:31 UTC
I fixed it in all releases (8.1-9.2). Yes, the patchinfo is needed. 
Comment 6 Thomas Biege 2005-01-21 21:25:26 UTC
swamp id: 209 
Comment 7 Marcus Meissner 2005-01-25 22:46:23 UTC
updates released. 
Comment 8 Thomas Biege 2009-10-13 20:11:12 UTC
CVE-2004-0982: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)