Bug 62474 (CVE-2004-0982) - VUL-0: CVE-2004-0982 : mpg123 buffer overflow while parsing HTTP URLs
Summary: VUL-0: CVE-2004-0982 : mpg123 buffer overflow while parsing HTTP URLs
Status: RESOLVED FIXED
Alias: CVE-2004-0982
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-21 15:19 UTC by Thomas Biege
Modified: 2020-08-05 17:57 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
mpg123-0.59s-http-auth-overflow.patch (1.47 KB, text/x-diff)
2004-10-22 18:33 UTC, Vladimir Nadvornik 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2004-10-21 15:19:50 UTC 
Hello Vladimir, 
please have a look at: 
http://www.barrossecurity.com/advisories/
mpg123_getauthfromurl_bof_advisory.txt
Comment 1 Thomas Biege 2004-10-21 15:19:50 UTC 
<!-- SBZ_reproduce  -->
mpg123 -@ http://$(perl -e 'print "A" x 260')@www.somesite.com/somefile.xxx
Comment 2 Vladimir Nadvornik 2004-10-22 18:33:23 UTC 
Created attachment 25313 [details]
mpg123-0.59s-http-auth-overflow.patch

This patch should fix it.
Is it OK?
Comment 3 Thomas Biege 2004-10-22 18:52:12 UTC 
Yes, looks good. 
 
I think it stops the test case mentioned above, did you test?
Comment 4 Vladimir Nadvornik 2004-10-22 19:32:12 UTC 
Yes, this is tested.
Comment 5 Vladimir Nadvornik 2004-10-22 20:54:40 UTC 
Packages are submited for 8.1-9.2 
Can you please submit patchinfos?
Comment 6 Thomas Biege 2004-10-25 20:48:01 UTC 
The second bug wasn't fixed, right? 
... 
  sprintf (request + strlen(request), 
     " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", 
     prgName, prgVersion); 
...
Comment 7 Thomas Biege 2004-10-25 21:01:29 UTC 
patchinfo files done.
Comment 8 Michael Schröder 2004-10-27 18:29:35 UTC 
Hmm, status of the "second bug fix"?
Comment 9 Michael Schröder 2004-10-29 18:45:45 UTC 
Hello?
Comment 10 Marcus Meissner 2004-10-29 19:41:05 UTC 
patch incomplete, see comment #c6
Comment 11 Thomas Biege 2004-10-29 19:43:43 UTC 
I think it's missing the patch... Vladimir?
Comment 12 Vladimir Nadvornik 2004-11-01 20:20:04 UTC 
Sorry for the delay. 
 
I think this patch is sufficient, isn't it? 
 
                sprintf (request + strlen(request),  
                        " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",  
-                       prgName, prgVersion);  
+                       "mpg123", prgVersion);
Comment 13 Thomas Biege 2004-11-02 16:25:11 UTC 
No problem. 
 
Yes it's ok. 
 
Another way of doing it would be: 
snprintf(request + strlen(request), sizeof(request)-strlen(request), " 
HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion)
Comment 14 Vladimir Nadvornik 2004-11-02 18:14:55 UTC 
Package submitted
Comment 15 Ludwig Nussel 2004-11-03 22:49:35 UTC 
CAN-2004-0982
Comment 16 Thomas Biege 2004-11-03 23:26:57 UTC 
packages approved