Bug 64776 - VUL-0: CVE-2004-0982: verify mpg123 patches are sufficient
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVE-2004-0982: CVSS v2 Base Score: 10...
Reported: 2005-01-12 20:55 UTC by Ludwig Nussel
Modified: 2021-10-19 14:04 UTC

Attachments
103_all_CAN-2004-0982.patch (6.76 KB, patch)
2005-01-12 20:55 UTC, Ludwig Nussel
Description Ludwig Nussel 2005-01-12 20:55:36 UTC
Gentoo uses a more complicated patch for CAN-2004-0982. Verify that
103_all_CAN-2004-0982.patch and mpg123-0.59s-http-auth-overflow.patch are the
same.
Comment 1 Ludwig Nussel 2005-01-12 20:55:55 UTC
Created attachment 27591
103_all_CAN-2004-0982.patch
Comment 2 Sebastian Krahmer 2005-01-17 21:25:06 UTC
mpg123-0.59s-http-auth-overflow.patch is not sufficient as it seems.
At least the ' ' -> %20 encoding loop can still overflow.
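
The overflow class named in comment 2, shown as an added example that is not mpg123 code and is not taken from either patch: replacing ' ' with "%20" triples each space, so a destination sized for the raw string can be overrun unless every write is checked. The names `encoded_len` and `encode_spaces` are hypothetical, and the sample URL is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes needed for the encoded string, excluding the NUL: 3 per space. */
size_t encoded_len(const char *src)
{
    size_t n = 0;
    for (; *src; src++)
        n += (*src == ' ') ? 3 : 1;
    return n;
}

/* Copy src to dst, writing "%20" for each ' '. dstlen counts the NUL.
 * Returns bytes written (excluding the NUL) or -1 if dst is too small.
 * The room check runs before every write, so the 3-byte expansion
 * cannot pass the end of dst as it can in an unchecked loop. */
long encode_spaces(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        size_t need = (*src == ' ') ? 3 : 1;
        if (need >= dstlen - o) {      /* always keep one byte for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (*src == ' ') {
            dst[o++] = '%'; dst[o++] = '2'; dst[o++] = '0';
        } else {
            dst[o++] = *src;
        }
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    const char *url = "http://example.invalid/my song.mp3"; /* constructed */
    char buf[64];
    long n = encode_spaces(url, buf, sizeof buf);
    printf("raw %zu, encoded %zu: %s\n", strlen(url), encoded_len(url),
           n >= 0 ? buf : "(too small)");
    return 0;
}
```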
Comment 3 Vladimir Nadvornik 2005-01-19 22:59:01 UTC
I replaced the patch with the Gentoo one.

Packages with fix for 49776 and 49775 are submitted.
Comment 4 Thomas Biege 2005-01-21 19:41:09 UTC
Do we need patchinfo files or is it a stable-only fix? 
Comment 5 Vladimir Nadvornik 2005-01-21 19:47:31 UTC
I fixed it in all releases (8.1-9.2). Yes, the patchinfo is needed. 
Comment 6 Thomas Biege 2005-01-21 21:25:26 UTC
swamp id: 209 
Comment 7 Marcus Meissner 2005-01-25 22:46:23 UTC
Updates released.
Comment 8 Thomas Biege 2009-10-13 20:11:12 UTC
CVE-2004-0982: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)