emacs-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47194: closed ([PATCH] gnu: mpg321: Fix CVE-2019-14247.)

From: GNU bug Tracking System
Subject: bug#47194: closed ([PATCH] gnu: mpg321: Fix CVE-2019-14247.)
Date: Tue, 16 Mar 2021 18:17:02 +0000 
Your message dated Tue, 16 Mar 2021 19:16:07 +0100
with message-id <5f1f710d4020009be998e32f10abef192385c27d.camel@zaclys.net>
and subject line Re: [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247.
has caused the debbugs.gnu.org bug report #47194,
regarding [PATCH] gnu: mpg321: Fix CVE-2019-14247.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47194: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47194
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message --- Subject: [PATCH] gnu: mpg321: Fix CVE-2019-14247. Date: Tue, 16 Mar 2021 12:03:12 -0400 
* gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/mp3.scm (mpg321)[source]: Apply it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/mp3.scm                          |  4 +++-
 .../patches/mpg321-CVE-2019-14247.patch       | 23 +++++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mpg321-CVE-2019-14247.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index cf8849cf59..abb1e2140d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1404,6 +1404,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/mit-krb5-hurd.patch                     \
   %D%/packages/patches/mit-krb5-qualify-short-hostnames.patch  \
   %D%/packages/patches/mpc123-initialize-ao.patch              \
+  %D%/packages/patches/mpg321-CVE-2019-14247.patch             \
   %D%/packages/patches/module-init-tools-moduledir.patch       \
   %D%/packages/patches/monero-use-system-miniupnpc.patch                       
\
   %D%/packages/patches/mono-mdoc-timestamping.patch            \
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 34390d3696..dba3e17558 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -408,7 +408,9 @@ command-line tool as well as a C library, libmpg123.")
                                  version "/mpg321-" version ".tar.gz"))
              (sha256
               (base32
-               "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))))
+               "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"))
+             (patches
+              (search-patches "mpg321-CVE-2019-14247.patch"))))
     (build-system gnu-build-system)
     (arguments '(#:configure-flags '("--disable-alsa")))
     (inputs
diff --git a/gnu/packages/patches/mpg321-CVE-2019-14247.patch 
b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
new file mode 100644
index 0000000000..03afaccc67
--- /dev/null
+++ b/gnu/packages/patches/mpg321-CVE-2019-14247.patch
@@ -0,0 +1,23 @@
+This patch was downloaded from https://sourceforge.net/p/mpg321/bugs/51/ and
+fixes CVE-2019-14247.
+
+Description: Handle illegal bitrate value
+Author: Chrysostomos Nanakos <cnanakos@debian.org>
+Bug-Debian: https://bugs.debian.org/870406
+Bug-Debian: https://bugs.debian.org/887057
+
+--- mpg321-0.3.2.orig/mad.c
++++ mpg321-0.3.2/mad.c
+@@ -574,6 +574,12 @@ void scan(void const *ptr, ssize_t len,
+ 
+     if (!is_vbr)
+     {
++      if (header.bitrate <= 0)                                                
++        {                                                                     
  
++            fprintf(stderr, "Illegal bit allocation value\n");                
                                                              
++            return;                                                           
  
++        }    
++
+         double time = (len * 8.0) / (header.bitrate); /* time in seconds */
+         double timefrac = (double)time - ((long)(time));
+         long nsamples = 32 * MAD_NSBSAMPLES(&header); /* samples per frame */
-- 
2.30.1

--- End Message ---
--- Begin Message --- Subject: Re: [bug#47194] [PATCH] gnu: mpg321: Fix CVE-2019-14247. Date: Tue, 16 Mar 2021 19:16:07 +0100 User-agent: Evolution 3.34.2 
Pushed as 109f58444beecd1b9b7c502f2a687a6b91c62dc0

Thanks

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
reply via email to
[Prev in Thread] Current Thread [Next in Thread]