Subject: Re: mpg123 buffer overflow vulnerability (fwd)
To: Georg Schwarz <geos@epost.de>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 09/09/2004 13:03:06

On Thu, 9 Sep 2004, Georg Schwarz wrote:

> A quick question: since mpg123 is part of pkgsrc, who is taking care of
> such fixes?
> I did not find it mentioned on the NetBSD security web pages.
>
>
> ----- Forwarded message from Davide Del Vecchio -----
>
> =======================================================
>  mpg123-0.59r buffer overflow vulnerability
> =======================================================
>
> Davide Del Vecchio Adv#10

The same message is at http://www.securityfocus.com/archive/1/374433

The NetBSD security webpages generally do not have information about
security issues with pkgsrc packages.

The fixes are done by the maintainer or by pkgsrc developers. Any pkgsrc
user is free to share fixes (patches) and suggestions too.

Pkgsrc does have a mechanism for notifying you about known security
issues. Please install the pkgsrc/security/audit-packages package and run
the download-vulnerability-list tool and then the audit-packages tool.

Anyways, the pkgsrc vulnerability list (retrieved using
download-vulnerability-list) indicates the same URL mentioned above. It
appears that the mpg123 packages in pkgsrc have been fixed.

 Jeremy C. Reed

 BSD News, BSD tutorials, BSD links
 http://www.bsdnewsletter.com/
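
A simplified sketch of the kind of matching an audit step performs between installed package names and the entries of a downloaded vulnerability list (an added example, not code from pkgsrc or from this message). The three-column list layout is an assumption; the package names, versions and example.invalid URLs are constructed, and the version comparison handles only dotted numbers with an optional nbN revision.

```python
import operator
import re

# Constructed sample: package pattern, type of issue, reference URL.
# Names, versions and URLs are made up for illustration.
SAMPLE_VULNS = """\
# package pattern      type                    URL
demoplayer<1.4nb2      remote-code-execution   http://www.example.invalid/adv/1
demolib>=2.0<2.3       denial-of-service       http://www.example.invalid/adv/2
"""
SAMPLE_INSTALLED = ["demoplayer-1.4nb1", "demolib-2.3", "demotool-0.9"]
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def version_key(version):
    """Simplified ordering: dotted numeric parts, then the nbN package revision."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", version)
    if not m:
        raise ValueError("unsupported version: " + version)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 2.0 the same as 2
        parts.pop()
    return tuple(parts), int(m.group(2) or 0)

def parse_pattern(pattern):
    """Split 'name>=1.0<2.0' into ('name', [('>=', '1.0'), ('<', '2.0')])."""
    m = re.fullmatch(r"([^<>]+)((?:[<>]=?[^<>=]+)+)", pattern)
    if not m:
        return None                            # other pattern forms are skipped here
    return m.group(1), re.findall(r"([<>]=?)([^<>=]+)", m.group(2))

def audit(vuln_text, installed):
    """Return (package, issue type, URL) for each installed package that matches."""
    findings = []
    for line in vuln_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 3:
            continue
        parsed = parse_pattern(fields[0])
        if parsed is None:
            continue
        name, constraints = parsed
        for pkg in installed:
            pkg_name, pkg_version = pkg.rsplit("-", 1)
            key = version_key(pkg_version)
            if pkg_name == name and all(OPS[op](key, version_key(v)) for op, v in constraints):
                findings.append((pkg, fields[1], fields[2]))
    return findings

if __name__ == "__main__":
    for pkg, kind, url in audit(SAMPLE_VULNS, SAMPLE_INSTALLED):
        print("Package %s has a %s vulnerability, see %s" % (pkg, kind, url))
```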