Yellow Dog Linux Bugfix Advisory: YDU-20020522-5
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Wed, 22 May 2002 16:09:46 -0600 (MDT)
Yellow Dog Linux Bugfix Announcement
------------------------------------
Package: mpg321
Issue Date: May 22, 2002
Priority: medium
Advisory ID: YDU-20020522-5
1. Topic:
Updated mpg321 packages are available.
2. Problem:
Updated mpg321 packages are available which fix
a buffer overflow in the network streaming code as well as
other bugs.
"It is possible for mpg321 before version 0.2.9 to segfault if
given certain specifically crafted data. In the case of network
streaming, this data would be remotely supplied, which could lead
to remote code execution.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0272 to this issue.
It is recommended that users of mpg321 upgrade to these errata packages
containing mpg321 version 0.2.10, which is not vulnerable to this
issue."
(from Red Hat advisory)
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command(s) will
automatically retrieve and install the fixed version of
this update onto your system:
yup update mpg321
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update. (Please use a mirror site)
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
rpm -Fvh libmad-0.14.2b-3.ppc.rpm mpg321-0.2.9-2.5.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
fbbd7301d9ce23345fc64d2ccedd94dc ppc/libmad-0.14.2b-3.ppc.rpm
52f34adc0a6a7182055fa00cfafed623 ppc/mpg321-0.2.9-2.5.ppc.rpm
066b3447d4bde11da921f7565f169d65 SRPMS/libmad-0.14.2b-3.src.rpm
b867cb4f128bf29e28fe00ec3666b869 SRPMS/mpg321-0.2.9-2.5.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
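An added example, not part of the original advisory: a shell function that compares downloaded packages against the MD5 table above. `rpm --checksig --nogpg` only checks the digest stored inside each package, so matching against the advisory's published values is a separate step. The function name `verify_advisory_md5` is hypothetical; it assumes `md5sum` is installed and that the table has been saved to a text file.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the advisory).
# Usage: verify_advisory_md5 MANIFEST DIR
#   MANIFEST: text file with lines "<32-hex md5> <path>", as in section 4.
#   DIR:      directory holding the downloaded files (matched by basename).
# Prints one status line per listed package. Returns 0 only if at least
# one file was checked and none mismatched (an empty or garbled manifest
# therefore fails instead of passing silently).
verify_advisory_md5() {
    manifest=$1
    dir=$2
    checked=0
    bad=0
    while read -r sum path rest || [ -n "$sum" ]; do
        # Skip the header, the dashed separator and any non-MD5 line.
        case $sum in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}          # "ppc/foo.rpm" -> "foo.rpm"
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"  # not downloaded, e.g. the SRPMS
            continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        expected=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}
```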
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml