Yellow Dog Linux Bugfix Advisory: YDU-20020522-5

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Wed, 22 May 2002 16:09:46 -0600 (MDT)


Yellow Dog Linux Bugfix Announcement
------------------------------------

Package:	mpg321	
Issue Date: 	May 22, 2002	
Priority:	medium		
Advisory ID: 	YDU-20020522-5


1. 	Topic:

	Updated mpg321 packages are available.


2. 	Problem:

	Updated mpg321 packages are available which fix
	a buffer overflow in the network streaming code as well as
	other bugs.

	"It is possible for mpg321 before version 0.2.9 to segfault if
	given certain specifically crafted data. In the case of network
	streaming, this data would be remotely supplied, which could lead
	to remote code execution.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0272 to this issue.

	It is recommended that users of mpg321 upgrade to these errata packages
	containing mpg321 version 0.2.10, which is not vulnerable to this
	issue."
	(from Red Hat advisory)


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

		yup update mpg321 

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below, followed by the rpm command that should be used to
   	install it.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
		rpm -Fvh libmad-0.14.2b-3.ppc.rpm mpg321-0.2.9-2.5.ppc.rpm 

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
fbbd7301d9ce23345fc64d2ccedd94dc  ppc/libmad-0.14.2b-3.ppc.rpm
52f34adc0a6a7182055fa00cfafed623  ppc/mpg321-0.2.9-2.5.ppc.rpm
066b3447d4bde11da921f7565f169d65  SRPMS/libmad-0.14.2b-3.src.rpm
b867cb4f128bf29e28fe00ec3666b869  SRPMS/mpg321-0.2.9-2.5.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
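
The rpm command above checks the digest stored inside each package; comparing a download against the table in this advisory is a separate step. The script below is an added example, not part of the original advisory or of yup: it reads the "MD5 checksum / Package" rows from a saved copy of the advisory and compares them with files in a local directory. The function name verify_advisory and its arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: check downloaded packages against the "MD5 checksum / Package"
# table of an advisory saved as plain text.
# verify_advisory is a name chosen for this sketch (assumption).
#
# usage: verify_advisory ADVISORY_FILE PACKAGE_DIR
# returns 0 if every listed package found in PACKAGE_DIR matches the table,
#         1 if any found package has a different MD5,
#         2 if the table or all listed packages are missing.
verify_advisory() {
    advisory=$1
    pkgdir=$2
    checked=0
    bad=0

    # Table rows: 32 lowercase hex digits, whitespace, relative package path.
    rows=$(grep -E '^[[:space:]]*[0-9a-f]{32}[[:space:]]+[^[:space:]]+[[:space:]]*$' "$advisory") || return 2

    # Here-document keeps the loop in the current shell so counters survive.
    while read -r want path; do
        name=${path##*/}                # drop the ppc/ or SRPMS/ prefix
        if [ ! -f "$pkgdir/$name" ]; then
            echo "MISSING   $name"
            continue
        fi
        have=$(md5sum < "$pkgdir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$have" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (advisory $want, file $have)"
            bad=$((bad + 1))
        fi
    done <<EOF
$rows
EOF

    [ "$bad" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2
    return 0
}

# Stand-alone use: sh script.sh advisory.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_advisory "$1" "$2"
fi
```

A listed package that was not downloaded (for example the SRPMS) is reported as MISSING but does not fail the run; any MISMATCH does.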


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml