
stable update for mpg123.



Hi!

mpg123 made use of a feature in libltdl3 that was removed to fix CVE-2009-3736.
As a result, mpg123 in stable can no longer load any output plugins. I'd like
to ask for approval of an upload to stable (debdiff attached) to fix this
regression.

Regards,

Daniel.
diff -u mpg123-1.4.3/debian/changelog mpg123-1.4.3/debian/changelog
--- mpg123-1.4.3/debian/changelog
+++ mpg123-1.4.3/debian/changelog
@@ -1,3 +1,11 @@
+mpg123 (1.4.3-4lenny1) stable; urgency=medium
+
+  * src/module.c: Backport upstream patch to fix regression in module
+    loading when a libltdl with a fix for CVE-2009-3736 is in place.
+    Closes: #572920
+
+ -- Daniel Kobras <kobras@debian.org>  Mon, 29 Mar 2010 11:56:52 +0200
+
 mpg123 (1.4.3-4) unstable; urgency=medium
 
   * src/wav.c: Backport upstream patch for writing WAV output to stdout
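Review bot: the new changelog entry names the file and the symptom but not the change itself. A reader of the stable upload cannot tell from "fix regression in module loading" that the module path is now opened as "./<type>_<name><suffix>". Suggest adding one line saying that the module is opened via an explicit "./" path, and naming the upstream revision the backport comes from if it is known.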
only in patch2:
unchanged:
--- mpg123-1.4.3.orig/src/module.c
+++ mpg123-1.4.3/src/module.c
@@ -93,13 +93,14 @@
 
 	chdir(moddir);
 	/* Work out the path of the module to open */
-	module_path_len = strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1;
+	/* Note that we need to open ./file, not just file! */
+	module_path_len = 2 + strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1;
 	module_path = malloc( module_path_len );
 	if (module_path == NULL) {
 		error1( "Failed to allocate memory for module name: %s", strerror(errno) );
 		goto om_bad;
 	}
-	snprintf( module_path, module_path_len, "%s_%s%s", type, name, MODULE_FILE_SUFFIX );
+	snprintf( module_path, module_path_len, "./%s_%s%s", type, name, MODULE_FILE_SUFFIX );
 	/* Display the path of the module created */
 	debug1( "Module path: %s", module_path );
 
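Review bot: the unchecked "chdir(moddir);" in the context at the top of this hunk becomes load-bearing, because the new "./%s_%s%s" path is resolved against the current working directory. If chdir fails, the module is looked up in whatever directory mpg123 was started from instead of in moddir. Suggest testing the return value and jumping to om_bad on failure, or building the path from moddir directly. The length arithmetic is correct (2 for "./", 1 for "_", 1 for the terminator), but the new comment says what is done and not why. A short mention that a libltdl fixed for CVE-2009-3736 requires the explicit "./" would keep the prefix from being removed later as redundant.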
