| Summary: | mpg123 new buffer overflow security issue fixed upstream in 1.18.0 (CVE-2014-9497) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | olivier.delaune, rverschelde, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/586336/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | mpg123-1.16.0-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-02-01 20:24:15 CET
David Walser
2014-02-01 20:24:26 CET
Whiteboard:
(none) =>
MGA4TOO
David Walser
2014-02-05 20:10:04 CET
Whiteboard:
MGA4TOO =>
MGA4TOO, MGA3TOO Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated mpg123 packages fix security vulnerability: mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow a maliciously crafted audio file to crash applications that use the libmpg123 library. mpg123 has been updated to version 1.18.0, which fixes this issue, as well as several others. References: http://mpg123.org/cgi-bin/news.cgi ======================== Updated packages in core/updates_testing: ======================== mpg123-1.18.0-1.mga3 mpg123-pulse-1.18.0-1.mga3 mpg123-jack-1.18.0-1.mga3 mpg123-portaudio-1.18.0-1.mga3 mpg123-sdl-1.18.0-1.mga3 mpg123-openal-1.18.0-1.mga3 libmpg123_0-1.18.0-1.mga3 libmpg123-devel-1.18.0-1.mga3 mpg123-1.18.0-1.mga4 mpg123-pulse-1.18.0-1.mga4 mpg123-jack-1.18.0-1.mga4 mpg123-portaudio-1.18.0-1.mga4 mpg123-sdl-1.18.0-1.mga4 mpg123-openal-1.18.0-1.mga4 libmpg123_0-1.18.0-1.mga4 libmpg123-devel-1.18.0-1.mga4 from SRPMS: mpg123-1.18.0-1.mga3.src.rpm mpg123-1.18.0-1.mga4.src.rpm Version:
Cauldron =>
4 Tested on Mga4 64-bits with a mp3 file. It works fine. If mpg123 is not used to play mp3 then could you tell us where we could find any file to test? CC:
(none) =>
olivier.delaune It is used to play mp3 files. I don't know of any PoC for the security issue.
Manuel Hiebel
2014-02-11 22:44:16 CET
Hardware:
i586 =>
All Testing complete Mageia 4 i586, no regression found while playing mp3 files. I tried both on local mp3 files (downloaded from e.g. http://download.linnrecords.com/test/mp3/recit.aspx) and directly using the URL: $ mpg123 ~/Downloads/recit.mp3 $ mpg123 http://download.linnrecords.com/test/mp3/recit.aspx CC:
(none) =>
remi Testing complete mga3 32 same as Rémi in comment 4
Rémi Verschelde
2014-02-13 14:56:42 CET
Whiteboard:
MGA3TOO has_procedure mga4-32-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok Testing complete mga3 64 Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates Thanks Keywords:
(none) =>
validated_update Testing complete Mageia 3 x86_64 too. I noticed that if I install only mpg123 and not lib64mpg123_0 (since the requires is not versioned), the application segfaults when trying to load an online stream, but I guess users don't cherry pick updates? cf. https://bugs.mageia.org/show_bug.cgi?id=11678 I meant to link this comment: https://bugs.mageia.org/show_bug.cgi?id=11678#c36 Update pushed: http://advisories.mageia.org/MGASA-2014-0067.html Status:
NEW =>
RESOLVED
David Walser
2014-02-14 18:51:54 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/586336/ FYI, the e-mail that sent this advisory had a typo in the subject. It said "mga123" instead of "mpg123." The typo carried over onto LWN's vulnerability page, but they just fixed it after I pointed it out. On Fri, 14 Feb 2014 09:52:20 -0800 (PST) David Walser wrote: > This entry says mga123, but it should be mpg123: > http://lwn.net/Vulnerabilities/586336/ so it should ... fwiw, the subject on the advisory email was: [updates-announce] MGASA-2014-0067: Updated mga123 packages fix a buffer overflow which is where mga123 came from :) jake -- Jake Edge - LWN - jake@lwn.net - http://lwn.net A CVE has been assigned for this: http://openwall.com/lists/oss-security/2015/01/04/5 Could someone please update the advisory in SVN? Advisory: ======================== Updated mpg123 packages fix security vulnerability: mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow a maliciously crafted audio file to crash applications that use the libmpg123 library (CVE-2014-9497). mpg123 has been updated to version 1.18.0, which fixes this issue, as well as several others. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9497 http://mpg123.org/cgi-bin/news.cgi http://openwall.com/lists/oss-security/2015/01/04/5 Summary:
mpg123 new buffer overflow security issue fixed upstream in 1.18.0 =>
mpg123 new buffer overflow security issue fixed upstream in 1.18.0 (CVE-2014-9497) |