Bug 21220

Summary: mpg123 new security issues CVE-2017-9545, CVE-2017-10683, CVE-2017-11126
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, marja11, nathan95, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
Source RPM: mpg123-1.24.0-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-10 12:11:54 CEST 
A security issue in mpg123 was fixed upstream and has been announced:
http://openwall.com/lists/oss-security/2017/07/10/4

I would guess at least 1.24.0 is also affected.  If 1.25.2 is going to include additional fuzzing-related fixes, we should probably just update to it when it's available.
David Walser 2017-07-10 12:12:01 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-07-10 23:29:21 CEST 
Assingig to the registered maintainer.

Assignee: bugsquad => lists.jjorge
CC: (none) => marja11

Comment 2 David Walser 2017-07-30 00:54:36 CEST 
1.25.1 fixed CVE-2017-10683, 1.25.2 fixed CVE-2017-11126, and 1.25.4 fixed CVE-2017-9545, and other fuzzing fixes were contained in these releases as well:
http://www.mpg123.de/cgi-bin/news.cgi
Comment 3 David Walser 2017-07-30 01:23:33 CEST 
Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated mpg123 packages fix security vulnerabilities:

The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote
attackers to cause a denial of service (buffer over-read) via a crafted mp3
file (CVE-2017-9545).

Invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame
flag bytes (CVE-2017-10683).

Extend pow tables for layer III to properly handle files with i-stereo and
5-bit scalefactors. Never observed them for real, just as fuzzed input to
trigger the read overflow (CVE-2017-11126).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11126
http://www.mpg123.de/cgi-bin/news.cgi
========================

Updated packages in core/updates_testing:
========================
mpg123-1.25.4-1.mga5
mpg123-pulse-1.25.4-1.mga5
mpg123-jack-1.25.4-1.mga5
mpg123-portaudio-1.25.4-1.mga5
mpg123-sdl-1.25.4-1.mga5
mpg123-openal-1.25.4-1.mga5
libmpg123_0-1.25.4-1.mga5
libmpg123-devel-1.25.4-1.mga5
mpg123-1.25.4-1.mga6
mpg123-pulse-1.25.4-1.mga6
mpg123-jack-1.25.4-1.mga6
mpg123-portaudio-1.25.4-1.mga6
mpg123-sdl-1.25.4-1.mga6
mpg123-openal-1.25.4-1.mga6
libmpg123_0-1.25.4-1.mga6
libmpg123-devel-1.25.4-1.mga6

from SRPMS:
mpg123-1.25.4-1.mga5.src.rpm
mpg123-1.25.4-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: lists.jjorge => qa-bugs

Comment 4 Rémi Verschelde 2017-07-30 13:04:25 CEST 
Basic testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12503#c4

Whiteboard: MGA5TOO => has_procedure MGA5TOO

Comment 5 Rémi Verschelde 2017-07-30 13:07:46 CEST 
Works fine on Mageia 6 x86_64.

Whiteboard: has_procedure MGA5TOO => has_procedure MGA5TOO MGA6-64-OK

Comment 6 Rémi Verschelde 2017-07-30 13:09:45 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK

Rémi Verschelde 2017-07-30 13:10:22 CEST

Summary: mpg123 new security issue CVE-2017-11126 => mpg123 new security issues CVE-2017-9545, CVE-2017-10683, CVE-2017-11126

nathan giovannini 2017-07-30 22:05:54 CEST

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK MGA-32-OK
CC: (none) => nathan95

nathan giovannini 2017-07-30 22:07:59 CEST

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK MGA-32-OK => advisory has_procedure MGA5TOO MGA6-64-OK MGA6-32-OK

Comment 7 Lewis Smith 2017-08-08 21:05:12 CEST 
Testing M5 x64

BEFORE update, I had just:
 mpg123-1.20.1-4.1.mga5
 lib64mpg123_0-1.20.1-4.1.mga5
UPDATED these to:
 lib64mpg123_0-1.25.4-1.mga5
 mpg123-1.25.4-1.mga5

The given reference:
 http://download.linnrecords.com/test/mp3/recit.aspx
is of little use if you have any other .mp3 file:
 $ mpg123 recit.mp3 
...
Playing MPEG stream 1 of 1: recit.mp3 ...
MPEG 1.0 layer III, 320 kbit/s, 44100 Hz joint-stereo
[0:09] Decoding of recit.mp3 finished.
OK, 9s of something.

Playing a different file sounded OK to end:
 $ mpg123 track2.mp3
...
Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: track2.mp3 ...

MPEG 1.0 L III cbr128 44100 j-s

Title:                                   Artist:                                
Comment:                                 Album:                                 
Year:                                    Genre:  Unknown                        

[3:45] Decoding of track2.mp3 finished.

OKing this for Mageia 5; also validating as 6 already done, & advisory.

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK MGA6-32-OK => advisory has_procedure MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2017-08-08 22:25:22 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0249.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED