Bug 23509

Summary: mpg123 1.25.10
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, lists.jjorge, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: mpg123-1.25.8-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-08-31 23:42:35 CEST
http://www.mpg123.de/cgi-bin/news.cgi

The invalid read fix is a security fix.  It'd be good to update Mageia 6 again too.

Comment 1 José Jorge 2018-09-08 12:42:32 CEST
I have uploaded version 1.25.10 to MGA6 updates_testing.

Suggested advisory:

The mpg123 project has fixed several bugs in the player, including an invalid read. We upgrade to the latest version which cumulates all those fixes.

SRPM:
mpg123-1.25.10-1.mga6.srpm 

RPMS:
mpg123-1.25.10-1.mga6.i586.rpm 
mpg123-pulse-1.25.10-1.mga6.i586.rpm 
mpg123-jack-1.25.10-1.mga6.i586.rpm 
mpg123-portaudio-1.25.10-1.mga6.i586.rpm 
mpg123-sdl-1.25.10-1.mga6.i586.rpm 
mpg123-openal-1.25.10-1.mga6.i586.rpm 
libmpg123_0-1.25.10-1.mga6.i586.rpm 
libmpg123-devel-1.25.10-1.mga6.i586.rpm

Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Version: Cauldron => 6

Comment 2 Len Lawrence 2018-09-09 15:01:51 CEST
Mageia 6, x86_64

Updated two of the packages and installed the rest from Updates Testing.

$ mpg123 Contrapunctus_IX-JSBach.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
	version 1.25.10; written and copyright by Michael Hipp and others
	free software (LGPL) without any warranty but with best wishes

Terminal control enabled, press 'h' for listing of keys and functions.
Playing MPEG stream 1 of 1: Contrapunctus_IX-JSBach.mp3 ...
MPEG 1.0 L III cbr128 44100 stereo
Title:   Contrapunctus IX                Artist: J S Bach                       
Comment:                                 Album:                                 
Year:                                    Genre:  Instrumental

There is not much else we can do to test this.  It has a lot of options, many of them quite technical.  It will play URLs as long as they resolve to an MPEG3 stream.

The keyboard can be used to control play - type 'h' for a list of keys.
Play tracks listed in a file, in random order:
$ mpg123 -Z -@ reallythebest
Playing MPEG stream 10 of 10: UpAroundTheBend.mp3 ...
[...]
Playing MPEG stream 8 of 10: SuzyQ.mp3 ...
[...] <press 'f' to move to next track>
Playing MPEG stream 1 of 10: BadMoonRising.mp3 ...
[...]

It works anyway.  Good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 3 Thomas Andrews 2018-09-21 03:45:03 CEST
Validating. Suggested advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 17:08:57 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2018-09-21 18:27:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0386.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED