Bug 12503 - mpg123 new buffer overflow security issue fixed upstream in 1.18.0 (CVE-2014-9497)
: mpg123 new buffer overflow security issue fixed upstream in 1.18.0 (CVE-2014-...
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/586336/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-01 20:24 CET by David Walser
Modified: 2015-01-06 00:40 CET (History)
4 users (show)

See Also:
Source RPM: mpg123-1.16.0-2.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-02-01 20:24:15 CET
mpg123 1.18.0 was released on January 31, fixing an issue introduced in 1.14.1:
http://mpg123.org/cgi-bin/news.cgi

Mageia 3 and Mageia 4 are affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-02-05 21:45:44 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated mpg123 packages fix security vulnerability:

mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow
a maliciously crafted audio file to crash applications that use the libmpg123
library.

mpg123 has been updated to version 1.18.0, which fixes this issue, as well as
several others.

References:
http://mpg123.org/cgi-bin/news.cgi
========================

Updated packages in core/updates_testing:
========================
mpg123-1.18.0-1.mga3
mpg123-pulse-1.18.0-1.mga3
mpg123-jack-1.18.0-1.mga3
mpg123-portaudio-1.18.0-1.mga3
mpg123-sdl-1.18.0-1.mga3
mpg123-openal-1.18.0-1.mga3
libmpg123_0-1.18.0-1.mga3
libmpg123-devel-1.18.0-1.mga3
mpg123-1.18.0-1.mga4
mpg123-pulse-1.18.0-1.mga4
mpg123-jack-1.18.0-1.mga4
mpg123-portaudio-1.18.0-1.mga4
mpg123-sdl-1.18.0-1.mga4
mpg123-openal-1.18.0-1.mga4
libmpg123_0-1.18.0-1.mga4
libmpg123-devel-1.18.0-1.mga4

from SRPMS:
mpg123-1.18.0-1.mga3.src.rpm
mpg123-1.18.0-1.mga4.src.rpm
Comment 2 Olivier Delaune 2014-02-08 21:41:23 CET
Tested on Mga4 64-bits with a mp3 file. It works fine. If mpg123 is not used to play mp3 then could you tell us where we could find any file to test?
Comment 3 David Walser 2014-02-08 22:07:24 CET
It is used to play mp3 files.  I don't know of any PoC for the security issue.
Comment 4 Rémi Verschelde 2014-02-13 12:19:52 CET
Testing complete Mageia 4 i586, no regression found while playing mp3 files.

I tried both on local mp3 files (downloaded from e.g. http://download.linnrecords.com/test/mp3/recit.aspx) and directly using the URL:
$ mpg123 ~/Downloads/recit.mp3
$ mpg123 http://download.linnrecords.com/test/mp3/recit.aspx
Comment 5 claire robinson 2014-02-13 14:50:03 CET
Testing complete mga3 32 same as Rémi in comment 4
Comment 6 claire robinson 2014-02-13 15:08:40 CET
Testing complete mga3 64
Comment 7 claire robinson 2014-02-13 15:13:13 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 8 Rémi Verschelde 2014-02-13 15:18:04 CET
Testing complete Mageia 3 x86_64 too.
I noticed that if I install only mpg123 and not lib64mpg123_0 (since the requires is not versioned), the application segfaults when trying to load an online stream, but I guess users don't cherry pick updates? cf. https://bugs.mageia.org/show_bug.cgi?id=11678
Comment 9 Rémi Verschelde 2014-02-13 15:33:44 CET
I meant to link this comment: https://bugs.mageia.org/show_bug.cgi?id=11678#c36
Comment 10 Thomas Backlund 2014-02-13 21:08:08 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0067.html
Comment 11 David Walser 2014-02-15 00:27:13 CET
FYI, the e-mail that sent this advisory had a typo in the subject.  It said "mga123" instead of "mpg123."  The typo carried over onto LWN's vulnerability page, but they just fixed it after I pointed it out.

On Fri, 14 Feb 2014 09:52:20 -0800 (PST) David Walser wrote:
> This entry says mga123, but it should be mpg123:
> http://lwn.net/Vulnerabilities/586336/

so it should ... fwiw, the subject on the advisory email was:

[updates-announce] MGASA-2014-0067: Updated mga123 packages fix a
buffer overflow

which is where mga123 came from :)

jake

-- 
Jake Edge - LWN - jake@lwn.net - http://lwn.net
Comment 12 David Walser 2015-01-06 00:40:06 CET
A CVE has been assigned for this:
http://openwall.com/lists/oss-security/2015/01/04/5

Could someone please update the advisory in SVN?

Advisory:
========================

Updated mpg123 packages fix security vulnerability:

mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow
a maliciously crafted audio file to crash applications that use the libmpg123
library (CVE-2014-9497).

mpg123 has been updated to version 1.18.0, which fixes this issue, as well as
several others.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9497
http://mpg123.org/cgi-bin/news.cgi
http://openwall.com/lists/oss-security/2015/01/04/5

Note You need to log in before you can comment on or make changes to this bug.