mpg123 1.18.0 was released on January 31, fixing an issue introduced in 1.14.1: http://mpg123.org/cgi-bin/news.cgi Mageia 3 and Mageia 4 are affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
Whiteboard: MGA4TOO => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated mpg123 packages fix security vulnerability: mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow a maliciously crafted audio file to crash applications that use the libmpg123 library. mpg123 has been updated to version 1.18.0, which fixes this issue, as well as several others. References: http://mpg123.org/cgi-bin/news.cgi ======================== Updated packages in core/updates_testing: ======================== mpg123-1.18.0-1.mga3 mpg123-pulse-1.18.0-1.mga3 mpg123-jack-1.18.0-1.mga3 mpg123-portaudio-1.18.0-1.mga3 mpg123-sdl-1.18.0-1.mga3 mpg123-openal-1.18.0-1.mga3 libmpg123_0-1.18.0-1.mga3 libmpg123-devel-1.18.0-1.mga3 mpg123-1.18.0-1.mga4 mpg123-pulse-1.18.0-1.mga4 mpg123-jack-1.18.0-1.mga4 mpg123-portaudio-1.18.0-1.mga4 mpg123-sdl-1.18.0-1.mga4 mpg123-openal-1.18.0-1.mga4 libmpg123_0-1.18.0-1.mga4 libmpg123-devel-1.18.0-1.mga4 from SRPMS: mpg123-1.18.0-1.mga3.src.rpm mpg123-1.18.0-1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Tested on Mga4 64-bits with a mp3 file. It works fine. If mpg123 is not used to play mp3 then could you tell us where we could find any file to test?
CC: (none) => olivier.delaune
It is used to play mp3 files. I don't know of any PoC for the security issue.
Hardware: i586 => AllWhiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Testing complete Mageia 4 i586, no regression found while playing mp3 files. I tried both on local mp3 files (downloaded from e.g. http://download.linnrecords.com/test/mp3/recit.aspx) and directly using the URL: $ mpg123 ~/Downloads/recit.mp3 $ mpg123 http://download.linnrecords.com/test/mp3/recit.aspx
CC: (none) => remiWhiteboard: MGA3TOO mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 same as Rémi in comment 4
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Testing complete Mageia 3 x86_64 too. I noticed that if I install only mpg123 and not lib64mpg123_0 (since the requires is not versioned), the application segfaults when trying to load an online stream, but I guess users don't cherry pick updates? cf. https://bugs.mageia.org/show_bug.cgi?id=11678
I meant to link this comment: https://bugs.mageia.org/show_bug.cgi?id=11678#c36
Update pushed: http://advisories.mageia.org/MGASA-2014-0067.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/586336/
FYI, the e-mail that sent this advisory had a typo in the subject. It said "mga123" instead of "mpg123." The typo carried over onto LWN's vulnerability page, but they just fixed it after I pointed it out. On Fri, 14 Feb 2014 09:52:20 -0800 (PST) David Walser wrote: > This entry says mga123, but it should be mpg123: > http://lwn.net/Vulnerabilities/586336/ so it should ... fwiw, the subject on the advisory email was: [updates-announce] MGASA-2014-0067: Updated mga123 packages fix a buffer overflow which is where mga123 came from :) jake -- Jake Edge - LWN - jake@lwn.net - http://lwn.net
A CVE has been assigned for this: http://openwall.com/lists/oss-security/2015/01/04/5 Could someone please update the advisory in SVN? Advisory: ======================== Updated mpg123 packages fix security vulnerability: mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow a maliciously crafted audio file to crash applications that use the libmpg123 library (CVE-2014-9497). mpg123 has been updated to version 1.18.0, which fixes this issue, as well as several others. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9497 http://mpg123.org/cgi-bin/news.cgi http://openwall.com/lists/oss-security/2015/01/04/5
Summary: mpg123 new buffer overflow security issue fixed upstream in 1.18.0 => mpg123 new buffer overflow security issue fixed upstream in 1.18.0 (CVE-2014-9497)