Bug 23509 - mpg123 1.25.10
Summary: mpg123 1.25.10
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-31 23:42 CEST by David Walser
Modified: 2018-09-21 18:27 CEST

See Also:
Source RPM: mpg123-1.25.8-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-31 23:42:35 CEST
http://www.mpg123.de/cgi-bin/news.cgi

The invalid read fix is a security fix.  It'd be good to update Mageia 6 again too.
Comment 1 José Jorge 2018-09-08 12:42:32 CEST
I have uploaded version 1.25.10 to MGA6 updates_testing.

Suggested advisory :

The mpg123 project has fixed several bugs in the player, including an invalid read. We upgrade to the latest version which cumulates all those fixes.

SRPM :
mpg123-1.25.10-1.mga6.srpm 

RPMS:
mpg123-1.25.10-1.mga6.i586.rpm 
mpg123-pulse-1.25.10-1.mga6.i586.rpm 
mpg123-jack-1.25.10-1.mga6.i586.rpm 
mpg123-portaudio-1.25.10-1.mga6.i586.rpm 
mpg123-sdl-1.25.10-1.mga6.i586.rpm 
mpg123-openal-1.25.10-1.mga6.i586.rpm 
libmpg123_0-1.25.10-1.mga6.i586.rpm 
libmpg123-devel-1.25.10-1.mga6.i586.rpm

Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Version: Cauldron => 6

Comment 2 Len Lawrence 2018-09-09 15:01:51 CEST
Mageia 6, x86_64

Updated two of the packages and installed the rest from Updates Testing.

$ mpg123 Contrapunctus_IX-JSBach.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
	version 1.25.10; written and copyright by Michael Hipp and others
	free software (LGPL) without any warranty but with best wishes

Terminal control enabled, press 'h' for listing of keys and functions.
Playing MPEG stream 1 of 1: Contrapunctus_IX-JSBach.mp3 ...
MPEG 1.0 L III cbr128 44100 stereo
Title:   Contrapunctus IX                Artist: J S Bach                       
Comment:                                 Album:                                 
Year:                                    Genre:  Instrumental

There is not much else we can do to test this.  It has a lot of options, many of them quite technical.  It will play URLs as long as they resolve to an MPEG3 stream.

The keyboard can be used to control play - type 'h' for a list of keys.
Play tracks listed in a file, in random order:
$ mpg123 -Z -@ reallythebest
Playing MPEG stream 10 of 10: UpAroundTheBend.mp3 ...
[...]
Playing MPEG stream 8 of 10: SuzyQ.mp3 ...
[...] <press 'f' to move to next track>
Playing MPEG stream 1 of 10: BadMoonRising.mp3 ...
[...]

It works anyway.  Good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 3 Thomas Andrews 2018-09-21 03:45:03 CEST
Validating. Suggested advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 17:08:57 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2018-09-21 18:27:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0386.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

