Assigning to our registered mpg123 maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Suggested advisory:
Mpg123-1.25.12 fixes some a number of security bugs found by OSS-Fuzz.
Upstream says : "I do not have CVE numbers for these bugs. I rather fix the bugs than name them. Just update, will you?"

Ref: http://www.mpg123.de/cgi-bin/news.cgi#2019-07-18

RPMS :

mpg123-1.25.12-1.mga7.aarch64.rpm
mpg123-pulse-1.25.12-1.mga7.aarch64.rpm
mpg123-jack-1.25.12-1.mga7.aarch64.rpm
mpg123-portaudio-1.25.12-1.mga7.aarch64.rpm
mpg123-sdl-1.25.12-1.mga7.aarch64.rpm
mpg123-openal-1.25.12-1.mga7.aarch64.rpm
mpg123-sndio-1.25.12-1.mga7.aarch64.rpm
lib64mpg123_0-1.25.12-1.mga7.aarch64.rpm
lib64mpg123-devel-1.25.12-1.mga7.aarch64.rpm

Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Thanks.  Just noting that 1.25.12 was finally announced and does fix more security issues:
http://www.mpg123.de/cgi-bin/news.cgi#2019-08-24

You forgot Mageia 6 though.

Assignee: qa-bugs => lists.jjorge
CC: (none) => qa-bugs

(In reply to David Walser from comment #3)
> Thanks.  Just noting that 1.25.12 was finally announced and does fix more
> security issues:
> http://www.mpg123.de/cgi-bin/news.cgi#2019-08-24

Yes, this should be a better reference for the advisory. 

> You forgot Mageia 6 though.

Yup, pushed. The RPMS list is the same as for MGA7, except sndio plugin.

Assignee: lists.jjorge => qa-bugs

Full package list:
mpg123-1.25.12-1.mga6
mpg123-pulse-1.25.12-1.mga6
mpg123-jack-1.25.12-1.mga6
mpg123-portaudio-1.25.12-1.mga6
mpg123-sdl-1.25.12-1.mga6
mpg123-openal-1.25.12-1.mga6
libmpg123_0-1.25.12-1.mga6
libmpg123-devel-1.25.12-1.mga6
mpg123-1.25.12-1.mga7
mpg123-pulse-1.25.12-1.mga7
mpg123-jack-1.25.12-1.mga7
mpg123-portaudio-1.25.12-1.mga7
mpg123-sdl-1.25.12-1.mga7
mpg123-openal-1.25.12-1.mga7
mpg123-sndio-1.25.12-1.mga7
libmpg123_0-1.25.12-1.mga7
libmpg123-devel-1.25.12-1.mga7

from SRPMS:
mpg123-1.25.12-1.mga6.src.rpm
mpg123-1.25.12-1.mga7.src.rpm

mga6, x86_64

Installed missing packages, ran the test option of mpg123 on an mp3 file then updated
from version 1.25.10 to 1.25.10-1, 8 packages.

$ mpg123 -o test Chiquitita.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
	version 1.25.12; written and copyright by Michael Hipp and others
	free software (LGPL) without any warranty but with best wishes
Terminal control enabled, press 'h' for listing of keys and functions.
Playing MPEG stream 1 of 1: Chiquitita.mp3 ...
MPEG 1.0 L III cbr128 44100 stereo
[5:24] Decoding of Chiquitita.mp3 finished.

$ mpg123 --list-modules
Available modules
-----------------
pulse          output  Output audio using PulseAudio Server
portaudio      output  Output audio using PortAudio
jack           output  Output audio using JACK (JACK Audio Connection Kit).
alsa           output  Output audio using Advanced Linux Sound Architecture (ALSA).
oss            output  Output audio using OSS
openal         output  Output audio using OpenAL.
sdl            output  Output audio using SDL (Simple DirectMedia Layer).
dummy          output  Dummy audio output - does not output audio.
raw            output  raw headerless stream (builtin)
cdr            output  compact disc digital audio stream (builtin)
wav            output  RIFF WAVE file (builtin)
au             output  Sun AU file (builtin)
test           output  output into the void (builtin)

Using pulseaudio here.

$ mpg123 LaTempranica.mp3
Defaults to ALSA plug-in
Pressing 'h' in a terminal displayed help for control keys.
+ and - changed volume OK.

$ mplayer -vo pulse LaTempranica.mp3
Switched to pulse audio output.

Tried oss - failed because there are no oss drivers on the system.

$ mpg123 -w mozart.wav NonPiuAndrai.mp3
This created a WAV file from the MP3 file.

$ ll
-rw-r--r-- 1 lcl lcl 40670252 Aug 27 10:21 mozart.wav
-rw-r--r-- 1 lcl lcl  3688908 Jan 28  2009 NonPiuAndrai.mp3

An alternative way to convert is:
$ mpg123 -o wav DoveSono.mp3 > DoveSono.wav
$ ll Dove*
-rw-r--r-- 1 lcl lcl  5968040 Jan 28  2009 DoveSono.mp3
-rw-r--r-- 1 lcl lcl 65797676 Aug 27 10:30 DoveSono.wav

The output file plays fine with SOX.

SDL works as well.
$ mpg123 -o sdl LaProcession.mp3
The terminal keys work.
'k' for instance produced "[BOOKMARK] track 1 frame 6277"
'b' reset to the beginning

mpg123 cannot read m3u playlists but file lists can be supplied, e.g.
$ mpg123 `ls T*`
Press 'l'
Playlist (">" indicates current track):
> ThePrinceOfDenmarksMarch-JeremiahClarke.mp3
  TrumpetTuneAndAyre-HenryPurcell.mp3
  TrumpetTune-JohnStanley.mp3

$ mpg123 *
Playing MPEG stream 1 of 12: AnElizabethanSuite.mp3 ...
'f'
'f'
Playing MPEG stream 3 of 12: CeremonialBrassMusic-JohannPezel.mp3 ...
'q'
$

Play sections of a track:
$ mpg123 --skip 2000 --frames 2000 LaDansereye-TielmanSusato.mp3
'k'
[BOOKMARK] track 1 frame 2254
and playing truncated fairly quickly.

This all looks perfectly in order.  OK and validating.

Keywords: (none) => validated_update
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
CC: (none) => tarazed25, sysadmin-bugs

Oops.  Just noticed a copy&paste error.
The mplayer test was to do with setting up the sound system earlier.
The actual test was:
$ mpg123 -o pulse LaTempranica.mp3
Playing MPEG stream 1 of 1: LaTempranica.mp3 ...

Advisory can be simply as follows:
---------------------------------

The mpg123 package has been updated to version 1.25.12, fixing several issues
which could cause it to crash or hang while parsing mp3 files.

References:
http://www.mpg123.de/cgi-bin/news.cgi#2019-08-24

mga7, x86_64

Installed missing packages.  mpg123-sndio must be new, not available before update.

Updated everything and installed mpg123-sndio.


$ mpg123 DontVientCela.mp3
Checked interactive help and keyboard controls.

$ mpg123 -o pulse LaTempranica.mp3
Interactive pitch control worked.

$ mpg123 -w badmoonrising.wav BadMoonRising.mp3
[...]
MPEG 1.0 L III cbr128 44100 stereo
Title:   Bad Moon Rising                 Artist: Creedence Clearwater Revival   
Comment: Created by Grip                 Album:  Really The Best                
Genre:   Rock
[2:18] Decoding of BadMoonRising.mp3 finished.
$ play badmoonrising.wav
OK

$ mpg123 -o sdl AsLongAsICanSeeTheLight.mp3 
'v'
> 6360+1634  02:46.13+00:42.68 --- 072=072 128 kb/s  418 B acc    0 clip p+0.00
Works fine.

$ cd DonHenley
$ mpg123 *
'l'
Playlist (">" indicates current track):
> AllSheWantsToDoIsDance.mp3
  BuildingThePerfectBeast.mp3
  ManWithAMission.mp3
  TheBoysOfSummer.mp3
'k'
[BOOKMARK] track 1 frame 4143
'k'
[BOOKMARK] track 2 frame 1345
'd'
'k'
[BOOKMARK] track 1 frame 717
'q'
$

$ mpg123 --skip 1000 --frames 3000 PadstowMaySong.mp3
'k'
[BOOKMARK] track 1 frame 1591
'k'
[BOOKMARK] track 1 frame 3980
Play cut off milliseconds later.

$ ls | wc -l
Random play...
$ mpg123 -Z *
'l'
  AVirginMostPure.mp3
  BettsyBell.mp3
  Blacksmith.mp3
  BloodAndGold.mp3
  BoarsHead.mp3
  DoffingMistress.mp3
  LongShadows.mp3
> PadstowMaySong.mp3
  SingingTheTravells.mp3
  SingSingAllTheEarth.mp3
  TheKing.mp3

Using 'f' at this point advances the track pointer sequentially.

"mpg123 --longhelp" shows the full range of options, which includes
"--lyrics           show lyrics (from ID3v2 USLT frame)"
No output from mp3 files here, mostly ripped from commercial CDs, and mediainfo does not find anything.

All the simple commands work well.  Giving this an OK for 64bits.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Wow, much less that Len : I just played an mp3 http stream and a local mp3 file in a i586 system.

Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK MGA7-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0238.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED