That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/10/30/2 https://www.openwall.com/lists/oss-security/2024/10/30/3 https://www.openwall.com/lists/oss-security/2024/10/31/4 https://www.openwall.com/lists/oss-security/2024/11/01/2 To get the patch: """ svn co svn://scm.orgis.org/mpg123/branches/1.31-fixes cd 1.31-fixes/ svn diff -r5270:5444 """
CVE: (none) => CVE-2024-10573Source RPM: (none) => mpg123-1.31.3-1.mga9.src.rpmStatus comment: (none) => Patches available from upstream
Thanks for the patch ref - saves a lot of hunting. Cauldron is very up-to date, this is just M9. Assigning yet again to DavidG, who routinely updates this SRPM.
Assignee: bugsquad => geiger.david68210
Suggested advisory: ======================== The updated packages fix a security vulnerability: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector. (CVE-2024-10573) References: https://www.openwall.com/lists/oss-security/2024/10/30/2 https://www.openwall.com/lists/oss-security/2024/10/30/3 https://www.openwall.com/lists/oss-security/2024/10/31/4 https://www.openwall.com/lists/oss-security/2024/11/01/2 ======================== Updated packages in core/updates_testing: ======================== lib(64)mpg123_0-1.31.3-1.1.mga9 lib(64)mpg123-devel-1.31.3-1.1.mga9 mpg123-1.31.3-1.1.mga9 mpg123-jack-1.31.3-1.1.mga9 mpg123-openal-1.31.3-1.1.mga9 mpg123-portaudio-1.31.3-1.1.mga9 mpg123-pulse-1.31.3-1.1.mga9 mpg123-sdl-1.31.3-1.1.mga9 mpg123-sndio-1.31.3-1.1.mga9 from SRPM: mpg123-1.31.3-1.1.mga9.src.rpm
Status comment: Patches available from upstream => (none)Assignee: geiger.david68210 => qa-bugsStatus: NEW => ASSIGNED
Keywords: (none) => advisory
RH x86_64 rpm -qa|grep mpg123 mpg123-1.31.3-1.1.mga9 lib64mpg123_0-1.31.3-1.1.mga9 mpg123-pulse-1.31.3-1.1.mga9 mpg123-sdl-1.31.3-1.1.mga9 mpg123-jack-1.31.3-1.1.mga9 mpg123-openal-1.31.3-1.1.mga9 mpg123-portaudio-1.31.3-1.1.mga9 mpg123-sndio-1.31.3-1.1.mga9 libmpg123_0-1.31.3-1.1.mga9 mpg123 --list-modules Available modules ----------------- sndio output Output audio using sndio library jack output Output audio using JACK (JACK Audio Connection Kit). portaudio output Output audio using PortAudio oss output Output audio using OSS alsa output Output audio using Advanced Linux Sound Architecture (ALSA). pulse output Output audio using PulseAudio Server dummy output Dummy audio output - does not output audio. sdl output Output audio using SDL (Simple DirectMedia Layer). openal output Output audio using OpenAL. raw output raw headerless stream (builtin) cdr output compact disc digital audio stream (builtin) wav output RIFF WAVE file (builtin) au output Sun AU file (builtin) test output output into the void (builtin) hex output interleaved hex printout (builtin) txt output plain text printout, a column per channel (builtin) Play mp3 file looks good
mga9, x64 Already under way, so may as well continue. Several of the release packages were missing so installed them before updating. Clean update after that. $ mpg123 KillerQueen.mp3 Played track OK. 'h' key showed list of interactive commands such as 'A' for more bass and '+' to increase volume. That worked. $ mpg123 -w downonthecorner.wav DownOnTheCorner.mp3 Playing MPEG stream 1 of 1: DownOnTheCorner.mp3 ... MPEG 1.0 L III cbr128 44100 stereo Title: Down On The Corner Artist: Creedence Clearwater Revival Comment: Created by Grip Album: Really The Best Year: 1994 Genre: Rock [2:43] Decoding of DownOnTheCorner.mp3 finished. The resulting WAV file could be played OK. $ play downonthecorner.wav Found this command in an old report: $ mpg123 -o sdl BadMoonRising.mp3 This plays fine using the "SDL audio device" Played random tracks from current directory: $ mpg123 -Z * [...] Title: Up Around The Bend <typed l for list> Playlist (">" indicates current track): BadMoonRising.mp3 DownOnTheCorner.mp3 downonthecorner.wav GreenRiver.mp3 HeyTonight.mp3 IHeardItOnTheGrapevine.mp3 ProudMary.mp3 reallythebest SuzyQ.mp3 TravelinBand.mp3 > UpAroundTheBend.mp3 [...] <typed 'l'> BadMoonRising.mp3 DownOnTheCorner.mp3 downonthecorner.wav GreenRiver.mp3 HeyTonight.mp3 > IHeardItOnTheGrapevine.mp3 ProudMary.mp3 reallythebest SuzyQ.mp3 TravelinBand.mp3 UpAroundTheBend.mp3 <typed 'f'> <typed 'l'> BadMoonRising.mp3 DownOnTheCorner.mp3 downonthecorner.wav GreenRiver.mp3 HeyTonight.mp3 IHeardItOnTheGrapevine.mp3 ProudMary.mp3 reallythebest SuzyQ.mp3 > TravelinBand.mp3 UpAroundTheBend.mp3 CtrlC to exit. Enough testing.
CC: (none) => tarazed25
CC: (none) => andrewsfarmWhiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
This package was pushed today but for some reason this bug wasn't automatically closed.
CC: (none) => danResolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0358.html