Package mpg123 updated to version 1.25.2-alt0.M80P.1 for branch p8 in task 185643.

Published: 2017-06-30
Modified: 2024-11-21

CVE-2017-10683

In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1465819
https://bugzilla.redhat.com/show_bug.cgi?id=1465819

Published: 2017-07-10
Modified: 2024-11-21

CVE-2017-11126

The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870.

Severity: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

http://openwall.com/lists/oss-security/2017/07/10/4
http://openwall.com/lists/oss-security/2017/07/10/4
https://blogs.gentoo.org/ago/2017/07/03/mpg123-global-buffer-overflow-in-iii_i_stereo-layer3-c/
https://blogs.gentoo.org/ago/2017/07/03/mpg123-global-buffer-overflow-in-iii_i_stereo-layer3-c/

Version: 2.1.0

Package mpg123 update in p8 on 2017-07-20

ALT-PU-2017-1910-1

Closed vulnerabilities

CVE-2017-10683

CVE-2017-11126