MGASA-2017-0249

Source
https://advisories.mageia.org/MGASA-2017-0249.html
Import Source
https://advisories.mageia.org/MGASA-2017-0249.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2017-0249
Published
2017-08-08T20:24:42Z
Modified
2017-08-08T20:06:26Z
Summary
Updated mpg123 packages fix security vulnerabilities
Details

The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file (CVE-2017-9545).

Invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (CVE-2017-10683).

Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to trigger the read overflow (CVE-2017-11126).

Affected packages

Mageia:6 / mpg123

Package

Name
mpg123
Purl
pkg:rpm/mageia/mpg123?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.25.4-1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / mpg123

Package

Name
mpg123
Purl
pkg:rpm/mageia/mpg123?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.25.4-1.mga5

Ecosystem specific

{
    "section": "core"
}