Updated mpg123 packages fix security vulnerabilities
Publication date: 08 Aug 2017
Modification date: 08 Aug 2017
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-9545
Description
The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote
attackers to cause a denial of service (buffer over-read) via a crafted mp3
file (CVE-2017-9545).
An invalid read of size 1 in the ID3v2 parser, caused by a forgotten offset
from the frame flag bytes (CVE-2017-10683).
The pow tables for layer III were extended to properly handle files with
i-stereo and 5-bit scalefactors. Such files have never been observed for real,
only as fuzzed input that triggers the read overflow (CVE-2017-11126).
References
SRPMS
5/core
- mpg123-1.25.4-1.mga5
6/core
- mpg123-1.25.4-1.mga6