From $URL: "as upstream of mpg123, I recently fixed a possibly serious issue that resulted in writing past a buffer on the heap under certain use cases. The fixed release is 1.32.8. There is no CVE for this (that I know of)." They go on to explain the circumstances needed to hit the bug - seeking around in a malicious stream - and consider it non-trivial to exploit. For example, as I read it, just playing a maliciously crafted .mp3 will not do it. 1.32.8, released a few days ago, includes fixes.
I'll go with Denial of Service given the difficulty to exploit.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0494c0e7c505921c1d8140d6339543d41f42473e

commit 0494c0e7c505921c1d8140d6339543d41f42473e
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-11-26 05:52:28 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-11-26 06:05:24 +0000

    media-plugins/mpg123-output-plugins: add 1.32.9

    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Sam James <sam@gentoo.org>

 media-plugins/mpg123-output-plugins/Manifest | 1 +
 .../mpg123-output-plugins-1.32.9.ebuild | 102 +++++++++++++++++++++
 2 files changed, 103 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6903d98e459c3089700ad60a89b10671802679e8

commit 6903d98e459c3089700ad60a89b10671802679e8
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-11-26 05:48:00 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-11-26 06:05:24 +0000

    media-sound/mpg123-base: add 1.32.9

    There's a bunch of configure option changes upstream which I want to double check with Igor, but I'm pretty sure that we discussed them all before and it doesn't change the approach we took wrt the mpg123-base and mpg123-output-plugins split for bug #915858 -- so I've not changed any of that in the ebuild.

    Bug: https://bugs.gentoo.org/915858
    Bug: https://bugs.gentoo.org/942561
    Closes: https://bugs.gentoo.org/943699
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/mpg123-base/Manifest | 1 +
 media-sound/mpg123-base/mpg123-base-1.32.9.ebuild | 109 ++++++++++++++++++++++
 2 files changed, 110 insertions(+)
Igor, is my assumption right wrt no configure option changes needed?
(In reply to Sam James from comment #3)
> Igor, is my assumption right wrt no configure option changes needed?

Yes, upstream just removed support for earlier libmpg123 split method; we do not use it in mpg123-base and mpg123-output-plugins split we have today so all should be fine.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0abb52ef2636613b4ed5b00c3a8d3f26d48b26c2

commit 0abb52ef2636613b4ed5b00c3a8d3f26d48b26c2
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2025-01-07 19:31:46 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2025-01-07 19:31:51 +0000

    media-plugins/mpg123-output-plugins: dropped obsolete 1.32.3

    Bug: https://bugs.gentoo.org/945128
    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-plugins/mpg123-output-plugins/Manifest | 1 -
 .../mpg123-output-plugins-1.32.3.ebuild | 106 ---------------------
 2 files changed, 107 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61cb08e4e613fc74d5294387d61e89185029fcc4

commit 61cb08e4e613fc74d5294387d61e89185029fcc4
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2025-01-07 19:31:14 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2025-01-07 19:31:51 +0000

    media-sound/mpg123-base: dropped obsolete 1.32.3

    Bug: https://bugs.gentoo.org/945128
    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/mpg123-base/Manifest | 1 -
 media-sound/mpg123-base/mpg123-base-1.32.3.ebuild | 112 ----------------------
 2 files changed, 113 deletions(-)
The tree is clean now, you can proceed.
I am observing an LTO-related build issue when upgrading from media-sound/mpg123-base-1.32.9 to media-sound/mpg123-base-1.32.9-r1:

[ebuild U ] media-sound/mpg123-base-1.32.9-r1::gentoo [1.32.9::gentoo] USE="alsa pulseaudio sdl (-coreaudio) -int-quality -ipv6 -jack -nas -oss -portaudio" ABI_X86="32 (64) (-x32)" CPU_FLAGS_X86="sse (-3dnow) (-3dnowext) (-mmx)" 0 KiB

possibly due to abi_x86_32:

...
libtool: link: x86_64-pc-linux-gnu-gcc -m32 -mfpmath=sse -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing -O3 -flto=auto -march=native -fomit-frame-pointer -fipa-cp-clone -finline-functions -fno-stack-protector -fno-stack-clash-protection -pipe -D_GNU_SOURCE -Wl,-O1 -Wl,-z -Wl,pack-relative-relocs -o src/.libs/mpg123 src/audio.o src/common.o src/sysutil.o src/control_generic.o src/equalizer.o src/getlopt.o src/httpget.o src/resolver.o src/genre.o src/mpg123.o src/metaprint.o src/local.o src/playlist.o src/streamdump.o src/term.o src/term_posix.o src/net123_exec.o -Wl,--as-needed src/compat/.libs/libcompat.a src/libmpg123/.libs/libmpg123.so src/libout123/.libs/libout123.so src/libsyn123/.libs/libsyn123.so -lm
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: error: type of 'mpg123_seek_frame_64' does not match original declaration [-Werror=lto-type-mismatch]
 1118 | MPG123_EXPORT off_t mpg123_seek_frame( mpg123_handle *mh
      | ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: return value type mismatch
 1118 | MPG123_EXPORT off_t mpg123_seek_frame( mpg123_handle *mh
      | ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: 'mpg123_seek_frame_64' was previously declared here
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: code may be misoptimized unless '-fno-strict-aliasing' is used
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1063:21: error: type of 'mpg123_seek_64' does not match original declaration [-Werror=lto-type-mismatch]
 1063 | MPG123_EXPORT off_t mpg123_seek( mpg123_handle *mh
      | ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1063:21: note: return value type mismatch
 1063 | MPG123_EXPORT off_t mpg123_seek( mpg123_handle *mh
      | ^
...

I will file a separate PR if needed.
(In reply to Zdenek Sojka from comment #7)
> I am observing LTO-related build issue when upgrading from
> media-sound/mpg123-base-1.32.9 to media-sound/mpg123-base-1.32.9-r1:

Sorry, I'd missed this. FWIW, handled in bug 951124.