Bug 942561 (CVE-2024-10573) - <media-sound/mpg123-base-1.32.9: heap overflow when seeking on a malicious stream
Summary: <media-sound/mpg123-base-1.32.9: heap overflow when seeking on a malicious st...
Status: IN_PROGRESS
Alias: CVE-2024-10573
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 945128 945154 951101 951124
Blocks:
Reported: 2024-10-30 18:28 UTC by Hank Leininger
Modified: 2025-04-02 02:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2024-10-30 18:28:53 UTC
From $URL:

"as upstream of mpg123, I recently fixed a possibly serious issue that
resulted in writing past a buffer on the heap under certain use cases.
The fixed release is 1.32.8. 

There is no CVE for this (that I know of)."

They go on to explain the circumstances needed to hit the bug - seeking around in a malicious stream - and consider it non-trivial to exploit. For example, as I read it, just playing a maliciously crafted .mp3 will not do it.

1.32.8, released a few days ago, includes fixes.
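The summary gives the affected range as media-sound/mpg123-base below 1.32.9. The following is an added example, not part of the bug report or of the mpg123 or Gentoo code, that turns that boundary into a check a Gentoo administrator can run: it compares dotted version strings component by component, ignores Gentoo's "-rN" revision suffix (which the 1.32.9-r1 mentioned later in this bug carries and which does not change the upstream version), and then walks the installed-package database. The /var/db/pkg/<category>/<pkg>-<version>/ layout used by the last function is an assumption about the host, as is the fixed-version constant taken from the bug summary.

```shell
#!/bin/sh
# Added example: is an installed media-sound/mpg123-base still below the
# fixed version named in this bug's summary? Not from the bug report itself.

FIXED_VERSION="1.32.9"   # boundary taken from the summary "<media-sound/mpg123-base-1.32.9"

# Strip a Gentoo revision suffix (-rN) so "1.32.9-r1" compares as "1.32.9".
strip_revision() {
    printf '%s\n' "$1" | sed 's/-r[0-9][0-9]*$//'
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0,
# so "1.32" is treated as "1.32.0".
version_cmp() {
    a=$(strip_revision "$1")
    b=$(strip_revision "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        # take the head component (up to the first dot) and keep the remainder
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit status 0 (true) when the given version is still affected, 1 otherwise.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Inspect the versions actually installed on this host.
# Assumed layout: /var/db/pkg/<category>/<pkg>-<version>/ (Portage's VDB).
check_installed() {
    for dir in /var/db/pkg/media-sound/mpg123-base-*; do
        [ -d "$dir" ] || { echo "media-sound/mpg123-base is not installed"; return 0; }
        ver=${dir##*/mpg123-base-}
        if is_affected "$ver"; then
            echo "AFFECTED: media-sound/mpg123-base-$ver (< $FIXED_VERSION, CVE-2024-10573)"
        else
            echo "fixed: media-sound/mpg123-base-$ver"
        fi
    done
}

# Usage: . ./check.sh && check_installed
```

The comparison deliberately ignores the revision suffix: a -rN rebuild of an already-fixed upstream version stays fixed, and a -rN rebuild of an older version stays affected, which matches how the "<1.32.9" range in the summary is meant.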
Comment 1 Hans de Graaff gentoo-dev Security 2024-11-12 18:50:21 UTC
I'll go with Denial of Service given the difficulty of exploiting it.
Comment 2 Larry the Git Cow gentoo-dev 2024-11-26 06:06:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0494c0e7c505921c1d8140d6339543d41f42473e

commit 0494c0e7c505921c1d8140d6339543d41f42473e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-11-26 05:52:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-11-26 06:05:24 +0000

    media-plugins/mpg123-output-plugins: add 1.32.9
    
    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Sam James <sam@gentoo.org>

 media-plugins/mpg123-output-plugins/Manifest       |   1 +
 .../mpg123-output-plugins-1.32.9.ebuild            | 102 +++++++++++++++++++++
 2 files changed, 103 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6903d98e459c3089700ad60a89b10671802679e8

commit 6903d98e459c3089700ad60a89b10671802679e8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-11-26 05:48:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-11-26 06:05:24 +0000

    media-sound/mpg123-base: add 1.32.9
    
    There's a bunch of configure option changes upstream which I want to double
    check with Igor, but I'm pretty sure that we discussed them all before
    and it doesn't change the approach we took wrt the mpg123-base and
    mpg123-output-plugins split for bug #915858 -- so I've not changed
    any of that in the ebuild.
    
    Bug: https://bugs.gentoo.org/915858
    Bug: https://bugs.gentoo.org/942561
    Closes: https://bugs.gentoo.org/943699
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/mpg123-base/Manifest                  |   1 +
 media-sound/mpg123-base/mpg123-base-1.32.9.ebuild | 109 ++++++++++++++++++++++
 2 files changed, 110 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-11-26 06:06:43 UTC
Igor, is my assumption right wrt no configure option changes needed?
Comment 4 Igor V. Kovalenko 2024-11-26 06:23:56 UTC
(In reply to Sam James from comment #3)
> Igor, is my assumption right wrt no configure option changes needed?

Yes, upstream just removed support for the earlier libmpg123 split method; we do not use it in the mpg123-base and mpg123-output-plugins split we have today, so all should be fine.
Comment 5 Larry the Git Cow gentoo-dev 2025-01-07 19:31:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0abb52ef2636613b4ed5b00c3a8d3f26d48b26c2

commit 0abb52ef2636613b4ed5b00c3a8d3f26d48b26c2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2025-01-07 19:31:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2025-01-07 19:31:51 +0000

    media-plugins/mpg123-output-plugins: dropped obsolete 1.32.3
    
    Bug: https://bugs.gentoo.org/945128
    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-plugins/mpg123-output-plugins/Manifest       |   1 -
 .../mpg123-output-plugins-1.32.3.ebuild            | 106 ---------------------
 2 files changed, 107 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61cb08e4e613fc74d5294387d61e89185029fcc4

commit 61cb08e4e613fc74d5294387d61e89185029fcc4
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2025-01-07 19:31:14 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2025-01-07 19:31:51 +0000

    media-sound/mpg123-base: dropped obsolete 1.32.3
    
    Bug: https://bugs.gentoo.org/945128
    Bug: https://bugs.gentoo.org/942561
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/mpg123-base/Manifest                  |   1 -
 media-sound/mpg123-base/mpg123-base-1.32.3.ebuild | 112 ----------------------
 2 files changed, 113 deletions(-)
Comment 6 Miroslav Šulc gentoo-dev 2025-01-07 19:32:47 UTC
The tree is clean now, you can proceed.
Comment 7 Zdenek Sojka 2025-03-10 10:33:04 UTC
I am observing an LTO-related build issue when upgrading from media-sound/mpg123-base-1.32.9 to media-sound/mpg123-base-1.32.9-r1:

[ebuild     U  ] media-sound/mpg123-base-1.32.9-r1::gentoo [1.32.9::gentoo] USE="alsa pulseaudio sdl (-coreaudio) -int-quality -ipv6 -jack -nas -oss -portaudio" ABI_X86="32 (64) (-x32)" CPU_FLAGS_X86="sse (-3dnow) (-3dnowext) (-mmx)" 0 KiB

possibly due to abi_x86_32:

...
libtool: link: x86_64-pc-linux-gnu-gcc -m32 -mfpmath=sse -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing -O3 -flto=auto -march=native -fomit-frame-pointer -fipa-cp-clone -finline-functions -fno-stack-protector -fno-stack-clash-protection -pipe -D_GNU_SOURCE -Wl,-O1 -Wl,-z -Wl,pack-relative-relocs -o src/.libs/mpg123 src/audio.o src/common.o src/sysutil.o src/control_generic.o src/equalizer.o src/getlopt.o src/httpget.o src/resolver.o src/genre.o src/mpg123.o src/metaprint.o src/local.o src/playlist.o src/streamdump.o src/term.o src/term_posix.o src/net123_exec.o  -Wl,--as-needed src/compat/.libs/libcompat.a src/libmpg123/.libs/libmpg123.so src/libout123/.libs/libout123.so src/libsyn123/.libs/libsyn123.so -lm

/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: error: type of 'mpg123_seek_frame_64' does not match original declaration [-Werror=lto-type-mismatch]
 1118 | MPG123_EXPORT off_t mpg123_seek_frame( mpg123_handle *mh
      |                     ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: return value type mismatch
 1118 | MPG123_EXPORT off_t mpg123_seek_frame( mpg123_handle *mh
      |                     ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: 'mpg123_seek_frame_64' was previously declared here
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1118:21: note: code may be misoptimized unless '-fno-strict-aliasing' is used
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1063:21: error: type of 'mpg123_seek_64' does not match original declaration [-Werror=lto-type-mismatch]
 1063 | MPG123_EXPORT off_t mpg123_seek( mpg123_handle *mh
      |                     ^
/var/tmp/portage/media-sound/mpg123-base-1.32.9-r1/work/mpg123-1.32.9/src/include/mpg123.h:1063:21: note: return value type mismatch
 1063 | MPG123_EXPORT off_t mpg123_seek( mpg123_handle *mh
      |                     ^
...

I will file a separate PR if needed.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-02 02:03:41 UTC
(In reply to Zdenek Sojka from comment #7)
> I am observing LTO-related build issue when upgrading from
> media-sound/mpg123-base-1.32.9 to media-sound/mpg123-base-1.32.9-r1:

Sorry, I'd missed this. FWIW, handled in bug 951124.