Bug 626346 (CVE-2017-9545)

Summary: <media-sound/mpg123-1.25.10-r1: denial of service (buffer over-read) via a crafted mp3 file
Product: Gentoo Security
Reporter: Christopher Díaz Riveros (RETIRED) <chrisadr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: sound, thomas-forum
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-9545
Whiteboard: B3 [noglsa cve]
Package list:
media-sound/mpg123-1.25.10-r1
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-27 10:35:07 UTC
From URL:

The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-08-22 22:42:50 UTC
Why not simply stabilise 1.25.10 then...
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-24 01:41:28 UTC
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-24 02:16:40 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:52:52 UTC
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:54:04 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:55:56 UTC
ppc64 stable
Comment 7 Rolf Eike Beer archtester 2018-09-04 19:27:04 UTC
sparc done.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-13 14:34:28 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-09-19 16:57:58 UTC
arm stable, all arches done.
Comment 10 Larry the Git Cow gentoo-dev 2018-09-20 15:22:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c01b0308e5930c14617b37612328345d14f384d

commit 7c01b0308e5930c14617b37612328345d14f384d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-20 13:09:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-20 15:22:33 +0000

    media-sound/mpg123: Security cleanup
    
    Bug: https://bugs.gentoo.org/626346
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-sound/mpg123/Manifest             |   2 -
 media-sound/mpg123/mpg123-1.25.6.ebuild | 103 --------------------------------
 media-sound/mpg123/mpg123-1.25.8.ebuild | 103 --------------------------------
 3 files changed, 208 deletions(-)
Comment 11 Michael Boyle 2018-09-21 01:13:02 UTC
@security, please vote.

Security Padawan
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2018-09-30 21:26:10 UTC
GLSA Vote No.

Thank you all for your work.
Closing as [noglsa].