Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 500262 (CVE-2014-9497) - <media-sound/mpg123-1.18.1: MP3 Decoding Buffer Overflow Vulnerability
Summary: <media-sound/mpg123-1.18.1: MP3 Decoding Buffer Overflow Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2014-9497
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56729/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-04 10:41 UTC by Agostino Sarubbo
Modified: 2015-02-06 15:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-04 10:41:47 UTC
From ${URL} :

Description

A vulnerability has been reported in mpg123, which can be exploited by malicious people to potentially 
compromise a user's system.

The vulnerability is caused due to an error when decoding MP3 files and can be exploited to cause a 
heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 1.18.0.


Solution:
Update to version 1.18.0.

Provided and/or discovered by:
PAN Myautsai in a bug report.

Original Advisory:
http://mpg123.org/cgi-bin/news.cgi


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-02-04 19:06:39 UTC
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

Sure, go ahead.
Comment 2 Sergey Popov gentoo-dev 2014-05-11 12:54:54 UTC
Arches, please test and mark stable =media-sound/mpg123-1.18.1

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-12 14:19:32 UTC
(In reply to Sergey Popov from comment #2)
> Arches, please test and mark stable

=media-sound/mpg123-1.18.1
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-12 15:04:15 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-05-17 10:39:27 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-05-17 10:39:55 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-05-17 13:50:59 UTC
alpha stable
Comment 8 Markus Meier gentoo-dev 2014-05-25 18:49:28 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-06-08 10:42:18 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-06-08 10:45:56 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-06-08 10:49:15 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-06-08 10:51:51 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 00:35:07 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

New GLSA Request filed.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-12-14 15:59:33 UTC
Cleanup done.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-06 15:20:14 UTC
This issue was resolved and addressed in
 GLSA 201502-01 at http://security.gentoo.org/glsa/glsa-201502-01.xml
by GLSA coordinator Mikle Kolyada (Zlogene).