The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.
Debian bug report suggests this is an issue with mpg321?
Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6, please advise if the version in tree contains this fix.
(In reply to Yury German from comment #2)
> Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6,
> please advise if the version in tree contains this fix.
I haven't tested on Fedora but the build log from that version (git+https://src.fedoraproject.org/rpms/libmad.git#f34ffbead19e2214ba880d66a24f7cf31fee682b) shows that two patches
> Patch6: length-check.patch
> Patch7: md_size.diff
When I add these patches to our libmad version I still get the same crash with the PoC from $URL.
(In reply to Andreas Sturmlechner from comment #1)
> Debian bug report suggests this is an issue with mpg321?
Well, the backtrace from $URL clearly shows that it's crashing in libmad. So libmad needs to be patched. In the case of Debian: according to my understanding they applied https://sources.debian.org/src/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch/ to error out early on bad data like that used in the PoC, before reaching the vulnerable libmad. However, with this patch applied, I still see mpg321 crashing when using the PoC.
I doubt that this is fixed somewhere.
Correction: Looks like handle_illegal_bitrate_value.patch is for CVE-2019-14247 (bug 711918).
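As an added illustration of the early-rejection idea discussed in comment 4 (this is not code from libmad, mpg321 or the Debian patch): a C check on the 4-byte MPEG audio frame header that refuses the illegal bitrate index (1111) and the other reserved field values before any frame is handed to a decoder. The sample headers are constructed for this demonstration and are not taken from the PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating one MPEG audio frame header. */
enum mp3_hdr_status {
    MP3_HDR_OK = 0,
    MP3_HDR_SHORT,           /* fewer than 4 bytes available         */
    MP3_HDR_NO_SYNC,         /* 11-bit frame sync (all ones) missing  */
    MP3_HDR_BAD_VERSION,     /* MPEG version id 01 is reserved        */
    MP3_HDR_BAD_LAYER,       /* layer id 00 is reserved               */
    MP3_HDR_BAD_BITRATE,     /* bitrate index 1111 is illegal         */
    MP3_HDR_BAD_SAMPLERATE   /* sampling-rate index 11 is reserved    */
};

/* Check the header at buf[0..3]; only frames that return MP3_HDR_OK should
 * reach the decoder. Bit layout, MSB first:
 * sync(11) version(2) layer(2) protection(1) bitrate(4) samplerate(2) ... */
enum mp3_hdr_status mp3_check_header(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return MP3_HDR_SHORT;
    uint32_t h = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if ((h >> 21) != 0x7FF)        return MP3_HDR_NO_SYNC;
    if (((h >> 19) & 0x3) == 1)    return MP3_HDR_BAD_VERSION;
    if (((h >> 17) & 0x3) == 0)    return MP3_HDR_BAD_LAYER;
    if (((h >> 12) & 0xF) == 0xF)  return MP3_HDR_BAD_BITRATE;
    if (((h >> 10) & 0x3) == 3)    return MP3_HDR_BAD_SAMPLERATE;
    return MP3_HDR_OK;
}

/* Constructed sample headers (not from the bug report's PoC). */
/* MPEG-1 Layer III, 128 kbit/s, 44.1 kHz: a well-formed header. */
const uint8_t kGoodHeader[4] = { 0xFF, 0xFB, 0x90, 0x00 };
/* Same, but bitrate index 1111: the illegal value to reject up front. */
const uint8_t kIllegalBitrateHeader[4] = { 0xFF, 0xFB, 0xF0, 0x00 };
/* Same, but sampling-rate index 11 (reserved). */
const uint8_t kReservedSamplerateHeader[4] = { 0xFF, 0xFB, 0x9C, 0x00 };

int main(void)
{
    static const char *names[] = { "ok", "short", "no sync", "bad version",
                                   "bad layer", "bad bitrate", "bad samplerate" };
    printf("good header:         %s\n", names[mp3_check_header(kGoodHeader, 4)]);
    printf("illegal bitrate:     %s\n", names[mp3_check_header(kIllegalBitrateHeader, 4)]);
    printf("reserved samplerate: %s\n", names[mp3_check_header(kReservedSamplerateHeader, 4)]);
    return 0;
}
```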