Daniel Kobras over at Debian passed this on to me. It's fixed in mpg123-0.59s-r9. Archs please mark stable.

Moi Jeremy!

I'm the Debian maintainer of mpg123. Recently, we got notified by a user about (yet another) security problem with layer 2 streams. In a nutshell, certain parameters in the MPEG header are assumed to be constant throughout the whole stream, while different, but related parameters are allowed to vary. This can definitely be abused to read from illegal positions in memory and crash the app. With a few indirections, it might even be possible to obtain a heap overflow situation similar to CAN-2004-0805.

Anyway, severity seems rather low, but we decided to treat this as a security issue. Our security team has assigned CAN-2004-0991 for it. The bug was discovered and investigated by Yuri D'Elia.

I've coded the attached fix for 0.59r and thought I'd pass it on to you, even if it doesn't apply cleanly to Gentoo's pre-0.59s. Looks like the header decoding has been cleaned up a bit in between, but the bug might still be present. If you need more information about the issue, please let me know, and I'll try to dig out some.

Regards,
Daniel.
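An added example, not code from mpg123, the Debian patch, or anyone in this thread: a defensive check that re-parses every MPEG audio frame header and reports the first frame whose fields differ from frame 0 in ways a decoder might have cached. Which fields are treated as stream-constant (version, layer, sampling rate, mono versus two-channel) is an assumption made for this example, since the report does not name them; the function names and sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Fields of a 32-bit MPEG audio frame header that size decoder tables. */
struct mpa_hdr {
    unsigned version;  /* 3 = MPEG-1, 2 = MPEG-2, 0 = MPEG-2.5, 1 = reserved */
    unsigned layer;    /* 3 = Layer I, 2 = Layer II, 1 = Layer III, 0 = reserved */
    unsigned bitrate;  /* bitrate index; 15 is invalid */
    unsigned srate;    /* sampling-rate index; 3 is reserved */
    unsigned mode;     /* 0 stereo, 1 joint stereo, 2 dual channel, 3 mono */
};

/* Constructed sample headers (MPEG-1 Layer II, 44.1 kHz). */
static const uint32_t SAMPLE_VBR[]    = { 0xFFFDA000u, 0xFFFD8000u };
static const uint32_t SAMPLE_SWITCH[] = { 0xFFFDA000u, 0xFFFD8000u, 0xFFFDA0C0u };

/* Parse one header word; 0 on success, -1 on bad sync or reserved values. */
int mpa_parse(uint32_t w, struct mpa_hdr *h)
{
    if ((w >> 21) != 0x7FFu)
        return -1;
    h->version = (w >> 19) & 3u;
    h->layer   = (w >> 17) & 3u;
    h->bitrate = (w >> 12) & 15u;
    h->srate   = (w >> 10) & 3u;
    h->mode    = (w >> 6) & 3u;
    if (h->version == 1 || h->layer == 0 || h->bitrate == 15 || h->srate == 3)
        return -1;
    return 0;
}

/* Index of the first frame that fails to parse or disagrees with frame 0 on
 * the assumed stream-constant fields; -1 if all frames are consistent.
 * The bitrate index may change between frames (variable bitrate). */
long mpa_first_inconsistent(const uint32_t *hdrs, size_t n)
{
    struct mpa_hdr first, cur;
    if (n == 0) return -1;
    if (mpa_parse(hdrs[0], &first) != 0) return 0;
    for (size_t i = 1; i < n; i++) {
        if (mpa_parse(hdrs[i], &cur) != 0) return (long)i;
        if (cur.version != first.version || cur.layer != first.layer ||
            cur.srate != first.srate ||
            (cur.mode == 3) != (first.mode == 3))
            return (long)i;
    }
    return -1;
}
```

A decoder that finds such a frame can either reject the stream or rebuild every table derived from the changed fields before decoding that frame.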
Stable on ppc.
marked stable ppc64 for corsair.
Groovy IA64 magic done; removing from CC.
Stable on hppa.
Stable on alpha.
Stable on mips.
GLSA 200501-14