Daniel Kobras over at Debian passed this on to me. It's fixed in mpg123-0.59s-r9. Archs please mark stable.
I'm the Debian maintainer of mpg123. Recently, we got notified by a user
about (yet another) security problem with layer 2 streams. In a
nutshell, certain parameters in the MPEG header are assumed to be
constant throughout the whole stream, while different, but related
parameters are allowed to vary. This can definitely be abused to read
from illegal positions in memory and crash the app. With a few
indirections, it might even be possible to obtain a heap overflow
situation similar to CAN-2004-0805. Anyway, severity seems rather low,
but we decided to treat this as a security issue. Our security team has
assigned CAN-2004-0991 for it. The bug was discovered and investigated
by Yuri D'Elia. I've coded the attached fix for 0.59r and thought I pass
it on to you, even if it doesn't apply cleanly to Gentoo's pre-0.59s.
Looks like the header decoding has been cleaned up a bit in between, but
the bug might still be present. If you need more information about the
issue, please let me know, and I'll try to dig out some.
Stable on ppc.
marked stable ppc64 for corsair.
Groovy IA64 magic done; removing from CC.
Stable on hppa.
Stable on alpha.
Stable on mips.