Bug 623786 (CVE-2017-10683, CVE-2017-11126) - <media-sound/mpg123-1.25.2: multiple vulnerabilities (CVE-2017-{10683,11126})
Summary: <media-sound/mpg123-1.25.2: multiple vulnerabilities (CVE-2017-{10683,11126})
Alias: CVE-2017-10683, CVE-2017-11126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2017-12797
Reported: 2017-07-04 10:08 UTC by Agostino Sarubbo
Modified: 2017-11-11 20:39 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+
Description Agostino Sarubbo gentoo-dev 2017-07-04 10:08:16 UTC

Some bug fixes in libmpg123, triggered by me asking for it (fuzzers swaying their aim from LAME towards mpg123):
Avoid memset(NULL, 0, 0) to calm down the paranoid.
Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683.
Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting.
Comment 1 Agostino Sarubbo gentoo-dev 2017-07-05 10:33:26 UTC
unfortunately the first is not fixed upstream, let's wait.
Comment 2 Agostino Sarubbo gentoo-dev 2017-07-12 07:15:36 UTC
Fixed here:

It will be in 1.25.2
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-07-12 13:32:08 UTC
CVE-2017-11126:
  The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1
  allows remote attackers to cause a denial of service (buffer over-read and
  application crash) via a crafted audio file that is mishandled in the code
  for the "block_type != 2" case, a similar issue to CVE-2017-9870.

CVE-2017-10683:
  In mpg123 1.25.0, there is a heap-based buffer over-read in the
  convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a
  remote denial of service attack.
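The description above names an ID3v2 frame-parser read that forgot the offset contributed by the frame flag bytes, and CVE-2017-10683 names a heap over-read in Latin-1 text conversion. The following is an added example, not mpg123's code, of how a bounds-checked ID3v2.4 frame walker accounts for both: it checks every frame size against the tag it lives in, skips the flag-dependent bytes that precede the payload, and converts Latin-1 text without reading past the frame. The frame-flag layout follows the ID3v2.4 specification (grouping identity, encryption and data-length-indicator bits); the sample tags are constructed here, and the function names are this example's own.

```c
/* Added example (not mpg123 code): bounds-checked ID3v2.4 text-frame lookup.
 * Assumed layout follows ID3v2.4: 10-byte tag header, 10-byte frame headers,
 * synchsafe sizes, and a second flag byte whose bits add bytes before the payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ID3_HEADER_LEN   10
#define FRAME_HEADER_LEN 10

/* ID3v2.4 frame format flags (second flag byte) and the bytes each adds. */
#define FF_GROUPING   0x40  /* one grouping-identity byte precedes the payload */
#define FF_ENCRYPTION 0x04  /* one encryption-method byte precedes the payload */
#define FF_DATALEN    0x01  /* four-byte data-length indicator precedes the payload */

/* Synchsafe integer: four bytes, seven significant bits each. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Convert at most len Latin-1 bytes (stopping at NUL) to UTF-8.
 * Reads only [src, src+len); returns bytes written or -1 if out is too small. */
static int latin1_to_utf8(const uint8_t *src, size_t len, char *out, size_t outcap) {
    size_t o = 0;
    if (outcap == 0) return -1;
    for (size_t i = 0; i < len && src[i] != 0; i++) {
        uint8_t c = src[i];
        size_t need = (c < 0x80) ? 1 : 2;
        if (o + need + 1 > outcap) return -1;
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Find the first text frame named want_id (encoding 0 = Latin-1) and decode it.
 * Returns 1 if found, 0 if absent, -1 if the tag is malformed or truncated. */
int id3v24_find_text(const uint8_t *buf, size_t buflen, const char *want_id,
                     char *out, size_t outcap) {
    if (buflen < ID3_HEADER_LEN || memcmp(buf, "ID3", 3) != 0 || buf[3] != 4) return -1;
    uint32_t tagsize = synchsafe(buf + 6);
    if (tagsize > buflen - ID3_HEADER_LEN) return -1;   /* header claims more than we hold */
    size_t pos = ID3_HEADER_LEN, end = ID3_HEADER_LEN + tagsize;
    while (pos + FRAME_HEADER_LEN <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break;                           /* padding reached */
        uint32_t fsize = synchsafe(fh + 4);
        uint8_t flags = fh[9];
        if (fsize > end - pos - FRAME_HEADER_LEN) return -1;  /* frame body exceeds tag */
        /* Flag-dependent bytes sit at the start of the body; the payload begins after them.
         * Forgetting this offset is exactly what misaligns every later read. */
        size_t extra = 0;
        if (flags & FF_GROUPING)   extra += 1;
        if (flags & FF_ENCRYPTION) extra += 1;
        if (flags & FF_DATALEN)    extra += 4;
        if (extra > fsize) return -1;                    /* flags promise bytes the frame lacks */
        const uint8_t *body = fh + FRAME_HEADER_LEN + extra;
        size_t bodylen = fsize - extra;
        if (fh[0] == 'T' && memcmp(fh, want_id, 4) == 0) {
            if (bodylen < 1) return -1;                  /* needs at least the encoding byte */
            if (body[0] != 0) return -1;                 /* only Latin-1 handled in this example */
            return latin1_to_utf8(body + 1, bodylen - 1, out, outcap) < 0 ? -1 : 1;
        }
        pos += FRAME_HEADER_LEN + fsize;
    }
    return 0;
}

/* Constructed sample: TIT2 frame with the grouping flag set, Latin-1 text "Caf\xE9", 2 bytes padding. */
const uint8_t SAMPLE_TAG[] = {
    'I','D','3', 0x04, 0x00, 0x00,  0x00,0x00,0x00,0x12,   /* tag header, size 18 */
    'T','I','T','2', 0x00,0x00,0x00,0x06, 0x00, 0x40,      /* frame header, size 6, grouping flag */
    0x01,                                                 /* grouping-identity byte */
    0x00, 'C','a','f', 0xE9,                              /* encoding 0 + Latin-1 text */
    0x00, 0x00                                            /* padding */
};

/* Constructed sample: same tag, but the frame claims 127 body bytes that are not there. */
const uint8_t SAMPLE_TRUNCATED[] = {
    'I','D','3', 0x04, 0x00, 0x00,  0x00,0x00,0x00,0x12,
    'T','I','T','2', 0x00,0x00,0x00,0x7F, 0x00, 0x40,
    0x01, 0x00, 'C','a','f', 0xE9, 0x00, 0x00
};

int main(void) {
    char title[32];
    int rc = id3v24_find_text(SAMPLE_TAG, sizeof SAMPLE_TAG, "TIT2", title, sizeof title);
    printf("well-formed tag: rc=%d title=%s\n", rc, rc == 1 ? title : "(none)");
    rc = id3v24_find_text(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, "TIT2", title, sizeof title);
    printf("truncated frame: rc=%d\n", rc);
    return 0;
}
```

The two checks that matter are the frame-size check against the enclosing tag and the `extra > fsize` check: a parser that skips either can be steered past the end of the heap buffer holding the tag, which is the over-read class both CVEs describe. The Latin-1 converter is given the payload length explicitly rather than scanning for a NUL it may never find.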
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-07-12 13:34:12 UTC
@ Arches,

please test and mark stable: =media-sound/mpg123-1.25.2
Comment 5 Markus Meier gentoo-dev 2017-07-14 04:57:08 UTC
arm stable
Comment 6 Tobias Klausmann gentoo-dev 2017-07-15 09:58:51 UTC
Stable on alpha.
Comment 7 Tobias Klausmann gentoo-dev 2017-07-15 10:04:41 UTC
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 8 Sergei Trofimovich gentoo-dev 2017-07-15 11:32:03 UTC
ia64 stable
Comment 9 Tobias Klausmann gentoo-dev 2017-07-16 11:13:51 UTC
Stable on alpha.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-08-18 19:43:28 UTC
x86 stable
Comment 12 Sergei Trofimovich gentoo-dev 2017-09-26 08:59:45 UTC
ppc64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2017-09-26 22:28:36 UTC
ppc stable
Comment 14 Sergei Trofimovich gentoo-dev 2017-10-09 17:16:40 UTC
hppa stable
Comment 15 Aleksandr Wagner (Kivak) 2017-10-09 17:48:23 UTC
Stabilization done, thank you arches.

@Maintainer(s): Please clean the vulnerable version from the tree.

Gentoo Security Padawan
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-25 00:26:30 UTC
GLSA Vote: No