Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 623786 (CVE-2017-10683, CVE-2017-11126) - <media-sound/mpg123-1.25.2: multiple vulnerabilities (CVE-2017-{10683,11126})
Summary: <media-sound/mpg123-1.25.2: multiple vulnerabilities (CVE-2017-{10683,11126})
Status: RESOLVED FIXED
Alias: CVE-2017-10683, CVE-2017-11126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-12797
Blocks:
  Show dependency tree
 
Reported: 2017-07-04 10:08 UTC by Agostino Sarubbo
Modified: 2017-11-11 20:39 UTC (History)
1 user (show)

See Also:
Package list:
media-sound/mpg123-1.25.2
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-04 10:08:16 UTC 
https://blogs.gentoo.org/ago/2017/07/03/mpg123-global-buffer-overflow-in-iii_i_stereo-layer3-c/
http://www.openwall.com/lists/oss-security/2017/06/28/15

NEWS:
Some bug fixes in libmpg123, triggered by me asking for it (fuzzers swaying their aim from LAME towards mpg123):
Avoid memset(NULL, 0, 0) to calm down the paranoid.
Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683.
Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting.
Comment 1 Agostino Sarubbo gentoo-dev 2017-07-05 10:33:26 UTC 
unfortunately the first is not fixed upstream, let's wait.
Comment 2 Agostino Sarubbo gentoo-dev 2017-07-12 07:15:36 UTC 
Fixed here:
https://scm.orgis.org/view/mpg123/trunk/src/libmpg123/layer3.c?view=patch&r1=4275&r2=4274&pathrev=4275

It will be in 1.25.2
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-07-12 13:32:08 UTC 
CVE-2017-11126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11126):
  The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1
  allows remote attackers to cause a denial of service (buffer over-read and
  application crash) via a crafted audio file that is mishandled in the code
  for the "block_type != 2" case, a similar issue to CVE-2017-9870.

CVE-2017-10683 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10683):
  In mpg123 1.25.0, there is a heap-based buffer over-read in the
  convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a
  remote denial of service attack.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-12 13:34:12 UTC 
@ Arches,

please test and mark stable: =media-sound/mpg123-1.25.2
Comment 5 Markus Meier gentoo-dev 2017-07-14 04:57:08 UTC 
arm stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 09:58:51 UTC 
Stable on alpha.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-15 10:04:41 UTC 
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.

Bullshit. Amd64 stable.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-07-15 11:32:03 UTC 
ia64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 11:13:51 UTC 
Stable on alpha.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 19:43:28 UTC 
x86 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:09:43 UTC 
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-26 08:59:45 UTC 
ppc64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-26 22:28:36 UTC 
ppc stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-09 17:16:40 UTC 
hppa stable
Comment 15 Aleksandr Wagner (Kivak) 2017-10-09 17:48:23 UTC 
Stabilization done, thank you arches.

@Maintainer(s): Please clean the vulnerable version from the tree.

Gentoo Security Padawan
Kivak
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-10-25 00:26:30 UTC 
GLSA Vote: No