The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.
Debian bug report suggests this is an issue with mpg321?
Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6, please advise if the version in tree contains this fix.
(In reply to Yury German from comment #2)
> Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6,
> please advise if the version in tree contains this fix.
I haven't tested on Fedora, but the build log from that version (git+https://src.fedoraproject.org/rpms/libmad.git#f34ffbead19e2214ba880d66a24f7cf31fee682b) shows two patches:
> Patch6: length-check.patch
> Patch7: md_size.diff
When I add these patches to our libmad version I still get the same crash with the PoC from $URL.
(In reply to Andreas Sturmlechner from comment #1)
> Debian bug report suggests this is an issue with mpg321?
Well, the backtrace from $URL clearly shows that it's crashing in libmad. So libmad needs to be patched. In the case of Debian: according to my understanding they applied https://sources.debian.org/src/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch/ to error out early in case of bad data like that used in the PoC, before reaching vulnerable libmad. However, with this patch applied, I still see mpg321 crashing when using the PoC.
I doubt that this is fixed somewhere.
Correction: Looks like handle_illegal_bitrate_value.patch is for CVE-2019-14247 (bug 711918).
I cannot reproduce the issue:
$ mpg321-mpg123 libmad_0.15.1b_memory_corruption.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Title : ExifTool Test Artist : Phil Harvey
Album : Phil's Greatest Hits Year : 2005
Comment : My Comments Genre : Testing
Illegal bit allocation value
Playing MPEG stream from libmad_0.15.1b_memory_corruption.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
[0:00] Decoding of libmad_0.15.1b_memory_corruption.mp3 finished.
So I suppose you can proceed.