Source: mpg123
Version: 0.59f-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: fixed -1 1.32.8-1

Forwarding this from <https://www.openwall.com/lists/oss-security/2024/10/30/2>:

> There is a possible buffer overflow
> (writing of decoded PCM samples beyond the allocated output buffer) for
> streams that change output properties together with certain usage of
> libmpg123. This needed seeking around in the stream (including scanning
> it before actual decoding) to trigger. So, your usual web radio stream
> as an obvious attack vector is unlikely, as you won't seek around in it.
> If you do work with stream dumps, usage of MPG123_NO_FRANKENSTEIN or
> the --no-frankenstein option to the mpg123 application is a workaround
> to avoid the formerly dangerous situation in earlier mpg123 releases.
> This also means that mpg123 will not decode streams of concatenated
> files with either varying format or leading Info frames past the first
> track anymore.

…

> Exploitation of this is not trivial, but I cannot rule out the
> possibility of gaining code execution.

…

> Basically any version of mpg123 is affected by this, at least those
> that explicitly support so-called Frankenstein streams.

There is currently no CVE ID allocated.

    smcv
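The bug class the quoted post describes, reduced to a constructed model that is not libmpg123 code and not part of the bug report: a PCM output buffer sized from the first frame's format, then a later frame from a concatenated ("Frankenstein") track that decodes to more bytes than that buffer holds. `naive_overrun_bytes()` reports how far a decoder that never re-checks the buffer would write past its end (without performing the write); `decode_frame()` is the hardened form, which either rejects the format change (the role MPG123_NO_FRANKENSTEIN / --no-frankenstein plays in the quoted workaround) or grows the buffer before writing. The `struct frame` layout, function names and the sample stream are all assumptions made for this example.

```c
/* Constructed model of "PCM written beyond the output buffer on a mid-stream
 * format change". NOT libmpg123 code; names and frame layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded MPEG frame, reduced to the properties that size its PCM output. */
struct frame {
    long rate;      /* sample rate in Hz */
    int  channels;  /* 1 or 2 */
    int  samples;   /* samples per channel (1152 for MPEG-1 layer III) */
};

/* Bytes of 16-bit interleaved PCM that one frame decodes to. */
static size_t frame_pcm_bytes(const struct frame *f)
{
    return (size_t)f->samples * (size_t)f->channels * sizeof(int16_t);
}

static int same_format(const struct frame *a, const struct frame *b)
{
    return a->rate == b->rate && a->channels == b->channels && a->samples == b->samples;
}

/* Naive decoder: buffer sized once from the first frame, every later frame
 * written into it unchecked. Returns the largest number of bytes such a
 * decoder would write past the end of its buffer; no write is performed. */
size_t naive_overrun_bytes(const struct frame *frames, size_t n)
{
    if (n == 0) return 0;
    size_t cap = frame_pcm_bytes(&frames[0]);
    size_t worst = 0;
    for (size_t i = 1; i < n; i++) {
        size_t need = frame_pcm_bytes(&frames[i]);
        if (need > cap && need - cap > worst) worst = need - cap;
    }
    return worst;
}

enum { DEC_ERR_FRANKENSTEIN = -1, DEC_ERR_NOMEM = -2 };

struct decoder {
    struct frame fmt;     /* format the output buffer is currently sized for */
    unsigned char *out;
    size_t cap;
    int no_frankenstein;  /* mirrors the role of MPG123_NO_FRANKENSTEIN (assumption) */
};

/* Hardened decode of one frame. On a format change, either reject the stream
 * (no_frankenstein) or grow the buffer before writing. Returns bytes written
 * or a DEC_ERR_* value. */
long decode_frame(struct decoder *d, const struct frame *f)
{
    if (!same_format(&d->fmt, f)) {
        if (d->no_frankenstein) return DEC_ERR_FRANKENSTEIN;
        size_t need = frame_pcm_bytes(f);
        if (need > d->cap) {
            unsigned char *p = realloc(d->out, need);
            if (!p) return DEC_ERR_NOMEM;
            d->out = p;
            d->cap = need;
        }
        d->fmt = *f;
    }
    size_t len = frame_pcm_bytes(f);
    memset(d->out, 0, len);  /* stand-in for real PCM; len <= cap by construction */
    return (long)len;
}

/* Decode a whole stream; returns total PCM bytes or the first error. */
long run_stream(const struct frame *frames, size_t n, int no_frankenstein)
{
    if (n == 0) return 0;
    struct decoder d = { frames[0], NULL, 0, no_frankenstein };
    d.cap = frame_pcm_bytes(&frames[0]);
    d.out = malloc(d.cap);
    if (!d.out) return DEC_ERR_NOMEM;
    long total = 0;
    for (size_t i = 0; i < n; i++) {
        long r = decode_frame(&d, &frames[i]);
        if (r < 0) { total = r; break; }
        total += r;
    }
    free(d.out);
    return total;
}

/* Constructed sample stream: a mono track followed by a stereo track at a
 * different rate, i.e. two files concatenated into one "Frankenstein" stream. */
const struct frame sample_stream[3] = {
    { 44100, 1, 1152 },
    { 44100, 2, 1152 },
    { 48000, 2, 1152 },
};

int main(void)
{
    printf("naive decoder would overrun by %zu bytes\n", naive_overrun_bytes(sample_stream, 3));
    printf("no_frankenstein=1: %ld\n", run_stream(sample_stream, 3, 1));
    printf("no_frankenstein=0: %ld bytes of PCM\n", run_stream(sample_stream, 3, 0));
    return 0;
}
```

The point of the model is the check in `decode_frame()`: the output size must be re-derived from the frame actually being decoded, not from the format seen when the buffer was allocated. Rejecting the change outright is the conservative option the quoted workaround takes, at the cost of no longer decoding concatenated tracks of differing format.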