Bug 1626083

Summary: libmpg123: Invalid read and segfault on files with part2_3_length == 0
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: ASSIGNED --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: wtaymans
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mpg123 1.25.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1627847, 1627848, 1627849, 1627850    
Bug Blocks: 1626084    

Description Pedro Sampaio 2018-09-06 14:29:39 UTC 
Security flaw fixed in mpg123 1.25.10 release:

libmpg123: Fix another invalid read and segfault on damaged (fuzzed) files with part2_3_length == 0 (set maxband=1, pulled from upcoming 1.26.0).

References:

http://www.mpg123.de/cgi-bin/news.cgi
Comment 1 Wim Taymans 2018-09-07 07:07:25 UTC 
fedora 28, 29 and rawhide have 1.25.10.
Comment 2 Scott Gayou 2018-09-11 15:48:33 UTC 
Upstream Patch:

http://www.mpg123.de/cgi-bin/scm/mpg123?view=revision&sortby=date&revision=4373
Comment 4 Scott Gayou 2018-09-11 16:46:16 UTC 
Looking at the source code, my guess is that this may not apply back to the mpg123 shipped in rhel-7. It looks like the maxband parameter wasn't set to 0 until a later commit and underwent quite a bit of refactoring. (http://www.mpg123.de/cgi-bin/scm/mpg123/trunk/src/libmpg123/layer3.c?sortby=date&r1=4355&r2=4356&pathrev=4373&).
Comment 5 Scott Gayou 2018-09-11 16:59:59 UTC 
Created mpg123 tracking bugs for this issue:

Affects: epel-7 [bug 1627848]
Affects: fedora-all [bug 1627847]