Bug 1626083 - libmpg123: Invalid read and segfault on files with part2_3_length == 0
Summary: libmpg123: Invalid read and segfault on files with part2_3_length == 0
Keywords:
Status: ASSIGNED
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1627847 1627848 1627849 1627850
Blocks: 1626084
 
Reported: 2018-09-06 14:29 UTC by Pedro Sampaio
Modified: 2023-07-07 08:32 UTC

Fixed In Version: mpg123 1.25.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2018-09-06 14:29:39 UTC
Security flaw fixed in mpg123 1.25.10 release:

libmpg123: Fix another invalid read and segfault on damaged (fuzzed) files with part2_3_length == 0 (set maxband=1, pulled from upcoming 1.26.0).

References:

http://www.mpg123.de/cgi-bin/news.cgi

Comment 1 Wim Taymans 2018-09-07 07:07:25 UTC
Fedora 28, 29 and rawhide have 1.25.10.

Comment 4 Scott Gayou 2018-09-11 16:46:16 UTC
Looking at the source code, my guess is that this may not apply back to the mpg123 shipped in rhel-7. It looks like the maxband parameter wasn't set to 0 until a later commit and underwent quite a bit of refactoring. (http://www.mpg123.de/cgi-bin/scm/mpg123/trunk/src/libmpg123/layer3.c?sortby=date&r1=4355&r2=4356&pathrev=4373&).

Comment 5 Scott Gayou 2018-09-11 16:59:59 UTC
Created mpg123 tracking bugs for this issue:

Affects: epel-7 [bug 1627848]
Affects: fedora-all [bug 1627847]

