There's a out-of-bounds write issue in mpg123, the vulnerability is located when handling crafted streams. During the decoding of PCM the libmpg123 may write past the end of a heap located buffer, as consequence heap corruption may happen and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload needs to be validated by the MPEG decoder and by the PCM synth before being executed. Additionally to successfully execute the attack,the user needs to scan through the stream making web live stream content (such as web radios) a very unlikely attack vector.
Upstream fixes are located at: https://scm.orgis.org/mpg123/branches/1.31-fixes/
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:11193 https://access.redhat.com/errata/RHSA-2024:11193
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:11242 https://access.redhat.com/errata/RHSA-2024:11242