mpg123-1.32.9-1.el8_10

エラータID: AXSA:2024-9431:01

Release date: 
Thursday, December 19, 2024 - 22:44
Subject: 
mpg123-1.32.9-1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The mpg123 packages contain real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1, 2, and 3 (most commonly MPEG 1.0 layer 3 also known as MP3), as well as re-usable decoding and output libraries.

Security Fix(es):

* mpg123: Buffer overflow when writing decoded PCM samples (CVE-2024-10573)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-10573
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

Solution: 

Update packages.

CVEs: 
CVE-2024-10573
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Additional Info: 

N/A

Download: 

SRPMS
  1. mpg123-1.32.9-1.el8_10.src.rpm
    MD5: 69ecd52d461154069e8c201ea22f8631
    SHA-256: 793d8eee9112c4cc69233ec8944b6580f038811bbd8436d9797d11cb804e74a4
    Size: 1.08 MB

Asianux Server 8 for x86_64
  1. mpg123-1.32.9-1.el8_10.x86_64.rpm
    MD5: 8ede0e66f8e03998a3aab7e3dab7efa7
    SHA-256: 83cde0b3683a2bf3243031014c929e9fb5735e6caba81974fc549d5a2ddc9fb9
    Size: 151.39 kB
  2. mpg123-devel-1.32.9-1.el8_10.i686.rpm
    MD5: 34941849e8b30a0adc52a17e6aaf1bf0
    SHA-256: 6a36e9225aedfe14af1582e4509061f545568d9a84b5f3e8764d5bff1ae72fad
    Size: 320.98 kB
  3. mpg123-devel-1.32.9-1.el8_10.x86_64.rpm
    MD5: 00428e3b14b2e44d3f478b9714537b65
    SHA-256: 002f93a3cd7595a03c9f725533d2626b86c3e4e64a82e70b122a9854492c1d47
    Size: 320.97 kB
  4. mpg123-libs-1.32.9-1.el8_10.i686.rpm
    MD5: 6d99ea4866bc199c5194b82e672017c4
    SHA-256: be24e87eb26a9b0fe72a7e069c8fba6f8fe094ff17ff223152a4e7045fa9c253
    Size: 366.03 kB
  5. mpg123-libs-1.32.9-1.el8_10.x86_64.rpm
    MD5: 81cb2d2ea501e3238b248291c7ffad97
    SHA-256: e06009303a78a3d5b7c1438fb1f5e22bb28c6cab896c540d2df87b0abde27a97
    Size: 364.07 kB
  6. mpg123-plugins-pulseaudio-1.32.9-1.el8_10.x86_64.rpm
    MD5: da227cdaabb4f3bb64dd9af81b96fa22
    SHA-256: 946cb4e751f2506d61a0a12f14a05767298443bbac59101b448f5ad73ae262f3
    Size: 18.57 kB