Package name: mpg123
Date: 2009-04-22
Advisory ID: MDVSA-2009:093
Affected versions: 2009.0 x86_64, 2009.0 i586, 2008.1 x86_64, 2008.1 i586

Problem description

A vulnerability has been found and corrected in mpg123:

Integer signedness error in the store_id3_text function in the
ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a
denial of service (out-of-bounds memory access) and possibly execute
arbitrary code via an ID3 tag with a negative encoding value. NOTE:
some of these details are obtained from third party information
(CVE-2009-1301).

The updated packages have been patched to correct this issue.
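
The bug class described above, as an added illustration that is not mpg123's own code: an encoding byte held in a signed type passes an upper-bound-only check when it is negative, while an unsigned comparison rejects it. The function names, the lookup table and the sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* ID3v2 text frames start with one encoding byte; ID3v2.4 defines 0..3. */
#define ENCODING_COUNT 4
static const char *const encoding_names[ENCODING_COUNT] = {
    "ISO-8859-1", "UTF-16 with BOM", "UTF-16BE", "UTF-8"
};

/* Hypothetical flawed pattern: the byte is stored in a signed type.
 * On common two's-complement platforms 0x80..0xFF become -128..-1.
 * Returns the index such code would go on to use (never dereferenced here). */
int flawed_index(unsigned char raw)
{
    signed char encoding = (signed char)raw;
    return encoding;
}

/* Upper-bound-only validation, as in a signedness bug: negative values
 * are "less than 4" and are accepted. Returns 1 when the value passes. */
int accepts_signed(unsigned char raw)
{
    return flawed_index(raw) < ENCODING_COUNT;   /* no lower bound */
}

/* Hardened form: keep the byte unsigned so one comparison covers both ends.
 * Returns the encoding name, or NULL when the frame must be rejected. */
const char *lookup_encoding(unsigned char raw)
{
    if (raw >= ENCODING_COUNT)
        return NULL;
    return encoding_names[raw];
}

int main(void)
{
    /* Constructed sample encoding bytes, not taken from a real file. */
    const unsigned char samples[] = { 0x00, 0x03, 0x04, 0x7F, 0x80, 0xFF };
    for (size_t i = 0; i < sizeof samples; i++) {
        const char *name = lookup_encoding(samples[i]);
        printf("0x%02X  signed check: %s (index %d)  hardened: %s\n",
               samples[i],
               accepts_signed(samples[i]) ? "accept" : "reject",
               flawed_index(samples[i]),
               name ? name : "reject");
    }
    return 0;
}
```

Bytes 0x80 and 0xFF are accepted by the signed check with indices -128 and -1, which is the out-of-bounds condition; the hardened lookup rejects both.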

Updated packages

2009.0 x86_64

 55456399081d421116e15fb5c6142047  2009.0/x86_64/lib64mpg123_0-1.5.1-1.1mdv2009.0.x86_64.rpm
 61ee85441821a474afc3c5bbc078fe3a  2009.0/x86_64/lib64mpg123-devel-1.5.1-1.1mdv2009.0.x86_64.rpm
 a6862814757d750351cf2e5ae2a63513  2009.0/x86_64/mpg123-1.5.1-1.1mdv2009.0.x86_64.rpm
 9dd1fe35d257e3b572f62a1b84973539  2009.0/x86_64/mpg123-arts-1.5.1-1.1mdv2009.0.x86_64.rpm
 9c3352756eb2d47674b78c06d64af245  2009.0/x86_64/mpg123-esd-1.5.1-1.1mdv2009.0.x86_64.rpm
 6861a571d67491f5f682f28ba20791b0  2009.0/x86_64/mpg123-jack-1.5.1-1.1mdv2009.0.x86_64.rpm
 d68a98de48576e1ae59ff7416310722d  2009.0/x86_64/mpg123-nas-1.5.1-1.1mdv2009.0.x86_64.rpm
 41300cdbaecbb9076be86523c02fcd02  2009.0/x86_64/mpg123-portaudio-1.5.1-1.1mdv2009.0.x86_64.rpm
 f5cfbb7a0924144907727d3243dc36bb  2009.0/x86_64/mpg123-pulse-1.5.1-1.1mdv2009.0.x86_64.rpm
 7a4befb77ac872c102d62b479729c4bf  2009.0/x86_64/mpg123-sdl-1.5.1-1.1mdv2009.0.x86_64.rpm 
 33c0c1eca9214ae675ee64e5f60a5680  2009.0/SRPMS/mpg123-1.5.1-1.1mdv2009.0.src.rpm

2009.0 i586

 55d2e58aac27199d56fafa090f304e1d  2009.0/i586/libmpg123_0-1.5.1-1.1mdv2009.0.i586.rpm
 12c5fd3ed53e3acde2fd864adb71f3a2  2009.0/i586/libmpg123-devel-1.5.1-1.1mdv2009.0.i586.rpm
 bdd8379acaf7ee7ae7cab0f33171894e  2009.0/i586/mpg123-1.5.1-1.1mdv2009.0.i586.rpm
 1cf33578ede2faf231beb65ba87d44f6  2009.0/i586/mpg123-arts-1.5.1-1.1mdv2009.0.i586.rpm
 fb3a2408082c979e8c0113f4f75bd2ae  2009.0/i586/mpg123-esd-1.5.1-1.1mdv2009.0.i586.rpm
 6cf812ce20e713b3348da94148591531  2009.0/i586/mpg123-jack-1.5.1-1.1mdv2009.0.i586.rpm
 cf104d9c646ad25aa3f8fdfe2397d7a1  2009.0/i586/mpg123-nas-1.5.1-1.1mdv2009.0.i586.rpm
 25deb84bde82e41deb31bfa2baaa081a  2009.0/i586/mpg123-portaudio-1.5.1-1.1mdv2009.0.i586.rpm
 278145ef704f391efa4d47b1b6560797  2009.0/i586/mpg123-pulse-1.5.1-1.1mdv2009.0.i586.rpm
 12249c606e9091db23e7e8679cc62a59  2009.0/i586/mpg123-sdl-1.5.1-1.1mdv2009.0.i586.rpm 
 33c0c1eca9214ae675ee64e5f60a5680  2009.0/SRPMS/mpg123-1.5.1-1.1mdv2009.0.src.rpm

2008.1 x86_64

 80de2daf3547f24a55b11eb4081d8764  2008.1/x86_64/lib64mpg123_0-1.3.0-2.1mdv2008.1.x86_64.rpm
 f316f27f7c2649ab4a11d370fdd77a57  2008.1/x86_64/lib64mpg123-devel-1.3.0-2.1mdv2008.1.x86_64.rpm
 fbf5a5cb6f12573a918cc65087aaf886  2008.1/x86_64/mpg123-1.3.0-2.1mdv2008.1.x86_64.rpm
 ff1337fe890fd39ba17e78446d594501  2008.1/x86_64/mpg123-arts-1.3.0-2.1mdv2008.1.x86_64.rpm
 45cbe7842f7ad497d5a199e1b0965682  2008.1/x86_64/mpg123-esd-1.3.0-2.1mdv2008.1.x86_64.rpm
 603a552d7c630b8978976dd685cd26b5  2008.1/x86_64/mpg123-jack-1.3.0-2.1mdv2008.1.x86_64.rpm
 9921ffe979eabac108a1a36e4b0d5dd2  2008.1/x86_64/mpg123-nas-1.3.0-2.1mdv2008.1.x86_64.rpm
 68a74b613c67555f17784d5c4713648c  2008.1/x86_64/mpg123-portaudio-1.3.0-2.1mdv2008.1.x86_64.rpm
 72a05a1eebcc661707399d8d6f331ba1  2008.1/x86_64/mpg123-pulse-1.3.0-2.1mdv2008.1.x86_64.rpm
 c8c753e156be443afba158363dd3e39a  2008.1/x86_64/mpg123-sdl-1.3.0-2.1mdv2008.1.x86_64.rpm 
 7f2b01f872bef312145e9457d40915e0  2008.1/SRPMS/mpg123-1.3.0-2.1mdv2008.1.src.rpm

2008.1 i586

 841bd47d2b98cea2d6599b06b8f37941  2008.1/i586/libmpg123_0-1.3.0-2.1mdv2008.1.i586.rpm
 e12f7c088f18cd8bb23fbe020110c549  2008.1/i586/libmpg123-devel-1.3.0-2.1mdv2008.1.i586.rpm
 b34bad8d5898df44ac1d0bec68e89177  2008.1/i586/mpg123-1.3.0-2.1mdv2008.1.i586.rpm
 07e785c76d1966af59261e15444c7bd5  2008.1/i586/mpg123-arts-1.3.0-2.1mdv2008.1.i586.rpm
 4062000a7af212ca1966207ffbe5801e  2008.1/i586/mpg123-esd-1.3.0-2.1mdv2008.1.i586.rpm
 1bba6b00c83a8286d025af3610ca3aae  2008.1/i586/mpg123-jack-1.3.0-2.1mdv2008.1.i586.rpm
 ca8cecc89792bb9a642eea1cb998b6ed  2008.1/i586/mpg123-nas-1.3.0-2.1mdv2008.1.i586.rpm
 06d2112fd4e1ee796b58449344e68c62  2008.1/i586/mpg123-portaudio-1.3.0-2.1mdv2008.1.i586.rpm
 6b59b19a0762c7758e95886ab0beee84  2008.1/i586/mpg123-pulse-1.3.0-2.1mdv2008.1.i586.rpm
 e8a971e1baabaaa3b537bf09a41a60a9  2008.1/i586/mpg123-sdl-1.3.0-2.1mdv2008.1.i586.rpm 
 7f2b01f872bef312145e9457d40915e0  2008.1/SRPMS/mpg123-1.3.0-2.1mdv2008.1.src.rpm

References