MDKSA-2004:120

Package name

mpg123

Date

2004-11-01

Advisory ID

MDKSA-2004:120

Affected versions

CS2.1 x86_64 , 10.0 amd64 , 10.1 i586 , 10.0 i586 , CS2.1 i586 , 10.1 x86_64

Problem description

Carlos Barros discovered two buffer overflow vulnerabilities in mpg123; the first in the getauthfromURL() function and the second in the http_open() function. These vulnerabilities could be exploited to possibly execute arbitrary code with the privileges of the user running mpg123. The provided packages are patched to fix these issues, as well additional boundary checks that were lacking have been included (thanks to the Gentoo Linux Sound Team for these additional fixes).

Updated packages

CS2.1 x86_64

 1974ef15ef340f0c38a9dba8ecc9723f  x86_64/corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.x86_64.rpm
0c38f64a2b5492824947d5aeaddb190a  x86_64/corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm

10.0 amd64

 79de393feac1cb0b307085f3af8d3fdc  amd64/10.0/RPMS/mpg123-0.59r-22.1.100mdk.amd64.rpm
c4d8be742f4e6299c7661d6c66a20d53  amd64/10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm

10.1 i586

 65f24310894911afebb9172aec3eb7a4  10.1/RPMS/mpg123-0.59r-22.1.101mdk.i586.rpm
ed8c0715a350da0d8b8736f78e52de80  10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm

10.0 i586

 e182221a9da782a235dd6ff3db6d5df0  10.0/RPMS/mpg123-0.59r-22.1.100mdk.i586.rpm
c4d8be742f4e6299c7661d6c66a20d53  10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm

CS2.1 i586

 0484f705c2ae6dd6ee6c7183cf5bcc3b  corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.i586.rpm
0c38f64a2b5492824947d5aeaddb190a  corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm

10.1 x86_64

 405f3bfd2b7f8379b0fdc4880b1b84ff  x86_64/10.1/RPMS/mpg123-0.59r-22.1.101mdk.x86_64.rpm
ed8c0715a350da0d8b8736f78e52de80  x86_64/10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0982
• http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt