Package | mpg123 |
---|---|
Version | 1.23.8-1+deb9u1 (stretch) |
Related CVEs | CVE-2017-9545 CVE-2017-10683 CVE-2017-12797 CVE-2017-12839 CVE-2024-10573 |
mpg123, a popular MPEG layer 1/2/3 audio player, was affected by multiple vulnerabilities.
CVE-2017-9545
The next_text function allowed remote attackers to cause a
denial of service (buffer over-read) via a crafted mp3 file.
CVE-2017-10683
A heap-based buffer over-read was found in the convert_latin1 function.
A crafted input will lead to a remote denial of service attack.
CVE-2017-12797
An integer overflow was found in the INT123_parse_new_id3 function
in the ID3 parser in mpg123 on 32-bit platforms. This vulnerability
allowed remote attackers to cause a denial of service via a crafted
file, which triggers a heap-based buffer overflow.
CVE-2017-12839
A heap-based buffer over-read was found in the getbits function.
This vulnerability allowed remote attackers to cause
a possible denial-of-service (out-of-bounds read) via a
crafted mp3 file.
CVE-2024-10573
An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.
For Debian 9 stretch, these problems have been fixed in version 1.23.8-1+deb9u1.
We recommend that you upgrade your mpg123 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.