Debian Security Advisory

DSA-564-1 mpg123 -- missing user input sanitising

Date Reported:

13 Oct 2004

Affected Packages:

mpg123

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2004-0805.

More information:

Davide Del Vecchio discovered a vulnerability in mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player. A malicious MPEG layer 2/3 file could cause the header checks in mpg123 to fail, which could in turn allow arbitrary code to be executed with the privileges of the user running mpg123.

For the stable distribution (woody) this problem has been fixed in version 0.59r-13woody3.

For the unstable distribution (sid) this problem has been fixed in version 0.59r-16.

We recommend that you upgrade your mpg123 package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3.dsc; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3.diff.gz; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_alpha.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_alpha.deb
ARM:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_i386.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_i386.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-nas_0.59r-13woody3_i386.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-13woody3_i386.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-i486_0.59r-13woody3_i386.deb
HPPA:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_m68k.deb
PowerPC:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_powerpc.deb; http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.