Recommended update for mpg123 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2409-1 Final 1 1 2017-09-11T07:06:43Z current 2017-09-11T07:06:43Z 2017-09-11T07:06:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for mpg123 This update for mpg123 fixes the following issues: - Update to version 1.25.6 * Hotfix for bug 255: Overflow reading frame data bits in layer II decoding. Now, all-zero data is returned if the frame data is exhausted. This might have a slight impact on performance, but not easily measurable so far. - Update to version 1.25.5 * Avoid another buffer read overflow in the ID3 parser on 32 bit platforms (bug 254). (CVE-2017-12797/boo#1056999) - Update to version 1.25.4 libmpg123: * Prevent harmless call to memcpy(NULL, NULL, 0). * More early checking of ID3v2 encoding values to avoid bogus text being stored. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-09/msg00044.html E-Mail link for openSUSE-SU-2017:2409-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 libmpg123-0-1.25.6-7.1 libmpg123-0-32bit-1.25.6-7.1 libout123-0-1.25.6-7.1 libout123-0-32bit-1.25.6-7.1 mpg123-1.25.6-7.1 mpg123-devel-1.25.6-7.1 mpg123-devel-32bit-1.25.6-7.1 mpg123-esound-1.25.6-7.1 mpg123-esound-32bit-1.25.6-7.1 mpg123-jack-1.25.6-7.1 mpg123-jack-32bit-1.25.6-7.1 mpg123-openal-1.25.6-7.1 mpg123-openal-32bit-1.25.6-7.1 mpg123-portaudio-1.25.6-7.1 mpg123-portaudio-32bit-1.25.6-7.1 mpg123-pulse-1.25.6-7.1 mpg123-pulse-32bit-1.25.6-7.1 mpg123-sdl-1.25.6-7.1 mpg123-sdl-32bit-1.25.6-7.1 libmpg123-0-1.25.6-7.1 as a component of openSUSE Leap 42.3 libmpg123-0-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 libout123-0-1.25.6-7.1 as a component of openSUSE Leap 42.3 libout123-0-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-devel-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-devel-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-esound-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-esound-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-jack-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-jack-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-openal-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-openal-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-portaudio-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-portaudio-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-pulse-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-pulse-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-sdl-1.25.6-7.1 as a component of openSUSE Leap 42.3 mpg123-sdl-32bit-1.25.6-7.1 as a component of openSUSE Leap 42.3 Integer overflow in the INT123_parse_new_id3 function in the ID3 parser in mpg123 before 1.25.5 on 32-bit platforms allows remote attackers to cause a denial of service via a crafted file, which triggers a heap-based buffer overflow. CVE-2017-12797 openSUSE Leap 42.3:libmpg123-0-1.25.6-7.1 openSUSE Leap 42.3:libmpg123-0-32bit-1.25.6-7.1 openSUSE Leap 42.3:libout123-0-1.25.6-7.1 openSUSE Leap 42.3:libout123-0-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-1.25.6-7.1 openSUSE Leap 42.3:mpg123-devel-1.25.6-7.1 openSUSE Leap 42.3:mpg123-devel-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-esound-1.25.6-7.1 openSUSE Leap 42.3:mpg123-esound-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-jack-1.25.6-7.1 openSUSE Leap 42.3:mpg123-jack-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-openal-1.25.6-7.1 openSUSE Leap 42.3:mpg123-openal-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-portaudio-1.25.6-7.1 openSUSE Leap 42.3:mpg123-portaudio-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-pulse-1.25.6-7.1 openSUSE Leap 42.3:mpg123-pulse-32bit-1.25.6-7.1 openSUSE Leap 42.3:mpg123-sdl-1.25.6-7.1 openSUSE Leap 42.3:mpg123-sdl-32bit-1.25.6-7.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-09/msg00044.html https://www.suse.com/security/cve/CVE-2017-12797.html CVE-2017-12797 https://bugzilla.suse.com/1046766 SUSE Bug 1046766 https://bugzilla.suse.com/1056999 SUSE Bug 1056999