AIKIDO-2024-10420
mpg123 is vulnerable to Out-of-bounds Write
54
Medium Risk
This Affects:
mpg123TL;DR
An out-of-bounds write flaw exists in mpg123 when handling crafted streams. During PCM decoding, the libmpg123 library may write past the end of a heap-allocated buffer, leading to potential heap corruption. This vulnerability could allow arbitrary code execution. The complexity to exploit this flaw is high, as the payload must pass validation through both the MPEG decoder and PCM synthesizer before execution. Additionally, successful exploitation requires the attacker to scan through the stream, which makes web live stream content, such as web radios, an unlikely attack vector. However, if successfully exploited, this vulnerability poses a significant risk to affected systems.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
mpg123 is vulnerable to Out-of-bounds Write in versions 0.61 - 1.32.7.
How to fix this
Upgrade the mpg123 library to the patch version.
Links
mpg123.org/cgi-bin/news.cgi#2024-10-26access.redhat.com/errata/RHSA-2024:11193access.redhat.com/errata/RHSA-2024:11242access.redhat.com/security/cve/CVE-2024-10573bugzilla.redhat.com/show_bug.cgi?id=2322980openwall.com/lists/oss-security/2024/10/30/3openwall.com/lists/oss-security/2024/10/31/4openwall.com/lists/oss-security/2024/11/01/1lists.debian.org/debian-lts-announce/2024/11/msg00025.html
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant