mpg123: User-assisted execution of arbitrary code — GLSA 201502-01

A vulnerability has been found in mpg123, which could result in arbitrary code execution.

Affected Packages

media-sound/mpg123 on all architectures
Affected versions < 1.18.1
Unaffected versions >= 1.18.1

Background

mpg123 is a realtime MPEG 1.0/2.0/2.5 audio player for layers 1, 2 and 3.

Description

An issue has been found in mpg123 when decoding specifically crafted MP3 file, that causes a heap-based buffer overflow.

Impact

A remote attacker could entice a user to open a specially crafted MPEG file using mpg123, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All mpg123 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/mpg123-1.18.1"
 

References

Release Date
February 06, 2015

Latest Revision
February 06, 2015: 1

Severity
normal

Exploitable
remote

Bugzilla entries