Debian Security Advisory
DSA-564-1 mpg123 -- missing user input sanitising
- Date Reported:
- 13 Oct 2004
- Affected Packages:
- mpg123
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2004-0805.
- More information:
-
Davide Del Vecchio discovered a vulnerability in mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player. A malicious MPEG layer 2/3 file could cause the header checks in mpg123 to fail, which could in turn allow arbitrary code to be executed with the privileges of the user running mpg123.
For the stable distribution (woody) this problem has been fixed in version 0.59r-13woody3.
For the unstable distribution (sid) this problem has been fixed in version 0.59r-16.
We recommend that you upgrade your mpg123 package.
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3.dsc
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3.diff.gz
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r.orig.tar.gz
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_alpha.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_alpha.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_i386.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_i386.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-nas_0.59r-13woody3_i386.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-13woody3_i386.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-i486_0.59r-13woody3_i386.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_i386.deb
- HPPA:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_powerpc.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_powerpc.deb
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody3_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody3_sparc.deb
MD5 checksums of the listed files are available in the original advisory.