-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:093
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mpg123
 Date    : April 22, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in mpg123:

 Integer signedness error in the store_id3_text function in the ID3v2
 code in mpg123 before 1.7.2 allows remote attackers to cause a denial
 of service (out-of-bounds memory access) and possibly execute arbitrary
 code via an ID3 tag with a negative encoding value. NOTE: some of
 these details are obtained from third party information (CVE-2009-1301).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1301
 _______________________________________________________________________

 Updated Packages:

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ7qQEmqjQ0CJFipgRAnQaAJ9IYBt9io4Hoyc6DgGQU5JeISRAcACgq5I0
uYhyYA9o/xPZaC6JwH9irQQ=
=st9Z
-----END PGP SIGNATURE-----
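
 Added example (not part of the advisory and not mpg123's source): the
 bug class named under "Problem Description", an encoding byte held in a
 signed type and checked only against an upper bound, next to the
 unsigned check that rejects it. All function and table names are
 hypothetical; the four encoding values are those defined by ID3v2.

```c
#include <stddef.h>
#include <stdio.h>
/* ID3v2 text encodings: 0 = ISO-8859-1, 1 = UTF-16 with BOM,
 * 2 = UTF-16BE, 3 = UTF-8. Entry = terminator width in bytes. */
static const unsigned char term_width[4] = { 1, 2, 2, 1 };
#define ENC_MAX 3

/* Flawed check (hypothetical): the byte is held in a signed type and only
 * the upper bound is tested, so 0x80..0xFF turn negative on common ABIs
 * and pass. Returns 1 when the value would go on to index term_width[]. */
int flawed_accepts(unsigned char raw)
{
    signed char enc = (signed char)raw;
    return enc <= ENC_MAX;
}

/* Hardened check: an unsigned byte is bounded on both sides by one test. */
int hardened_accepts(unsigned char raw)
{
    return raw <= ENC_MAX;
}

/* Length of the text payload in a frame body (encoding byte and terminator
 * excluded), or -1 if the body is empty or the encoding byte is invalid. */
long text_payload_len(const unsigned char *body, size_t len)
{
    if (body == NULL || len < 1 || !hardened_accepts(body[0]))
        return -1;
    size_t w = term_width[body[0]], i = 1;
    while (i + w <= len) {               /* never read past the body */
        size_t zeros = 0;
        for (size_t k = 0; k < w; k++)
            zeros += (body[i + k] == 0);
        if (zeros == w)
            break;                       /* terminator found */
        i += w;
    }
    return (long)(i - 1);
}

int main(void)
{
    const unsigned char good[] = { 0x00, 'a', 'b', 'c', 0x00 }; /* constructed */
    const unsigned char bad[]  = { 0xFF, 'a', 0x00 };           /* constructed */
    printf("flawed(0xFF)=%d hardened(0xFF)=%d good=%ld bad=%ld\n",
           flawed_accepts(0xFF), hardened_accepts(0xFF),
           text_payload_len(good, sizeof good), text_payload_len(bad, sizeof bad));
    return 0;
}
```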