Upstream information

CVE-2017-10683 at MITRE

Description

In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having low severity.

CVSS v2 Scores (National Vulnerability Database)

  Base Score: 5
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Partial

CVSS v3 Scores (National Vulnerability Database)

  Base Score: 7.5
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Access Vector: Network
  Access Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: High
  CVSSv3 Version: 3

SUSE Bugzilla entry: 1046766 [RESOLVED]

SUSE Security Advisories:

List of released packages

Product(s) | Fixed package version(s) | References
SUSE Linux Enterprise Module for Basesystem 15 SP2
  • libmpg123-0 >= 1.25.10-1.38
SUSE Linux Enterprise Module for Desktop Applications 15 SP2
  • libout123-0 >= 1.25.10-1.38
  • mpg123 >= 1.25.10-1.38
  • mpg123-devel >= 1.25.10-1.38
  • mpg123-pulse >= 1.25.10-1.38
SUSE Linux Enterprise Module for Desktop Applications 15
SUSE Linux Enterprise Module for Desktop Applications 15 SP1
  • libmpg123-0 >= 1.25.10-1.38
  • libout123-0 >= 1.25.10-1.38
  • mpg123 >= 1.25.10-1.38
  • mpg123-devel >= 1.25.10-1.38
  • mpg123-pulse >= 1.25.10-1.38
openSUSE Leap 15.0
  • libmpg123-0 >= 1.25.10-lp150.1.1
  • mpg123-openal >= 1.25.10-lp150.1.1
  • mpg123-pulse >= 1.25.10-lp150.1.1
Patchnames:
openSUSE Leap 15.0 GA libmpg123-0