CVE-2017-10683

Upstream information

CVE-2017-10683 at MITRE

Description

In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.

---

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having low severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	Partial

CVSS v3 Scores

	National Vulnerability Database
Base Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Vector	Network
Access Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	High
CVSSv3 Version	3

SUSE Bugzilla entry: 1046766 [RESOLVED]

SUSE Security Advisories:

• openSUSE-SU-2017:2682-1, published Tue, 10 Oct 2017 12:09:50 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Module for Basesystem 15 SP2	libmpg123-0 >= 1.25.10-1.38
SUSE Linux Enterprise Module for Desktop Applications 15 SP2	libout123-0 >= 1.25.10-1.38 mpg123 >= 1.25.10-1.38 mpg123-devel >= 1.25.10-1.38 mpg123-pulse >= 1.25.10-1.38
SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SP1	libmpg123-0 >= 1.25.10-1.38 libout123-0 >= 1.25.10-1.38 mpg123 >= 1.25.10-1.38 mpg123-devel >= 1.25.10-1.38 mpg123-pulse >= 1.25.10-1.38
openSUSE Leap 15.0	libmpg123-0 >= 1.25.10-lp150.1.1 mpg123-openal >= 1.25.10-lp150.1.1 mpg123-pulse >= 1.25.10-lp150.1.1	Patchnames: openSUSE Leap 15.0 GA libmpg123-0
openSUSE Leap 42.3	libmpg123-0 >= 1.25.2-1.1 libmpg123-0-32bit >= 1.25.7-10.1 libmpg123-0-debuginfo >= 1.25.7-10.1 libmpg123-0-debuginfo-32bit >= 1.25.7-10.1 libout123-0 >= 1.25.7-10.1 libout123-0-32bit >= 1.25.7-10.1 libout123-0-debuginfo >= 1.25.7-10.1 libout123-0-debuginfo-32bit >= 1.25.7-10.1 mpg123 >= 1.25.7-10.1 mpg123-debuginfo >= 1.25.7-10.1 mpg123-debugsource >= 1.25.7-10.1 mpg123-devel >= 1.25.7-10.1 mpg123-devel-32bit >= 1.25.7-10.1 mpg123-esound >= 1.25.2-1.1 mpg123-esound-32bit >= 1.25.7-10.1 mpg123-esound-debuginfo >= 1.25.7-10.1 mpg123-esound-debuginfo-32bit >= 1.25.7-10.1 mpg123-jack >= 1.25.7-10.1 mpg123-jack-32bit >= 1.25.7-10.1 mpg123-jack-debuginfo >= 1.25.7-10.1 mpg123-jack-debuginfo-32bit >= 1.25.7-10.1 mpg123-openal >= 1.25.2-1.1 mpg123-openal-32bit >= 1.25.7-10.1 mpg123-openal-debuginfo >= 1.25.7-10.1 mpg123-openal-debuginfo-32bit >= 1.25.7-10.1 mpg123-portaudio >= 1.25.7-10.1 mpg123-portaudio-32bit >= 1.25.7-10.1 mpg123-portaudio-debuginfo >= 1.25.7-10.1 mpg123-portaudio-debuginfo-32bit >= 1.25.7-10.1 mpg123-pulse >= 1.25.2-1.1 mpg123-pulse-32bit >= 1.25.7-10.1 mpg123-pulse-debuginfo >= 1.25.7-10.1 mpg123-pulse-debuginfo-32bit >= 1.25.7-10.1 mpg123-sdl >= 1.25.7-10.1 mpg123-sdl-32bit >= 1.25.7-10.1 mpg123-sdl-debuginfo >= 1.25.7-10.1 mpg123-sdl-debuginfo-32bit >= 1.25.7-10.1	Patchnames: openSUSE Leap 42.3 GA libmpg123-0 openSUSE-2017-1139 openSUSE-2017-862