Debian alert DLA-3967-1 (mpg123)

From:
             
 
rouca@debian.org
To:
             
 
<debian-lts-announce@lists.debian.org>
Subject:
             
 
[SECURITY] [DLA 3967-1] mpg123 security update
Date:
             
 
Tue, 26 Nov 2024 20:59:53 +0000
Message-ID:
             
 
<ac3d6335ff46cbe4161cbbdab516d5d6@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3967-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
November 26, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mpg123
Version        : 1.26.4-1+deb11u1
CVE ID         : CVE-2024-10573
Debian Bug     : 1086443

mpg123 a popular MPEG layer 1/2/3 audio player was afected
by a vulnerability.

An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

For Debian 11 bullseye, this problem has been fixed in version
1.26.4-1+deb11u1.

We recommend that you upgrade your mpg123 packages.

For the detailed security status of mpg123 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mpg123

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmdGNskACgkQADoaLapB
CF9O0g/9FhyETELnf2JIWnWdNA78WBQGha1jOl+CXYTHMnw7vd7r+RWvwNd8KkH2
X3p5BxfBvjFuUX9f9bmxrahmnXC9mSu2ReEqh2OTZsds+Mie7dnlkxxV33paTJcU
Mf+dsJ6thYGXomLE0EJlzlcL4DEdgWh4cwdJC4VmGYV/YlV4nUSmvIGa51Pfr2ZT
hTDJlGsoIm20K9YVv1TsAEbGIGOK3gDX9n59jEZQxUXxVLvBr9RZld62gy5aun6P
pllX+fFabKbdkjF7wVevKaCFNoVfTcelTumYQD59OGQdXFIL+egXoe4IeOCitFF1
9VLw7p4ZIcRQE6WnaFdAPprJetpC/2q3IC0uEN+2ajg5uA8DkhDPbmss20Hyoa2h
/kJ8lQ1iFnekX87UMDOUQJ31GUImfB9QUF4Mp6SvZrg+EbBZaw8qTf4047XWofzX
DHNJVK68CIOr/UpmnKp7Vrr35wWmMssFmQ+R1Tj7TBxrinPa1nJ+JDyybSrpEeVj
ep8iCBFTXxHl/P+jmnp6aS9Ij70KiQlRAjhSGjVEzsJu01WzoaMkZ/zdvN2Nd01A
bCMiQsAy68uMG1xSx/i7tm02z0a1vY85a6XEpqVWHpl5q+kmFtCeMcCRkqlDIeHN
VoNu74IKk09FbFpVZDtbgV1ILrgzNE3QWqdslBl63jXP+KkJrxc=
=ozUF
-----END PGP SIGNATURE-----