-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Several security vulnerabilities have been discovered in mpg123, an
MPEG layer 1/2/3 audio decoder and player. An attacker could take
advantage of these flaws to cause a denial of service against mpg123
or applications using the libmpg123 library with a carefully crafted
input file.

CVE-2014-9497

    Myautsai PAN discovered a flaw in the decoder initialization code
    of libmpg123. A specially crafted mp3 input file can be used to
    cause a buffer overflow, resulting in a denial of service.

CVE-2016-1000247

    Jerold Hoong discovered a flaw in the id3 tag processing code of
    libmpg123. A specially crafted mp3 input file could be used to
    cause a buffer over-read, resulting in a denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version
1.14.4-1+deb7u1.

We recommend that you upgrade your mpg123 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
Jonas Meurer

-----BEGIN PGP SIGNATURE-----

iQItBAEBCAAXBQJYAg5ZEBxtZWpvQGRlYmlhbi5vcmcACgkQUmLn/0kQSf5U1g//
dO1tJFriBYqoUKJfmEaUplQ51DQDZYu5JkWfL+TvtEKtr9VVSQttjJrcQBwtNSJB
jPnCqhfDLTGpLpGVmraSfGqs0edQj859qNCs0Dd2B1nKVVK9wq1LjCjsXrLwS9J5
LxOnnfEGR946lIo+L3SnpAHns0ACsLibaz+dEs4oaglfsO2z6jXzKKyC/6YoYkS6
KplLoWtimWaCtwZAweHScXT2UG2Smln7+Plx+gf68vCrCWLdqMO0SnstHWOc+aML
7/lkFYvNLN3XCFuHPfXuSuWZwMUzGfP/EHUagkSxExBIJFLri/OFck5zFDZCxVCP
inCcO85JzFvneGSv9Yr+l0t0a7Iu6pez+C5RWzkTuRjl8jfNmbHFA5BP1Yw2OFOR
BAWQyO1LxFE59lcAnJwRNwIjnVK3Q8nb9Z5K3mThnwWe3Oq9S8/WK5eS2LqKDsU+
17/IJfmLboCXLG7oFGLC6NTeNo6C7cDX08DQL29s7K+CBOZ5EmzTJ9XiCQMzkaH7
11GMvnD2uqGQEBI3MEqTBHOqMK+6uNxE77jEUHJvmb/4Wyt02xW7yN8/iaCwMJbj
AiRsvE/kJ44Qu+wLKjKgPOOIiy5xQOgxEODdjqDDayCRTJpctscHMDFWWlWXcLE3
EDyLQ6S0UF+wFFTYXQYsVdDa1P53e9xj9mfwKMreoPM=
=8+cb
-----END PGP SIGNATURE-----

Reply via email to