CVE-2017-12839 — Out-of-bounds Read in Mpg123

CWE-125 — Out-of-bounds Read8 documents8 sources

Severity

8.3HIGHNVD

EPSS

1.1%

top 22.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mpg123

Timeline

PublishedMay 9

Latest updateMay 24

Description

A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h in mpg123 through 1.25.5 allows remote attackers to cause a possible denial-of-service (out-of-bounds read) or possibly have unspecified other impact via a crafted mp3 file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:LExploitability: 2.8 | Impact: 5.5

Affected Packages2 packages

▶Debianmpg123/mpg123< 1.25.6-1+3

▶NVDmpg123/mpg1231.25.5

Patches

Patch: www.mpg123.de ↗Patch: www.mpg123.de ↗

🔴Vulnerability Details

GHSA

GHSA-gv4j-f4j9-qr3q: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits↗2022-05-24

▶

CVEList

CVE-2017-12839: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits↗2019-05-09

▶

OSV

CVE-2017-12839: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits↗2019-05-09

▶

📋Vendor Advisories

Ubuntu

mpg123 vulnerability↗2021-03-17

▶

Red Hat

mpg123: heap-based buffer over-read in function getbits insrc/libmpg123/getbits.h↗2017-08-11

▶

Debian

CVE-2017-12839: mpg123 - A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h...↗2017

▶

💬Community

Bugzilla

CVE-2017-12839 mpg123: heap-based buffer over-read in function getbits insrc/libmpg123/getbits.h↗2019-05-10

▶