CVE-2017-12839
Published 2019-05-09
Priority P3 · 38 · high · 8.3 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS 2.90% (85.2th percentile)
A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h in mpg123 through 1.25.5 allows remote attackers to cause a possible denial-of-service (out-of-bounds read) or possibly have unspecified other impact via a crafted mp3 file.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mpg123 | < mpg123 1.25.6-1 (bookworm) | mpg123 1.25.6-1 (bookworm) |
| mpg123 | mpg123 | <= 1.25.5 | — |
| mpg123 | mpg123 | >= 0 < 1.25.6-1 | 1.25.6-1 |
| mpg123 | mpg123 | >= 0 < 1.25.6-1 | 1.25.6-1 |
| mpg123 | mpg123 | >= 0 < 1.25.6-1 | 1.25.6-1 |
| mpg123 | mpg123 | >= 0 < 1.25.6-1 | 1.25.6-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.3 | HIGH | — |
| vendor_debian | — | 8.3 | HIGH | — |
| vendor_redhat | — | 8.3 | HIGH | — |
Ubuntu
mpg123 vulnerability
vendor_ubuntu·2021-03-17
CVE-2017-11126 mpg123 vulnerability
Title: mpg123 vulnerability
Summary: mpg123 could be made to crash if it opened a specially crafted file.
It was discovered that mpg123 failed to handle certain malformed mp3 files. An attacker could use this vulnerability to potentially leak sensitive information or cause a crash.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
mpg123: heap-based buffer over-read in function getbits in src/libmpg123/getbits.h
vendor_redhat·2017-08-11·CVSS 8.3
CVE-2017-12839 [HIGH] CWE-125
Package: mpg123 (Red Hat Enterprise Linux 7) - Not affected
Package: mpg123 (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2017-12839: mpg123 - A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h...
vendor_debian·2017·CVSS 8.3
CVE-2017-12839 [HIGH]
Scope: local
bookworm: resolved (fixed in 1.25.6-1)
bullseye: resolved (fixed in 1.25.6-1)
forky: resolved (fixed in 1.25.6-1)
sid: resolved (fixed in 1.25.6-1)
trixie: resolved (fixed in 1.25.6-1)
GHSA
GHSA-gv4j-f4j9-qr3q: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits
ghsa_unreviewed·2022-05-24
CVE-2017-12839 [HIGH] CWE-125
OSV
CVE-2017-12839: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits
osv·2019-05-09·CVSS 8.3
CVE-2017-12839 [HIGH]
No detection rules found.
No public exploits indexed.
References
https://sourceforge.net/p/mpg123/bugs/255/
https://www.mpg123.de/
https://www.mpg123.de/cgi-bin/scm/mpg123/trunk/src/libmpg123/getbits.h?r1=2024&r2=4323&sortby=date