libmpg123-0-1.32.9-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14454-1 Final 1 1 2024-11-03T00:00:00Z current 2024-11-03T00:00:00Z 2024-11-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmpg123-0-1.32.9-1.1 on GA media These are all security issues fixed in the libmpg123-0-1.32.9-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14454 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-10573/ SUSE CVE CVE-2024-10573 page openSUSE Tumbleweed libmpg123-0-1.32.9-1.1 libmpg123-0-32bit-1.32.9-1.1 libout123-0-1.32.9-1.1 libout123-0-32bit-1.32.9-1.1 libsyn123-0-1.32.9-1.1 libsyn123-0-32bit-1.32.9-1.1 mpg123-1.32.9-1.1 mpg123-devel-1.32.9-1.1 mpg123-devel-32bit-1.32.9-1.1 mpg123-jack-1.32.9-1.1 mpg123-jack-32bit-1.32.9-1.1 mpg123-openal-1.32.9-1.1 mpg123-openal-32bit-1.32.9-1.1 mpg123-portaudio-1.32.9-1.1 mpg123-portaudio-32bit-1.32.9-1.1 mpg123-pulse-1.32.9-1.1 mpg123-pulse-32bit-1.32.9-1.1 mpg123-sdl-1.32.9-1.1 mpg123-sdl-32bit-1.32.9-1.1 libmpg123-0-1.32.9-1.1 as a component of openSUSE Tumbleweed libmpg123-0-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed libout123-0-1.32.9-1.1 as a component of openSUSE Tumbleweed libout123-0-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed libsyn123-0-1.32.9-1.1 as a component of openSUSE Tumbleweed libsyn123-0-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-devel-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-devel-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-jack-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-jack-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-openal-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-openal-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-portaudio-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-portaudio-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-pulse-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-pulse-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-sdl-1.32.9-1.1 as a component of openSUSE Tumbleweed mpg123-sdl-32bit-1.32.9-1.1 as a component of openSUSE Tumbleweed An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector. CVE-2024-10573 openSUSE Tumbleweed:libmpg123-0-1.32.9-1.1 openSUSE Tumbleweed:libmpg123-0-32bit-1.32.9-1.1 openSUSE Tumbleweed:libout123-0-1.32.9-1.1 openSUSE Tumbleweed:libout123-0-32bit-1.32.9-1.1 openSUSE Tumbleweed:libsyn123-0-1.32.9-1.1 openSUSE Tumbleweed:libsyn123-0-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-1.32.9-1.1 openSUSE Tumbleweed:mpg123-devel-1.32.9-1.1 openSUSE Tumbleweed:mpg123-devel-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-jack-1.32.9-1.1 openSUSE Tumbleweed:mpg123-jack-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-openal-1.32.9-1.1 openSUSE Tumbleweed:mpg123-openal-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-portaudio-1.32.9-1.1 openSUSE Tumbleweed:mpg123-portaudio-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-pulse-1.32.9-1.1 openSUSE Tumbleweed:mpg123-pulse-32bit-1.32.9-1.1 openSUSE Tumbleweed:mpg123-sdl-1.32.9-1.1 openSUSE Tumbleweed:mpg123-sdl-32bit-1.32.9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-10573.html CVE-2024-10573 https://bugzilla.suse.com/1232659 SUSE Bug 1232659