Published: 2004-12-23 00:00:00
Last revised: 2008-09-10 15:27:50

[Original text] Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file.



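- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]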

- CPE (Affected Platforms and Products)

cpe:/o:mandrakesoft:mandrake_linux:9.2  MandrakeSoft Mandrake Linux 9.2
cpe:/o:mandrakesoft:mandrake_linux:10.0  MandrakeSoft Mandrake Linux 10.0
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1  MandrakeSoft Mandrake Linux Corporate Server 2.1

- OVAL (Technical Details for Detection)


- Official Database Links
(Official source) MITRE
(Official source) NVD
(Official source) CNNVD

- Other Links and Resources
(VENDOR_ADVISORY)  XF  mpg123-layer2c-bo(17287)
(UNKNOWN)  BID  11121
(UNKNOWN)  BUGTRAQ  20040916 mpg123 buffer overflow vulnerability
(UNKNOWN)  FULLDISC  20040907 mpg123 buffer overflow vulnerability

- Vulnerability Information

High risk  Boundary condition error
2004-12-23 00:00:00 2005-10-20 00:00:00

- Advisories and Patches

        Index: layer2.c
        RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v
        retrieving revision
        diff -u -r1.1.1.1 layer2.c
         --- layer2.c 1999/02/10 12:13:06
        +++ layer2.c 2004/09/02 21:43:58
        @@ -265,6 +265,11 @@
         fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
         (fr->mode_ext<<2)+4 : fr->II_sblimit;
        + if (fr->jsbound > fr->II_sblimit) {
        + fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
        + fr->jsbound=fr->II_sblimit;
        + }
         if(stereo == 1 || single == 3)
         single = 0;
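
Review bot: the `fprintf(stderr, ...)` inside the new `if (fr->jsbound > fr->II_sblimit)` block runs every time a frame trips the check, so a file made of such frames can flood stderr; consider warning once or only in a verbose mode. The message also says "sideband limit" while the field it refers to is `II_sblimit`, the subband limit, so "subband" would be the accurate word. Because the other branch of the ternary assigns `fr->II_sblimit` itself, the condition can only be true for `MPG_MD_JOINT_STEREO`; a one-line comment stating that the clamp keeps `jsbound` from exceeding the subband limit on a malformed header would help the next reader, and it is worth deciding explicitly whether such a frame should be clamped and decoded or rejected.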

- Vulnerability Information (F34297)

mpg123overflow.txt (PacketStormID:F34297)
2004-09-10 00:00:00
Davide Del Vecchio

A maliciously formatted mp3/2 file causes mpg123 to fail header checks; this may allow arbitrary code to be executed with the privileges of the user trying to play the mp3. Versions affected: mpg123-0.59r and maybe mpg123-0.59s.

 mpg123-0.59r buffer overflow vulnerability

Davide Del Vecchio Adv#10 

Discovered in: 16/08/2003
Date: 06/09/2003
Version affected: mpg123-0.59r and maybe mpg123-0.59s
CVE: CAN-2004-0805 

Tested and verified on Linux debian SID and OpenBSD.
The same vulnerable code is also present in the development
version 0.59s, but new and unrelated header checks have prevented the
test case for 0.59r from crashing this version as well. A more
carefully crafted file might hit the vulnerability on 0.59s as well. 

It should affect almost every OS with mpg123 package installed. 


 mpg123 reads one or more files (or standard input if     

- Vulnerability Information

mpg123 layer2.c Header Remote Overflow
Context Dependent Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Unknown Third-party Verified

- Vulnerability Description

mpg123 contains an overflow condition in the handling of MP2 or MP3 files. The issue is due to the 'do_layer()' function in layer2.c not validating user-supplied input. With a specially crafted MP2 or MP3 file, a context-dependent attacker can cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

- Timeline

2004-09-06 2003-08-16
Unknown Unknown

- Solution

Multiple vendors have released a patch to address this vulnerability. Check the vendor advisory, changelog, or solution in the references section for details.

- Related References

- Vulnerability Author

- Vulnerability Information

MPG123 Remote Stereo Boundary Buffer Overflow Vulnerability
Boundary Condition Error 11121
Yes No
2004-09-07 12:00:00 2009-07-12 07:06:00
Discovery of this issue is credited to "Davide Del Vecchio" <>.

- Affected Program Versions

mpg123 mpg123 0.59 s
+ Gentoo Linux
mpg123 mpg123 0.59 r
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Gentoo Linux 1.4
+ Gentoo Linux
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1

- Vulnerability Discussion

Reportedly mpg123 is affected by a remote stereo boundary buffer overflow vulnerability. This issue is due to a failure of the application to properly validate user-supplied string sizes prior to copying them into process buffers.

This issue will allow a malicious user to manipulate process memory ultimately leading to arbitrary code execution in the context of the user that started the vulnerable application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

Gentoo has released updates to this issue that may be applied with the following commands:
emerge sync
emerge -pv ">=media-sound/mpg123-0.59s-r4"
emerge ">=media-sound/mpg123-0.59s-r4"

Mandrake Linux has released advisory MDKSA-2004:100 along with fixes to address this issue. Please see the referenced advisory for further information.

Debian has released advisory DSA 564-1 to address this issue. Please see the attached advisory for information on obtaining and applying fixes.

mpg123 mpg123 0.59 r

- Related References