Candidate: CVE-2017-10683
PublicDate: 2017-06-29 23:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
Description:
 In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack.
Ubuntu-Description:
 It was discovered that mpg123 incorrectly handled certain media files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Notes:
 ratliff> reproducer doesn't crash on trusty
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=1465819
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_mpg123:
upstream_mpg123: released (1.25.1-1)
precise/esm_mpg123: DNE
trusty_mpg123: released (1.16.0-1ubuntu1.1)
trusty/esm_mpg123: released (1.16.0-1ubuntu1.1)
vivid/ubuntu-core_mpg123: DNE
xenial_mpg123: released (1.22.4-1ubuntu0.1)
yakkety_mpg123: ignored (reached end-of-life)
zesty_mpg123: ignored (reached end-of-life)
artful_mpg123: not-affected (1.25.6-1)
bionic_mpg123: not-affected (1.25.8-1)
devel_mpg123: not-affected (1.25.8-1)
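The entry above names only the function (convert_latin1) and the bug class (a heap over-read while converting ID3 tag text from Latin-1); it does not show any code. The following C is an added example, not mpg123's code and not the upstream fix, of the check a practitioner would want in that situation: a Latin-1 to UTF-8 converter bounded by both the input and output lengths, and a minimal ID3v2.3-style text-frame parser that rejects a declared frame size larger than the bytes actually present before touching the payload. The frame layout used (4-byte ID, 4-byte big-endian size, 2 flag bytes, 1 encoding byte, text), the function names and the sample frames are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Convert Latin-1 bytes to UTF-8 without reading past in + in_len or
   writing past out + out_cap. Each Latin-1 byte expands to at most two
   UTF-8 bytes. Returns bytes written (excluding the NUL) or -1 if the
   output does not fit. Hypothetical code, not mpg123's convert_latin1. */
static long latin1_to_utf8(const unsigned char *in, size_t in_len,
                           char *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        size_t need = (c < 0x80) ? 1 : 2;
        if (o + need + 1 > out_cap)      /* keep room for the terminating NUL */
            return -1;
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {                         /* U+0080..U+00FF: two-byte sequence */
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Parse one ID3v2.3-style text frame. The declared size comes from the
   file and is therefore attacker-controlled, so it is checked against the
   bytes actually present before any payload byte is read. Returns the
   UTF-8 length or -1 on a malformed frame. */
static long id3_text_frame_to_utf8(const unsigned char *buf, size_t buf_len,
                                   char *out, size_t out_cap)
{
    if (buf_len < 10) return -1;                     /* no complete header */
    uint32_t size = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (size < 1 || size > buf_len - 10) return -1;  /* declared size exceeds data */
    const unsigned char *payload = buf + 10;
    if (payload[0] != 0x00) return -1;               /* 0x00 = ISO-8859-1; others not handled here */
    return latin1_to_utf8(payload + 1, size - 1, out, out_cap);
}

/* Constructed TIT2 frame carrying Latin-1 "Caf\xe9": header says 5 payload bytes, 5 present. */
static const unsigned char kValidFrame[] = {
    'T','I','T','2',  0,0,0,5,  0,0,  0x00, 'C','a','f',0xE9 };

/* Same bytes, but the header claims 100 payload bytes while only 5 follow. */
static const unsigned char kTruncatedFrame[] = {
    'T','I','T','2',  0,0,0,100,  0,0,  0x00, 'C','a','f',0xE9 };

/* Returns 5 when the valid frame converts to "Caf" + U+00E9 (C3 A9), else -2. */
long example_valid_frame(void)
{
    char out[16];
    long n = id3_text_frame_to_utf8(kValidFrame, sizeof kValidFrame, out, sizeof out);
    if (n != 5 || memcmp(out, "Caf\xC3\xA9", 6) != 0) return -2;
    return n;
}

/* Returns -1: the oversized declared length is rejected before the payload is read. */
long example_truncated_frame(void)
{
    char out[16];
    return id3_text_frame_to_utf8(kTruncatedFrame, sizeof kTruncatedFrame, out, sizeof out);
}

/* Returns -1: "Caf" + 2 bytes + NUL needs 6 bytes, only 5 are offered. */
long example_small_output(void)
{
    char out[5];
    return id3_text_frame_to_utf8(kValidFrame, sizeof kValidFrame, out, sizeof out);
}

int main(void)
{
    printf("valid frame     -> %ld bytes of UTF-8\n", example_valid_frame());
    printf("truncated frame -> %ld (rejected)\n", example_truncated_frame());
    printf("small output    -> %ld (rejected)\n", example_small_output());
    return 0;
}
```

The point of the shape is that the length used to drive the conversion is derived from the data actually in hand, never from the header alone, and that the output side is bounded independently so a frame cannot turn an over-read into an over-write.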