[Buildroot] [git commit branch/2024.11.x] package/mpg123: security bump to version 1.32.8
Peter Korsgaard
peter at korsgaard.com
Tue Feb 18 08:21:46 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=18edcac74467ff297dcbf67996bd26a5755523f2
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2024.11.x
Fixes the following security vulnerability:
CVE-2024-10573: An out-of-bounds write flaw was found in mpg123 when
handling crafted streams. When decoding PCM, the libmpg123 may write past
the end of a heap-located buffer. Consequently, heap corruption may happen,
and arbitrary code execution is not discarded. The complexity required to
exploit this flaw is considered high as the payload must be validated by the
MPEG decoder and the PCM synth before execution. Additionally, to
successfully execute the attack, the user must scan through the stream,
making web live stream content (such as web radios) a very unlikely attack
vector.
https://www.openwall.com/lists/oss-security/2024/10/30/2
Release notes:
https://sourceforge.net/p/mpg123/mailman/message/58834094/
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 35d2880e33db17ff8c60f1f72521c14245d364e2)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
package/mpg123/mpg123.hash | 6 +++---
package/mpg123/mpg123.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/mpg123/mpg123.hash b/package/mpg123/mpg123.hash
index 5a83f29586..67ece34528 100644
--- a/package/mpg123/mpg123.hash
+++ b/package/mpg123/mpg123.hash
@@ -1,6 +1,6 @@
-# From https://sourceforge.net/projects/mpg123/files/mpg123/1.32.6/
-sha1 886c8c5f100caccfb4fefabc1c75ff6e2a834128 mpg123-1.32.6.tar.bz2
+# From https://sourceforge.net/projects/mpg123/files/mpg123/1.32.8/
+sha1 dc4d8d9d7fdc9c6c85e3036734eb937272a97800 mpg123-1.32.8.tar.bz2
# Locally calculated
-sha256 ccdd1d0abc31d73d8b435fc658c79049d0a905b30669b6a42a03ad169dc609e6 mpg123-1.32.6.tar.bz2
+sha256 feee1374c79540e0e405df0bc45fde20ad67011425c361a2759e2146894a27a7 mpg123-1.32.8.tar.bz2
# License file
sha256 c22482728a634a8dfdb4ff72a96d4c1ed64cd8f3e79335c401751ac591609366 COPYING
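
Review bot: The new sha256 line for mpg123-1.32.8.tar.bz2 sits under "# Locally calculated", so the only digest in this hunk that is tied to upstream is the sha1 taken from the SourceForge files page. If upstream publishes a signature or a stronger digest for the 1.32.8 tarball, it would be worth checking the download against it and recording that in the comment, so the sha256 is anchored to something other than the copy that was fetched locally. The COPYING hash is unchanged, which matches a bump that does not touch the license file.
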
diff --git a/package/mpg123/mpg123.mk b/package/mpg123/mpg123.mk
index dbf595e172..2020fa55e8 100644
--- a/package/mpg123/mpg123.mk
+++ b/package/mpg123/mpg123.mk
@@ -4,7 +4,7 @@
#
################################################################################
-MPG123_VERSION = 1.32.6
+MPG123_VERSION = 1.32.8
MPG123_SOURCE = mpg123-$(MPG123_VERSION).tar.bz2
MPG123_SITE = https://downloads.sourceforge.net/project/mpg123/mpg123/$(MPG123_VERSION)
MPG123_INSTALL_STAGING = YES
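
Review bot: MPG123_VERSION moves from 1.32.6 straight to 1.32.8, skipping a release, and the commit message links the release notes without saying which upstream version first carries the fix for CVE-2024-10573. Stating the first fixed version in the commit message would let anyone auditing or backporting this to another branch see the minimum version they need without following the links.
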