CVE-2024-10573: 
Rocky Linux vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2024-10573) was discovered in mpg123, affecting versions before 1.32.8. The flaw occurs when handling crafted streams during PCM decoding, where libmpg123 may write past the end of a heap-located buffer. The vulnerability was discovered in October 2024 and affects all versions of mpg123 that support Frankenstein streams (MPG123 News).

The vulnerability is triggered when decoding PCM data, specifically when the stream changes output properties in combination with seeking operations. The complexity required to exploit this flaw is considered high as the payload must be validated by both the MPEG decoder and PCM synth before execution. The issue has been assigned a CVSS v3.1 score of 6.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (Red Hat CVE).

The vulnerability can lead to heap corruption and potentially arbitrary code execution. However, web live stream content (such as web radios) is considered a very unlikely attack vector since the exploit requires scanning through the stream. The impact is limited by the high complexity of exploitation, as any payload must pass through both MPEG decoder and PCM synth validation (OSS Security).

The vulnerability has been fixed in mpg123 version 1.32.8. For users unable to update immediately, a workaround is available by using the MPG123NOFRANKENSTEIN option or the --no-frankenstein command-line option. Additionally, applications that use a fixed decoding buffer for full stereo of the maximum of 1152 samples per frame are not susceptible to this vulnerability (MPG123 News).